Distraction is the ultimate challenge in day-to-day computer usage. Its consequences can be detrimental — links that shouldn’t have been clicked, attachments that shouldn’t have been opened, sensitive information that should not have been shared. Then there are network infiltrations, ransomware infections and data breaches. They all trace back to that one word: distraction. Distraction is the opposite of awareness. According to popular belief and standard practice, this so-called “awareness” accounts for a large part of what’s needed to prevent security incidents, or at least minimize their impact, right? Not so fast.
Awareness Is More Than Do’s and Don’ts
In the context of information risk management, security awareness often has little to do with building relationships with users. Instead, it consists of statements, proclamations and outright demands from technical professionals telling users to “do this” and “don’t do that,” with no real explanation of why any of it matters. I see it all the time in my work, and hear stories from my friends and colleagues. Security is often shoved down users’ throats with little to no explanation. The messages get out, but users are scolded into conformity, and any benefits are short-lived.
It’s safe to say that most working adults understand the essentials of what they should and should not do on their computer systems. Still, successful exploitation of users is more common than ever. The most common gap is a lack of proper technical controls to enforce security policies and keep people from making security decisions on behalf of IT. Threats will find their way through, and vulnerabilities will be waiting to be exploited.
Awareness allows users to focus on what’s important without having to form opinions, pass judgment or even make conscious decisions. It’s about leveraging the common sense we all have and applying it to the various scenarios of everyday computer use. This doesn’t mean that every user must be a security expert; rather, their day-to-day computer choices must match the right response to each trigger without much thought, like seeing an email or a pop-up window and immediately knowing what to do. Such behavior is simply the result of good habits, built through ongoing repetition and guided by feedback during security awareness and training initiatives.
Identify and Tighten the Gaps
If you want to improve your security program and overall user security education, simply signing up for a subscription-based phishing/training services program is not going to cut it. You must step back and evaluate the bigger picture of what’s going on in your unique business situation. The following steps can highlight gaps and offer opportunities to improve over time:
- What is your riskiest business workflow? Perhaps it’s inbound email, customer service or helpdesk interactions with outsiders. Maybe it’s accepting, reviewing and fulfilling online orders. It could even be something as seemingly rudimentary as financial transactions. You must identify the 20% of scenarios that create 80% of your business workflow risk.
- Once you’ve identified the gaps and opportunities, connect with business unit managers, end users and others, and ask them how the risks in these scenarios can be prevented. This triggers a solutions-oriented mindset that uncovers everything in their day-to-day operations (things that only they are aware of). These are factors that you as a technical professional could not possibly think of, and that technical controls could not possibly prevent.
- Reflect on how people think. Look at past security events and incidents and see how the root causes are interrelated. Then, think about what users, technical staff and business executives could have done differently. Next, analyze how these lessons can be integrated into your user education initiatives. Instead of individually scolding users when they do something wrong, perhaps you could hold a town hall-type discussion that considers feedback from all perspectives.
- Come up with a plan to implement the changes. Necessary changes will likely require both operational and technical tweaks to your environment. Simply throwing yet another technical control or boring training video at people won’t be enough.
Do what you can to make sure “awareness” means more than having made your users “aware” of what they can and cannot do on their computers through online videos and web training content. Instead, take the above steps to develop their awareness of what’s going on around them at all times, security-related or not. Rather than having your users rely on your security controls to keep everything in check, help them grow and develop themselves. Share with them the need to gather information before acting, and focus on the important elements of your security program and business, so that these become subconscious habits.
Improving user education requires an ongoing presence on the part of IT and security staff, as well as all users. It’s up to you to establish ways for users to contribute to a positive security posture, rather than detract from it. If you need to, bring in external experts who might be able to better connect with everyone.
Clearly, traditional approaches to security awareness and training need to be improved. Find your gaps and fix them. It’s better to start now and maintain control than to put this off until you’re forced to make changes.