Cyber security is high on the agenda of many businesses, but implementing a strategy successfully involves more than technology and tools. People are equally important, and they need to buy in to the strategy too.
However, while security professionals may find phishing scams easy to ignore, there are others within the business who may not care to understand the difference between a phishing email and a legitimate one.
But despite many of the CISOs at Infosecurity Europe 2014 believing that awareness of cyber issues has grown within the workplace, Andy Jones, CISO at Maersk Line, believes that the opposite is true.
“How long have we been doing awareness, and we keep expecting a different result?” he states.
But perhaps a different approach is required, as David Cass, CISO of information solutions provider Elsevier, tells delegates at the conference.
“No one wants to sit through 45 minutes of security awareness training,” he says, suggesting that companies have to create awareness of security issues in a short and easily digested way.
The best way, Channel 4 CISO Brian Brackenborough believes, is by speaking to employees about consumer security protection, in the expectation that this will make them think about the same problems at work.
“We try speaking to them about antivirus and how they use it at home, and once they associate themselves with it, they start thinking about it at work,” he says.
Insurance firm AXA UK has lunchtime drop-in sessions for employees who want to learn more about protecting their own devices.
“We’ve had lunchtime drop-in sessions where we’re not talking about corporate security but consumer protection, and people want to hear about this. If you’re talking about taking steps to protect the consumer, it is very similar to some of the steps in protecting corporate PCs,” says the firm’s head of security, Michael Colao.
McAfee CTO EMEA Raj Samani states that there is a “real appetite” for organisations to deploy this method, but warns that educating employees demands constant attention.
“Using one approach will likely result in a drop off in interest, therefore organisations should connect with employees over their use of technology within the home, but also consider alternative methods,” he says.
One such suggestion, says Bill Walker, technical director at QA Training, is creating an app that appears to shut down employees’ machines, then informs them that they have just been attacked and that all of their emails and data have been lost.
“When you then tell them that this was a drill, they would sit up and listen. It’s one of those things that people only take seriously when they see the consequences directly,” he says.
The problem is that many employees have an ‘it will never happen to me, so I’m not worried’ attitude, he adds.
Indeed, the Home Retail Group, owner of retailers Homebase and Argos, used a different technique to raise awareness of phishing emails, and how to avoid them.
“We got a guy dressed up as a gnome and went out across the office and handed out pamphlets and asked the employees to come to us if they had any questions. After a couple of weeks we had been very successful in ensuring that phishing emails were no longer an issue,” Home Retail Group’s head of information security, Lee Barney, explains.
Techniques such as this may be beneficial to the business at the simplest level, but perhaps of greater importance is maintaining a constant dialogue between employees and security teams to ensure that security protocols aren’t hampering productivity.
“What we don’t do as security professionals is to truly go out and ask the end user what’s acceptable and what’s not,” Nike VP and CISO Bill Dennings emphasises.
But once the security team does communicate with the end user, and personalises security for them, what should organisations do next?
Training is one option and, according to Samani, there are various options businesses can pursue, but the most important thing is to measure the success of any training.
“To give an example, where call centres are used the organisation may want to consider tiger testing to determine whether the education method being used is working,” he says.
QA’s Walker suggests that a short video session could be beneficial, as long as it is exciting and informative.
“A short video session can be great if it really resonates with them. They need to go away thinking ‘I must do things differently to protect myself – I now understand the risk to me and my company – I always thought cyber security was just an IT issue.'”
Computing and QA Training’s Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.