
teissTalk: Measuring the effectiveness of your security awareness programme


teissTalk host Geoff White was joined by Dora Ross, Global Information Security Culture Specialist, DAZN Group; Sarah Janes, Behaviour and culture specialist, Layer8; Victoria van Roosmalen, Chief Information Security Officer, Coosto.

Tweaking security messages to different environments

From a security perspective, a mobile is just another computer. But the fact that users have their mobiles in physical proximity may give them a false sense of security, even though the data they store on it is personal and therefore may be more painful to “lose”.

Features specific to mobile phones, such as truncated hyperlinks, senders' addresses that do not always appear on screen, and the much heavier use of apps compared with laptops and desktops, make them more vulnerable to attack. Anyone new to an information security role should start with a baseline analysis: hold discussions with the business units involved in cyber security to learn about previous breaches, and talk to the CISO about their priorities.
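To make the two mobile blind spots above concrete, here is an added example (not code from the teissTalk page or any of its panellists). It mimics what a phone shows, only the first few characters of a link and only a sender's display name, and compares that with what is real: the host the browser will actually connect to, and the domain of the address behind the display name. All domains and headers are constructed and hypothetical, and the screen width is an assumed, illustrative value rather than a measurement of any real client.

```python
"""Added example (not from the teissTalk page or any panellist): make the
mobile blind spots concrete. A phone shows only the first few characters
of a link and only the sender's display name, so these checks compare
what is shown with what is real. All domains and headers are constructed
and hypothetical; the screen width is an assumed, illustrative value."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed number of characters a narrow mobile screen shows before
# truncating a link (illustrative, not measured from any real client).
MOBILE_LINK_WIDTH = 28


def actual_host(url: str) -> str:
    """Hostname the browser will really connect to, lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def mobile_link_preview(url: str, width: int = MOBILE_LINK_WIDTH) -> str:
    """Mimic a mobile client that shows only the first `width` characters."""
    return url if len(url) <= width else url[:width] + "..."


def _within(domain: str, expected: str) -> bool:
    """True when `domain` is `expected` or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def link_looks_deceptive(url: str, expected: str) -> bool:
    """True when the visible, truncated part of the link mentions the
    expected domain but the real host is somewhere else, e.g. the
    expected name used as a subdomain of an unrelated domain."""
    mentions_expected = expected in mobile_link_preview(url).lower()
    return mentions_expected and not _within(actual_host(url), expected)


def sender_looks_deceptive(from_header: str, expected: str) -> bool:
    """True when the display name (often all a phone shows) claims the
    expected organisation but the address domain does not match it."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return expected in name.lower() and not _within(addr_domain, expected)


# Constructed sample inputs: one legitimate and one look-alike of each.
SAMPLE_LINKS = [
    "https://login.example.com/reset?token=abc",
    "https://login.example.com.security-check.invalid/reset?token=abc",
]
SAMPLE_SENDERS = [
    "IT Support <helpdesk@example.com>",
    "example.com Helpdesk <helpdesk@mail-notify.invalid>",
]


def triage(expected: str = "example.com") -> dict:
    """Run both checks over the samples; each row pairs what the phone
    shows with what is real and the verdict."""
    return {
        "links": [
            (mobile_link_preview(u), actual_host(u), link_looks_deceptive(u, expected))
            for u in SAMPLE_LINKS
        ],
        "senders": [
            (parseaddr(s)[0], parseaddr(s)[1], sender_looks_deceptive(s, expected))
            for s in SAMPLE_SENDERS
        ],
    }


if __name__ == "__main__":
    for kind, rows in triage().items():
        for shown, real, flagged in rows:
            print(f"{kind}: shown={shown!r} real={real!r} deceptive={flagged}")
```

The second link is the case the panel describes: on a narrow screen it reads `https://login.example.com.se...`, which looks like the expected domain, while the host that will actually be contacted is `login.example.com.security-check.invalid`. The second sender shows the same trick with a display name. Both checks are deliberately simple and are meant as training material, not as a substitute for mail-gateway or URL-rewriting controls.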

When establishing the security baseline, some areas are easy to measure, such as compliance; the effectiveness of communication and engagement is harder to measure, and behaviour is the trickiest to gauge. Staff are more likely to develop real security awareness when they understand why a measure is in place rather than simply being told what to do. To assess where the organisation currently sits in its security development cycle, rate it against the five levels of the Capability Maturity Model (CMM).

The panel's practical advice

Don't make important decisions in a heightened state of stress. Always ask yourself whether the task can be put off until a little later and done on a laptop or desktop rather than on a mobile device on the fly.

To establish the baseline, the best people to talk to are the security operations, internet management, legal, employee experience and data protection teams.

Identify the four to six most important moments when a wrong security decision can put the organisation at risk, and establish what level of knowledge, skills or engagement your users need in order to avoid them.

Use word clouds to present the feedback you received on attitudes to and behaviours around security.

One way of learning about your employees' security mindset is to discuss "bold statements" with them: statements with no right or wrong answer, only different approaches to the same issue.

 

Views on news

The time has come to look at securing mobile devices against ransomware, as it is an attack surface that cyber criminals are already using: almost every organisation encountered a mobile malware threat in 2020, according to Check Point's Mobile Security Report 2021.

As mobile ransomware attacks grow in prevalence and sophistication, it is possible that a threat actor will attempt to gain access to corporate assets or infrastructure through such an attack in the future. According to the report, four in ten mobile devices are vulnerable to cyber attack, and nearly half of organisations had an employee download a malicious app. Mobile security is therefore increasingly a topic that information security training has to cover, for example as part of social engineering.

Watch it on-demand here.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543