Celebrating National Cybersecurity Awareness Month
Infor shares thoughts on cybersecurity training and awareness programs
One of the top security concerns organizations face is human error. Employees have access to internal information, resources, and systems, which puts them in a position to cause more damage to an organization’s information and assets than external threats. Approximately 70% of insider breaches are caused inadvertently by human error or negligence. Phishing attacks continue to pose the most significant threat: approximately 91% of all successful cyber breaches can be traced back to a spear-phishing email. Other human-factor-related threats include poor password management, use of unauthorized file-sharing platforms, installation of third-party software, unsafe browsing habits, and loss of devices containing corporate information.
Cybersecurity training and awareness programs are no longer just about delivering training materials. They require a holistic approach in which cybersecurity messages are delivered through multiple channels, remain consistent throughout the organization, and are reiterated frequently. To aid this effort, there has been a shift in focus from standalone cybersecurity training and awareness programs to the incorporation of cybersecurity values and practices into an organization’s culture. An organization’s culture is defined by the shared assumptions, values, beliefs, and ‘social norms’ of the people within it. It has a powerful influence on employees’ attitudes, behavior, and performance. This means that organizations must also work on improving their overall culture to maximize employee engagement and compliance in cybersecurity. Figure 1 provides a visual representation of the factors surrounding a culture of cybersecurity.
A best practice is for organizations to conduct an assessment for each of these factors to ensure cybersecurity messages are consistent. For human factor-related risks, surveys and focus groups can be used to understand employees’ perspective on the culture and cybersecurity, since it’s their behavior we aim to change. In doing this, organizations will be able to:
- Identify which cybersecurity behaviors their employees do well and where there is room for improvement.
- Identify phenomena that could aid or hinder progress with cybersecurity initiatives (e.g., politics, employee recognition schemes, existing policies).
- Understand how employees perceive cybersecurity and their attitudes towards it.
- Determine what would motivate employees to behave securely.
- Identify individual and departmental learning requirements and learning styles.
Once primary data has been collected and systematically analyzed, the objectives to move forward with cybersecurity initiatives will become clearer.
Infor’s security awareness strategy was developed using a combination of professional research and results from employee-focused surveys and focus groups which helped us to identify where improvements could be made. From research, we discovered that gamification can be a great way to get employees engaged in learning about cybersecurity best practices by adding a competitive edge. We developed a couple of courses in-house and made them available through our Learning Management System. Employees should be rewarded and recognized for their efforts in cybersecurity, so we launched our ‘Security Hero’ recognition program where employees can nominate each other for awards based on five recognition values. We are announcing our first round of winners in time for National Cybersecurity Awareness Month.
From surveys and focus groups, we gained valuable insight into which security behaviors our employees exhibit most often and which they exhibit less often. This enabled us to identify areas where more focus is needed to ensure our cybersecurity messages are relevant. We discovered that our employees wanted more department-specific cybersecurity training hosted by someone internally, as opposed to limiting it to generic computer-based training. Employees also wanted more insight into the security team’s projects and initiatives, so that they understand the reasoning behind our security-related decisions and the importance of each piece of security software installed on their devices. We also provided additional channels for employees to raise security concerns, with an option to remain anonymous, to encourage them to report concerns they would otherwise be reluctant to report.