October is here, bringing the anticipation of fall weather, pumpkin spice lattes, and, most importantly, National Cybersecurity Awareness Month. A joint collaboration between the National Cyber Security Alliance and the U.S. Department of Homeland Security, National Cybersecurity Awareness Month aims to build awareness and accountability around information security.
This year’s theme, ‘Do Your Part. #BeCyberSmart’, encourages “individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.” (As a side note, last year’s slightly less poetic, but equally important, theme was ‘Own IT. Secure IT. Protect IT’. Get IT?)
For most organizations, cybersecurity training is a mandatory part of employee onboarding, with education on password security, device safekeeping, and other security protocols. This high-level approach shortchanges the importance of cybersecurity awareness, making information security an IT issue rather than an organization-wide concern.
To create a culture of security risk management and personal accountability, organizations can take advantage of National Cybersecurity Awareness Month to bring cybersecurity concerns to the forefront in a meaningful way. Rather than ticking the box on a PowerPoint refresher highlighting cybersecurity best practices, we have outlined engaging ways to build cybersecurity awareness into your organization’s culture (and took a cue from our own tireless Infosec team).
1. Find Time to Talk About Cybersecurity
Cybersecurity awareness shouldn’t be a one-month affair; there’s always something to talk about.
In 2019, the United States experienced 1,473 data breaches, exposing over 160 million records. Every day, governments, companies, and individuals are being attacked. With the broad adoption of remote work due to COVID-19, cybersecurity has become even more urgent, as the identities and devices of remote workers form a far more permeable “security perimeter”.
Beyond statistics, sharing news and case studies on data breaches can help your employees better understand the need for heightened awareness. Examples that resonate include well-known cases such as the Target or Marriott data breaches, the hacking of Twitter CEO Jack Dorsey’s account in 2019, or the sale of Zoom passwords on the dark web earlier this year.
Extend the discussion beyond what happened and analyze how a similar incident would impact your own organization. What would the same situation cost you in customers, revenue, or goodwill? Could you recover? At what point would the viability of your organization be at risk?
Anchoring meaningful dialogue and ongoing discussion in current events and cybersecurity incidents elevates the importance of awareness and supports a stronger, more proactive risk management culture.
2. Make it Personal
Building better awareness also requires a more personalized approach.
Consider the potential risk and consequences of a breach in the sales department, with its access to confidential client data or proprietary pricing information. Compare that to a breach in human resources, where personnel, health, and salary information is the key asset at risk. These two scenarios have different financial, reputational, and regulatory implications for the organization. By moving the conversation from an organization-wide to a divisional discussion, employees better understand and internalize their role and responsibility in maintaining information security.
Personalizing the conversation around cybersecurity risk management also builds a deeper understanding of the organization’s security philosophy and practices. Discussing specific challenges facing each department and the broader impact on the organization helps to build a firm-wide culture of shared risk management.
3. Challenge Your Employees
As with anything, hands-on engagement is the best way to learn. Gamification and phishing simulations are two ways to enhance information security awareness through active learning.
Security challenges and games build awareness while encouraging behavioral change. Whether the aim is to introduce enhanced security protocols or more secure password practices, challenging employees through team-based competition is a fun way to build personal accountability, collaboration, and a risk management culture in the workplace. An organization-wide social media challenge or checklist, with prizes for adoption or completion, can encourage sound information security practices and generate greater awareness.
Phishing simulations are an effective way to gauge security awareness. Through this exercise, employees are challenged to respond to suspicious activity and practice security protocols in a safe, contained environment. This allows information security professionals to measure the speed and effectiveness of incident response and to assess where revision or further education may be needed.
Cybersecurity awareness is part of everyone’s job. By finding time to talk, personalizing the discussion, and challenging your employees, you build a firm-wide security philosophy while encouraging shared responsibility and personal accountability for your organization’s risk management.