The Reality of Cybersecurity Awareness Programs and Their Shortcomings
by Michael Dehoyos
Companies have to focus on culture and governance to make any real progress on cyber security behavior, but unfortunately many cyber security awareness programs focus only on superficial methods. Here we explore the main issues with cyber security awareness programs and where we can go from here.
1. The concept that cyber security is the responsibility of every employee.
This is a tricky argument and one that can quickly become dangerous. When a business says that something is every employee’s responsibility, it can quickly become nobody’s responsibility. What matters is acknowledging that each employee has a key role to play in keeping the company secure, but the ways in which they do this vary, and the business needs to communicate those differences to each staff member. For example, it’s pointless telling every employee not to open attachments, because some, like HR employees who receive CVs by email, are required to open those attachments to do their job.
Furthermore, each employee will only be engaged in cyber security for as long as they’re engaged with the company and its values and culture. When you care about something, you naturally want to protect it. Staff who are disengaged will most likely not be interested in accepting strict security measures. According to Fran Hayles, a tech writer at Brit Student and Write My X, “that’s why a cyber security awareness program cannot rely on a generic message like cyber security being every employee’s responsibility. This also has to come from the top, and all levels of management need to be leading by example and showing their best practices.”
2. The idea that people are the weakest link.
In reality, it’s quite possible that people are the weakest link, but this can be for different reasons and in different ways depending on the company. Before a company can make that claim, it must fully examine all of the threats it faces, such as an insider threat in a high-ranking financial business. The key is to understand the motivations of employees who leak sensitive information. It usually comes down to corporate culture, management, and governance.
If employees don’t feel engaged with the company, don’t understand its objectives, or don’t feel they belong, that’s a risk. Staff should be onboarded in a way that lets them understand the company’s purpose and feel a loyalty to, or a need to protect, the company and its assets. A lot of this comes down to how HR and senior management engage employees.
3. The myth that cyber security is entirely about awareness.
Many people have experienced virus attacks, fraud, data breaches, and more. People are used to seeing layers of security all around them, and the same security instructions have been repeated for decades (change your password, don’t make it too simple, etc.). So why have the businesses that have spent hundreds upon hundreds of dollars on security awareness programs not been successful?
Too many of these programs focus only on educating people about security without making them understand why it matters and how to act on it. Knowing, or awareness, isn’t enough: there must be incentives to act in addition to the awareness. There are no clear success criteria, and too much stock is put in fake phishing campaigns that “trick” employees, leaving them embarrassed and frustrated. Companies can address this in a real, concrete way by collecting actual metrics on their security programs. As per Robbie Weir, a security analyst at Australia2Write and Next Coursework, “they must have panels of employees to represent the company, create measurable security awareness questionnaires, deploy cyber security campaigns, and measure results.”
4. Building a successful cyber security program.
There are five key aspects to building a culture change program around cyber security: finding a champion for the program at the top level of the company, creating clear responsibilities and accountabilities for cyber security, avoiding ready-made solutions, basing your campaign on the survey results, and defining clear success metrics. If engagement levels are low, the campaign must have a broad enough scope to reach all employees. Finally, make your messages specific and achievable for all employees in their teams, not just for the chief information security officer, and create incentives that will make staff want to act and be a part of it.
About the Author
Michael Dehoyos, a content marketer and editor for PhD Kingdom and Academic Brits, shares his cyber security and online hacking developments with his readers. He enjoys finding easier ways for companies to become more secure and successful. Michael also writes for Origin Writings.