In this opinion piece, Gerald Beuchelt, CISO of LogMeIn, considers how companies can develop and maintain a culture of security awareness.
There is no question that digitalisation has brought newfound opportunity to businesses; however, as we are all painfully aware, it has also made them more vulnerable to security risks. Perhaps unsurprisingly, it’s the human factor which is increasingly the weakest link in the security chain.
Whether it’s the rise of remote working with people choosing where they work, or the blending of personal and professional devices as networks are opened to large volumes of unsanctioned devices.
Last year was touted as the year of the data breach, with the number of breaches resulting in exposed records rising by 54% for the first half of the year. To mitigate potential risks, businesses would do well to implement a universal security culture to stay secure. Here are five key tips to help businesses develop and maintain security awareness among their employees:
1. Security thinking knows no hierarchical levels
Implementing effective security programmes requires every member of staff to be involved. Security awareness is by no means a one way street. Rather, it requires a joint effort on the part of every member of staff, regardless of seniority – everybody must put in their fair share to make the company more secure.
Every member of staff must adhere to and understand a business’s security goals and guidelines, meaning upper management must set a good example and ensure that security is sustainable.
And although we often focus on how to secure your online devices, it is also worth remembering that people can access information through on-premises infrastructure also. It is important to be aware of your physical environment, take note of unrecognised individuals and don’t let people without appropriate accreditation into secure areas.
When it comes to team structures, IT teams are in a unique position in that they communicate with every member of staff – this opportunity should be taken advantage of by ensuring that security awareness spans across hierarchical levels.
2. Security teams must speak the language of the employees
Every change and improvement should be communicated to staff openly and transparently, explaining why a certain solution has been implemented and the impact it will have on their work. The alternative encourages a lack of understanding for which security teams will only have themselves to blame.
Security teams can often be seen as a world apart from other teams, serving to control what people can and cannot do at work. To remedy this, they would do well to regularly communicate with employees face-to-face, making it clear how changes to an organisation’s security infrastructure benefit employees, rather than restrict their work.
This is particularly important with changes to the daily workflow – such as multi-factor authentication – that can often feel like a hindrance especially in the rare case where someone is locked out. Implementing quick and reliable process to remedy this is key to keeping employees onside.
3. The multi-generational workforce
There are now up to four generations working and collaborating under the same roof. Each one of these learns differently; for example, some are more receptive to audio or visual content, while others prefer more practical approaches.
Despite these differences, it’s clear that providing consistent communication is the key to generating strong awareness among team members. Businesses should provide all training and materials across appropriate channels for every type of learner within the workforce. Not only this, but it should begin at an early stage if they are to yield the most impactful results.
4. Communicating security in a playful way
It’s no secret that humour and repetition sticks. Click-through computer-based training does not remotely fulfil these requirements and ultimately only scares employees away from learning about security. By hosting regular education sessions, businesses can ensure that security awareness is ingrained within an organisation as part of its culture.
However, information overload can be a dangerous thing and there are best practices to get your organisation’s security messaging across.
For example, Security teams should tell their security stories in the form of short films depicting specific threat scenarios – this could then be amplified with short tests to ensure employees have absorbed the necessary information. Additionally, escape-the-room setups are modern, playful ways of testing security knowledge.
Here, employees are confronted with security gaps which can only be filled by resolving the issue. This is something that’s been very successful at LogMeIn and many other companies.
5. Security is not a one-time event
No matter how memorable or detailed, a one-off security course will never have a lasting impact. Organisations should think of their security culture as a living organism, constantly evolving in line with emerging threats. Education and training on current and future threats should be ongoing– it’s time businesses begin treating this as a rule, rather than an exception.
Stay secure for the year ahead
Everyone is ultimately at risk when it comes to security breaches – hackers do not distinguish between seniority levels and everybody is at risk, particularly in the digital era where data is a valuable asset.
IT and security teams must make an effort to ensure an organisation’s security protocols are clearly conveyed to each member of staff on an ongoing basis. Not only this, but it must be done on the appropriate channels so that every employee, regardless of their age, can benefit equally.
Employees are too used to undertaking training to simply check a box, and this needs to change. Security teams must revisit the way they amplify security messaging across an organisation and ensure that it sticks, whether that means creating short films, quizzes or collaborative workshops. Tailoring the message to the respective audience is – as always – the key to success.