teissTalk: Is your hybrid security awareness programme helping or harming your organisation?

teissTalk host Thom Langford was joined by Oscar O’Connor, Chief Storyteller, Oscar O’Connor & Co.; and Keil Hubert, Head of Security Awareness & Training, OCC.

Views on news

The language of cyber security was not originally designed for narratives aimed at a wider audience. Users are often burdened with knowledge that security professionals need to have but that is irrelevant to them. Policies for users should be concise and digestible; otherwise there is a risk of losing the audience.

On average, companies spend only 2% of their cyber security budget on getting their messages across. Meanwhile, new figures compiled by email security specialist Tessian reveal that two-thirds of employees don’t bother to pay attention to cyber security training, that “home-brewed” PowerPoint presentations are failing to make an impact on employees across the board, and that only one in three users is satisfied with their IT or security team’s communications.

Tips on what security leaders could do better included playing an active role at key touchpoints during an employee’s journey with the organisation, such as onboarding, role or office changes, and offboarding.

The point of awareness programmes should be to get employees to behave in a way that doesn’t harm their organisation. If not done well, however, phishing simulations, for example, can build resistance among staff, who may construe them as bullying. To successfully change your employees’ mindset, you need to educate and train them, as well as raise their awareness of what the company’s security policy is.

Reflecting a more human approach, principle-based policies seem to work much better in creating a resilient cyber security culture than detailed, prescriptive rules. However, unless the organisation already has a robust corporate culture with accountability and oversight at its heart, principle-based policies may breed bias and abuse too and, therefore, their effectiveness can vary from country to country.

Recharacterizing phishing simulations

It is common to say that cyber security in a home-working environment is invariably worse than in offices, forgetting how poor an office’s cyber defences can get. Hybrid security awareness programmes currently sold by vendors are often repackaged versions of pre-pandemic solutions.

Hybrid work is not a completely new concept: business operations were distributed in the past too, with regional and international offices, salespeople on the road, and so on. In fact, with the proliferation of home offices, security controls similar to the pre-pandemic ones need to be implemented, with a bit of adaptation and at scale.

As for phishing awareness campaigns, they may do more harm than good by irritating users and providing opportunities for blaming and shaming. If an email system is well designed, the number of phishing emails getting through it will drop dramatically anyway, removing most of the problem.

What employees fail to learn during a phishing simulation is what protection they can get from phishing, and fraud in general, and how to report it. There was some disagreement on the panel, though, regarding the overall effectiveness of phishing simulations. Oscar believes that employees would be better off getting some training about fraud in general than about its specific types, such as phishing, smishing or vishing.

Meanwhile, Keil maintains that they can be effective in changing behaviour when not regarded as a test of users’ abilities but rather as a way of teaching them the tricks that scammers use – while also changing the language from “you’ve failed this test” to “we got you with this trick – let’s see how!”. It should sound more like a treasure hunt than a stick. And, first and foremost, it should be about training users’ instincts.

The panel’s advice

The most effective messages are short, single-topic and repeated several times.

The goal of your cyber training programmes should be to help your users solve their problems, as well as to build credibility and rapport with them.

It’s possible to condense 40 pages of a company security policy into six statements that stick.

Interweave team meetings with 5-minute Q&A sessions or security exercises.

Turn your hybrid security awareness programme from a lecture into a conversation, demonstrating to your staff that you mean to support and empower them.

Watch on-demand here.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543