
teissTalk host Jenny Radcliffe was joined by Andy Cocallis, Head of Information Security, UK Biobank; Lucy Finlay, Head of Security Education and Training, Aviva; and Ilona Vaiciuniene, Security Awareness Manager, Vinted.
The UK’s National Cyber Security Centre (NCSC) has launched a significant public awareness campaign to encourage stronger security practices for emails and other digital accounts. The campaign offers actionable cybersecurity guidance to the public, in line with the UK government’s Cyber Aware advice. It has been launched across broadcast, online and almost 2000 billboard adverts, and will run until May 2022. The NCSC also revealed that its Suspicious Email Reporting Service had received more than 10.5 million reports since launching almost two years ago. This has resulted in 76,000 online scams being taken down. Under this initiative, members of the public are encouraged to report suspicious emails by forwarding them to report@phishing.gov.uk.
Strong passwords and 2FA, which the campaign focuses on, are key to cybersecurity but are not enough by themselves. However, the NCSC is best positioned to start an initiative to standardise practices around cyber security across businesses. The initiative is definitely a good start and has the potential to evolve into something much bigger and more far-reaching.
Security compliance is relatively easy to monitor, but culture change is harder both to bring about and to measure. However, the compliance side can be leveraged to accelerate the latter. For smaller companies, security education and training is still a nice-to-have, with often just one person doing the job.
To measure the effectiveness of training, it is not enough to keep a record of who turned up; it is also important to see how behaviours and habits have changed as a result. Data is both a corporate and a personal concern.
Understanding what they can lose through the leakage of their personal data can make employees act more responsibly when it comes to corporate data. Integrating psychological cues into training and grasping how cognitive biases work can also make cyber security education more engaging. Security champions networks can bring great value and important feedback.
A network like this is also a great internal investment: if your champions are well briefed, they will act on your behalf independently. COM-B, the capability, opportunity and motivation behavioural model, provides a guide to understanding why a particular behaviour is not engaged in, and how behavioural targets can be identified and used as a focus for interventions.
Conducting an anonymous survey is a great way to find out what sort of communication employees expect from the security team or think is effective.