Security Awareness Blog

2017 Planning Ideas and 2016 Lessons Learned

Amplify Your Security Awareness Program in 2017

At the end of December I led a webcast reviewing some of the key lessons learned in 2016 and what we can do in 2017 to keep improving the practice, and impact, of security awareness programs. After working with hundreds of clients and awareness officers from around the world throughout last year, here are some specific lessons learned from 2016 and tips to make your program more effective in 2017.

Leverage the Security Awareness Model

Start with the Security Awareness Maturity Model to ground your planning and strategy. The model was developed in collaboration with over 200 awareness officers to help people define and communicate their program. Traditionally, most awareness efforts have been compliance focused; 2016 was the first year we saw organizations reboot their awareness programs and point them at a goal beyond compliance alone. You still have to maintain compliance, of course, but 2017 is the year to take your program to the next level: from compliance to behavior change, culture change, and concrete activity around metrics and measurement. Three reasons are driving this.

Better understanding of the challenges

2016 brought a better understanding of the challenges awareness programs face. The better we understand what keeps awareness from sticking, the better we will be at uncovering the causes of those challenges and, consequently, how to overcome them. In 2016 we saw some shocking data in support of this. Nearly two thirds of awareness officers spend less than 25% of their time on awareness activities. Less than 15% of awareness professionals come from soft-skills backgrounds, the very skills that are key to addressing culture and behavior change.

Focus on holistic awareness

In 2016 the conversation moved beyond computer-based training alone to the entire practice and process of awareness training, viewed holistically. If all you're doing is touching people once or twice a year with mandatory computer-based training (CBT), the reinforcement isn't there to change behavior or culture. Rhonda Kelly of Oshkosh (and now Wal-Mart) created a comprehensive awareness communications plan that lays out each day of the year by month and type of engagement. Engagement includes newsletters, training videos and, of course, phishing training. The plan covers far more than phishing training, which many organizations treat as their entire awareness program.

Prioritize risks

Dr. Angela Sasse has a great saying: "Every behavior has a cost." It is never more true than when dealing with the deluge of information packed into the materials of many awareness programs. Conduct a human risk assessment to identify the key human risks you are going to prioritize, then identify the fewest human behavior changes needed to manage those risks.

This is one of the secrets to security awareness. The key is not so much deciding what to teach people but rather deciding what not to teach people.

2016 also saw an increase in the volume and maturity of CEO fraud and business email scams. This is worth noting because, unlike ransomware, which is just another form of malware, CEO fraud has no malicious link to click or attachment to download. It is 100% dependent on human behavior. Arm the human recipient with more aware behavior and you drastically reduce the attack surface for CEO fraud.

Planning for 2017

Move to long-term sustainability of the program and its benefits. Go bigger and better. Start to change culture. Ambassador programs are a great way to do this.

Focus on automation - It's a way to tackle the lack of time head on. Get the right training to the right person at the right time. This addresses the cost side of behavior change: automation reduces the cost of changing behavior all around.

Focus on metrics - Move beyond phishing metrics. Look at lost devices, what type of data is leaving the organization, etc.

Prioritize risks and behaviors - Lean in and make the hard decisions about what, and what not, to train. Focus on the high-risk, high-impact behaviors. For example, the National Cyber Security Alliance ran the "Lock Down Your Login" campaign in 2016. It's a simple but critical message with just a single behavior: enable two-factor authentication.

Consider focusing on the 3 C's of awareness training. This mental model is a way to address the challenges of 2016 and the opportunities of 2017.

Communication - get a communications staff or expert embedded in the awareness team or program. Beg, borrow or steal your way to access communication expertise.

Collaboration - focus on how to work with other departments, because awareness is a team sport.

Culture - know what your culture is and the bedrock values that underpin it, so you can align awareness with those values.

Learn more about how SANS can amplify, and simplify your security awareness program.