teissTalk: How effective is your security awareness programme?

teissTalk host Jenny Radcliffe was joined by Stuart Coulson of Hidden Text; James Hamon, Chief Information Security Officer, Financial Ombudsman Service; Veroniki Stamati, Information Security and Privacy Engineering Lead, Skyscanner; and Johan Dreyer, EMEA Field CTO, Mimecast.

Views on news

The news that the NCSC is urging businesses to review and redesign their BYOD strategies had a mixed reception from the panel. There is no denying that, as life bounces back to normality, the so-called "just make it work!" mentality that helped businesses stay afloat during the pandemic needs revisiting.

Organisations have been slow to design and implement their own BYOD policies: according to a Bitglass study, 51 per cent still had no such policy in place by November 2020. The news article quoted senior platform researcher "LunaR", who warned in a blog post that admin access to company resources granted to BYOD users needs to be revoked immediately and reassigned in a deliberate, planned fashion.

However, the panel agreed that it is counterproductive for information security professionals to become the department of NO! Cybersecurity programmes have to be more soft-touch, and alternative ways need to be found to tackle the security concerns that BYOD permissions entail. Skyscanner, for example, went down the route of upgrading employees' devices, which, although it had a price tag attached, helped the company sidestep the kinds of risk that other companies now need to address. Programmes have to be relatable as well as adoptable to be impactful.

What is the measure of success when assessing cyber security awareness programs?

Assessment shouldn't necessarily happen through traditional testing, but rather by watching for positive behavioural change. When staff come to you proactively with their cyber security questions and problems, or become more confident about reporting issues they may themselves have caused, that is a sign your programme has achieved some very good results.

Gamification is a great tool for making learning more effective, and team scores and leader boards can generate high interest and motivation, but it cannot be adopted by every organisation, and participants can easily get carried away in the heat of a team competition. It seems that a dedicated cyber security awareness role is not on the agenda yet, and the related responsibilities – as the job titles of our panellists suggest – will stay with CISOs and CTOs for some time to come.

Panellists’ advice

To assess a cyber security awareness programme, measure staff engagement and how much they have understood, in a way that resonates with your corporate culture.

Make your cyber security awareness programme continual by releasing weekly audio and video podcasts, newsletters and ad-hoc messaging.

Don’t let competitiveness hijack the original purpose of the programme when relying on gamification in cyber security awareness training.

Stuart’s tip on how to start a career in cyber security: Be passionate about the subject and get a general qualification first! Start with a CISSP!

Copyright Lyonsdown Limited 2021
