AwareGO CEO Ragnar Sigurdsson and Dr. Maria Bada, research associate at the Cambridge Cybercrime Centre, have assembled an essential guide to cybersecurity in their recently published special edition of Cybersecurity for Dummies. The book is full of practical information to help you turn the employees in your organisation into a cybersecurity taskforce. In this blog we focus on how you can develop an Information Security Awareness Strategy using the tips from the book.
“Cyber-attacks can crush small and medium size companies and severely damage large enterprises. Minimizing these risks as much as possible must therefore be mission critical to all organisations.” – Ragnar Sigurdsson
A robust cybersecurity strategy is underpinned by the “CIA Triad”: Confidentiality, Integrity and Availability of your systems and data. A critical part of this strategy is Information Security Awareness.
Steps to developing an Information Security Awareness Strategy
- Step 1 – Who are the key stakeholders that need to be part of the discussion? Identifying the right representatives from your company is key to crafting your policy.
- Step 2 – What is the organisation’s current cybersecurity maturity level? “Identify what people know and what they still need to learn.” This can be done through engagement with employees, carrying out simulated attacks and learning from real breaches.
- Step 3 – What are your goals? These will depend on your organisation’s people, technologies and processes, but you need to set specific targets and define the strategies to achieve them.
- Step 4 – How are you going to get there? You need to consider the resources you have available and whether additional expertise or financial support is required to deliver your strategy.
Implementing your strategy
Effective communication with employees is key at this point. You need to make sure that all parties are aware of the company’s goals, cyber security initiatives and policies. Highlighting the risks that are out there and the role employees can play in protecting themselves and the organization will help them buy in.
AwareGO recommend a number of ways to get the cyber security awareness message across and here is a flavour of them:
- Create a website or space on your intranet dedicated to cybersecurity policies and education.
- Develop a classroom education program that explains your company’s cyber security policies.
- Leverage online video training modules that employees can access in their own time.
- Simulate phishing or social engineering attacks so employees can experience what a real attack looks like.
- Reinforce your message with posters or desktop wallpaper that highlight cyber security best practices.
Measuring the effectiveness of your awareness strategy
You need to demonstrate the value and the progress you are making to ensure the continued support of your program.
“No single metric can reveal the full spectrum of human cyber risk, so you have to look at multiple metrics when evaluating an information security awareness campaign. The metrics you use must be meaningful. Make sure they’re specific, easy to interpret, and repeatable.”
AwareGO describe the two key measurements as Awareness metrics and Impact metrics.
- Awareness metrics demonstrate that employees have gained knowledge of a specific behavior; this can be measured using periodic tests, quizzes or surveys.
- Impact metrics demonstrate observable behavior change. An example of this would be an increase in employees detecting and reporting phishing simulations, or a decrease in real security breaches.
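To make the distinction between awareness metrics and impact metrics concrete, here is an added example (not code from the book, from AwareGO or from Phish Insight) that computes both kinds of metric over a small constructed data set: four rounds of a phishing simulation with a post-training quiz after each. The campaign records, field names and the "behaviour improving" rule are assumptions made for the illustration. Awareness is the mean quiz score; impact is the click rate and report rate on the simulations; the least-squares slope across rounds is the repeatable trend number you would put in front of leadership.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Campaign:
    """One round of a phishing simulation plus its follow-up quiz (constructed schema)."""
    name: str
    sent: int                     # simulated phishing emails delivered
    clicked: int                  # recipients who clicked the lure
    reported: int                 # recipients who reported the email to security
    quiz_scores: tuple[int, ...]  # post-training quiz scores, in percent


# Constructed sample data: four quarterly rounds of the same programme.
CAMPAIGNS = (
    Campaign("Q1", sent=200, clicked=60, reported=20, quiz_scores=(55, 60, 62, 58)),
    Campaign("Q2", sent=200, clicked=44, reported=38, quiz_scores=(65, 70, 68, 72)),
    Campaign("Q3", sent=210, clicked=30, reported=63, quiz_scores=(78, 80, 75, 82)),
    Campaign("Q4", sent=205, clicked=18, reported=90, quiz_scores=(85, 88, 90, 86)),
)


def click_rate(c: Campaign) -> float:
    """Impact metric: share of recipients who fell for the lure."""
    return c.clicked / c.sent if c.sent else 0.0


def report_rate(c: Campaign) -> float:
    """Impact metric: share of recipients who reported the simulation."""
    return c.reported / c.sent if c.sent else 0.0


def awareness_score(c: Campaign) -> float:
    """Awareness metric: mean post-training quiz score in percent."""
    return mean(c.quiz_scores) if c.quiz_scores else 0.0


def slope(values: list[float]) -> float:
    """Least-squares slope per campaign: the repeatable 'trend' number.

    Positive means the metric is rising round over round, negative falling.
    """
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = mean(values)
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def evaluate(campaigns) -> dict:
    """Per-campaign metrics plus cross-campaign trends."""
    rows = [
        {
            "name": c.name,
            "click_rate": round(click_rate(c), 3),
            "report_rate": round(report_rate(c), 3),
            "awareness": round(awareness_score(c), 1),
        }
        for c in campaigns
    ]
    click_trend = slope([click_rate(c) for c in campaigns])
    report_trend = slope([report_rate(c) for c in campaigns])
    awareness_trend = slope([awareness_score(c) for c in campaigns])
    return {
        "campaigns": rows,
        "click_trend": click_trend,
        "report_trend": report_trend,
        "awareness_trend": awareness_trend,
        # Assumed rule: behaviour counts as improving only when both impact
        # metrics move the right way. A rising quiz score on its own is
        # awareness without impact, which is exactly the gap the text warns about.
        "behaviour_improving": click_trend < 0 and report_trend > 0,
    }


if __name__ == "__main__":
    result = evaluate(CAMPAIGNS)
    for row in result["campaigns"]:
        print(row)
    print("click trend:", round(result["click_trend"], 4))
    print("report trend:", round(result["report_trend"], 4))
    print("awareness trend:", round(result["awareness_trend"], 2))
    print("behaviour improving:", result["behaviour_improving"])
```

Reporting the two impact metrics together matters: a falling click rate with a flat report rate can mean people have simply learned to ignore odd emails, whereas a rising report rate shows the security team is actually being told about them.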
Developing a Cybersecurity culture
“People-centric security focuses on changing security awareness, behavior, and culture in tandem.”
Nurturing a strong cyber security culture in an organization should be the ultimate goal of your awareness strategy. AwareGO describe this as a virtuous circle: your security awareness program triggers behavior change, secure behavior develops a culture of security, and this in turn cultivates greater security awareness.
This is not something you can do alone. A commitment to, and recognition of the importance of, cyber security awareness needs to come from the most senior leaders in your organization. These leaders are often the most vulnerable and the most frequently targeted by cyber criminals, so you will also need to train them in a way that is appropriate to their role. Doing this and applying the approaches outlined above will ensure you have the right support and resources to deliver a really effective security awareness program.
Log in to Phish Insight today to explore how our security awareness platform can support you in your efforts to educate employees through phishing simulations, and explore AwareGO’s training content in our extensive training library.
AwareGO are a Gartner recognized company with a great track record of delivering a top-quality security awareness training experience. All of AwareGO's content is around one minute long, and in that time it delivers a really impactful message with an element of humor that your employees will be able to relate to. AwareGO’s modules are available on Phish Insight.