When assessing an organization’s security posture, the emphasis to date has largely been on the software, processes and technologies in use. With the large majority of successful cyber-attacks traced back to human error (a figure of around 90% is commonly cited), it’s time for our security programs to undergo a paradigm shift and recognize that properly trained and empowered employees are essential to any effective, modern security program. Here are three tactics you can implement to make your people the strongest link in your security chain.
1. Move your employees from aware to care
Security education to date has done a good job of creating general awareness of the vital role employees play in threat mitigation. The challenge today is moving employees from that baseline awareness to a place where they deeply and actively care about their impact on cybersecurity.
So, how do we do that?
The first step is to assess the current state of your security training. If it consists merely of annual trainings to check audit boxes, it’s time to reassess. Treating security as a holistic, real-time program rather than a series of one-off trainings builds a culture of security, where everyone feels invested in protecting the organization on a daily basis, irrespective of their actual role. Your training program should help employees fully understand the specific role they play in preventing security breaches and empower them to make smart decisions along the way. The goal is to develop a sense of accountability and responsibility by clearly demonstrating how each person’s actions feed into the organization’s overall security posture, and what that posture means for the organization at large.
One way to do this is to shift your view of security training from an annual checklist to an ongoing, real-time marketing program. When building a program, instinct might lead you to start with content, but that isn’t always the most effective approach. Content alone is throwing knowledge at people; messaging has to be memorable if it is to have a longer-term effect. The most effective way to make it land is to get to the “why” while also reiterating the timeliness and relevance of the cyber threats currently targeting your organization. Think about the context of each individual role and create relatable content that develops that role’s “why” and helps people understand exactly where they fit in their company’s security program.
2. Factor in the human variability
A strong security program is rooted in a strong security strategy, and a key part of that strategy is accounting for human variability. Assume that everything that can go wrong will go wrong at some point, and build your cyber defenses for the worst-case scenarios.
With more remote workers than ever before, accounting for human variability has never been more important. Security programs need to be tailored to the variability of the human experience, so that all employees, whether they sit in a physical office or not, feel connected and empowered to make smart security decisions. In a hybrid work environment employees are more dispersed than ever, and how an organization manages the human variable will be either its greatest threat or its biggest competitive advantage. Building security strategy and programs around that variable is what lets them hold up in today’s complex landscape.
What does a security program rooted in variability look like?
Security leaders must create a training program tailored to the human variable and focused on the real-life, real-time scenarios that emerge in a hybrid workforce. The goal should be to instill a security-focused way of thinking, so that employees can safely handle situations outside the cookie-cutter training scenarios and apply the same principles to cases that were never covered in a training session.
An effective way to do this is with scenario-based threat awareness trainings. This could entail working through a detailed and realistic description of an actual or hypothetical threat with all stakeholders in the room, talking through the exact steps they would take if the threat were happening in real time. Culturally relevant and timely phishing simulations are another effective way to exercise employees’ security muscle and to identify knowledge gaps across the organization; treat the results as a measure of where more training is needed rather than as grounds for singling people out, since a punitive approach discourages the very reporting behavior you want. Your IT and Security teams should also work hand in hand to build training scenarios tailored to the variability of a distributed workforce: lessons that speak to the risks of information flowing in and out of the office, to the dangers of working from public areas, to the kinds of attacks that target at-home workers, and more.
If you haven’t already, 2022 is the year to go all-in on zero trust. In practice this means that no user or device is trusted simply because of where it sits on the network: every request for data or applications is authenticated and authorized on its own merits, taking into account who the user is, what role they hold, and whether the device they are using is managed and in a healthy state. As the remote workforce adds more endpoints outside the traditional perimeter, a ‘trust no one, verify everyone’ attitude becomes increasingly important.
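To make the difference between perimeter trust and zero trust concrete, here is an added illustration (not code from the original article or from any product it refers to). It contrasts a perimeter-style check that allows anything on the office network with a zero-trust decision that verifies a signed, short-lived token, checks the device against a managed-device inventory, and then checks the role’s permission for the specific resource and action. The signing key, device registry, policy table and token format are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared secret for this example only; a real deployment would
# verify tokens issued by an identity provider, not a hard-coded key.
SIGNING_KEY = b"example-signing-key-do-not-use"

# Constructed device inventory: only managed, compliant devices are trusted.
DEVICE_REGISTRY = {
    "laptop-0042": {"managed": True, "disk_encrypted": True, "os_patched": True},
    "byod-7": {"managed": False, "disk_encrypted": True, "os_patched": False},
}

# Constructed authorization policy: role -> resource -> allowed actions.
POLICY = {
    "finance": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "engineer": {"wiki": {"read", "write"}, "build-server": {"read", "write"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, role: str, device_id: str, ttl: int = 900, now=None) -> str:
    """Mint a short-lived HMAC-signed token binding user, role and device."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "dev": device_id, "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now=None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def perimeter_decision(source_ip: str) -> bool:
    """The model zero trust replaces: anything on the office LAN is allowed."""
    return source_ip.startswith("10.")


def zero_trust_decision(request: dict, now=None) -> Tuple[bool, str]:
    """Evaluate each request on its own merits; source IP plays no part."""
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return False, "unauthenticated"
    device = DEVICE_REGISTRY.get(claims["dev"])
    if device is None or not device["managed"]:
        return False, "unmanaged device"
    if not (device["disk_encrypted"] and device["os_patched"]):
        return False, "device out of compliance"
    allowed = POLICY.get(claims["role"], {}).get(request["resource"], set())
    if request["action"] not in allowed:
        return False, "not authorized for resource/action"
    return True, "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", "finance", "laptop-0042", now=t0)
    print(zero_trust_decision({"token": tok, "resource": "payroll-db", "action": "read"}, now=t0))
    # A request from inside the office with no credentials: perimeter says yes, zero trust says no.
    print(perimeter_decision("10.1.2.3"), zero_trust_decision({"resource": "payroll-db", "action": "read"}, now=t0))
```

The point of the contrast is that the zero-trust path never consults the source address: the same unauthenticated request is refused whether it comes from the office LAN or a coffee shop, and a valid token on an unmanaged or out-of-date device is refused too.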
3. Prioritize educating, empowering and engaging employees in building a better security posture
Your job today is to inspire curiosity and confidence in your employees when it comes to security training, while also creating a space where security isn’t intimidating or punitive, but rather exciting and engaging. Offering security team office hours, job shadowing and pointers to additional resources develops curiosity and allows employees to go deeper intellectually and care more about security, not just at work but in their everyday lives as well. The ultimate goal is to educate, empower and engage employees so that they know their role in the security program and are comfortable and confident in the responsibilities that come with it.
Ultimately, your employees are your greatest strength when it comes to security preparedness. Exposing them to the threats that exist today, equipping them with the tools they need to stay protected, and fostering a culture of security will give them the know-how, and the will, to defend themselves and your organization against cyber threats.