At the Security Awareness Summit this August in San Francisco, a video clip was shown that highlights the need to develop holistic security awareness. The segment showed an employee being interviewed as a subject matter expert in his office cubicle. Unfortunately, all his usernames and passwords were on sticky notes behind him, facing the camera and audience for all to see.
I bring this story up not to pick on this poor chap but to highlight the fact that security awareness is about human behavior, first and foremost. Understand that point and you are well on your way to building a more secure culture and organization.
My work as director of the Security Awareness Training program at the SANS Institute affords me a view across hundreds of organizations and hundreds of thousands of employees trying to build a more secure workforce and society. As we near the end of this year's National Cyber Security Awareness Month, here are two tips to incorporate robust security awareness training into your organization and daily work.
1. Focus the Training
Changing behavior is hard. But security awareness training shouldn't be. Most training is simply too hard for many users, and "too hard" has many definitions: too long, too much, too often, too boring, too many behaviors. In general, many organizations fall into cognitive overload: dumping so much on employees that they simply forget it all. Sound familiar? There is a better way. Keep the training short and sweet and focused on what will really mitigate your risks. Avoid cognitive overload by taking the time up front to ensure engagement and relevance.
2. Manage the Top Three
To build a mature security awareness program, you need to identify your top human risks and focus on them. Too often, organizations attempt to eliminate all human risk by covering too many topics. As a result, employees are bombarded with a haphazard list of behaviors they must follow and too many messages, which again produces cognitive overload.
Often the hardest part of awareness is not determining what to train on, but determining what to cut and not include. One key step is to conduct a human risk assessment for your organization. When I look across the more than a thousand clients we work with and the results of this year's Verizon Database Investigations Report (where over half of the breaches in 2015 were human factor-related), three big human risks emerge.
These top three are a good start, but what's important is managing the risk presented by humans in and around your organization, so take the time to understand what matters for your company and create your own top three.