Introduction
All organisations today rely heavily on the internet, information systems, communications systems and business collaboration, and invest significantly in these resources to compete in today’s global marketplace. This investment, however, exposes organisations to risks and threats that can result in major losses of finances, intellectual property, customers and reputation.
To protect against these risks and threats, organisations often rely on security technologies.
Technology, people and process are the three core components necessary to address the increasing amount of risk associated with physical and cyber security. Unfortunately, technology alone isn’t the answer to addressing security within the organisation. Technology and processes can usually stop around 95% of the threats. That still leaves 5% of attacks coming into your organisation through your people. People are responsible for more security breaches than the other two combined. More than 50% of all breaches are because of human error or other insider threats.
Now, we all know that Security Awareness Training is the solution to this. Run a computer-based course once per year with your staff and all your problems are fixed. Right? – Wrong.
Security awareness training, whether it is run once a year to tick a compliance box or run continuously throughout the year, only addresses one small section of the problem.
When most people accidentally click a phishing email, what is the first thing they do? They delete it. They are trying to hide the problem, but this is the worst thing that they can do. The malware is now given time to do the damage that it was intended to do.
What we really want is to address how people behave and the culture that they work in.
We need to look at how people behave and how they respond to certain circumstances, stimuli and situations. Knowledge / awareness alone won’t change an organisation’s risk profile. Just because someone has knowledge doesn’t mean that they will do the right thing. If their attitude is wrong, or the corporate culture is bad, then their behaviour will be in conflict with their knowledge. A change in behaviour is the only tangible way to address this component of security risk.
Behavioural change follows a chain: knowledge shapes attitude, attitude is shaped in turn by corporate culture, and together they drive behaviour.
What is even more important is that, with knowledge / awareness alone, there is no way to measure the success of the campaign.
How can you measure your security awareness training program’s return on investment when you have no metrics against how people react, respond, think, or feel?
To truly address the people component of security, measurements against attitude, behaviour, culture, and knowledge need to be made.
Until we all take Security Behavioural Programs seriously, with continuous measurement, refocusing, attitudinal encouragement and a focus on positive, culture-based behaviour, human beings will continue to represent a significant component of security breaches.
It is important that Board and executive management are well-informed regarding cyber security risks and their organisation’s preparedness to prevent, detect and respond.
To assist you in reducing your risk of security breaches, Layer 8 Security has developed a comprehensive framework utilising advanced methodologies, tools and systems to provide a security knowledge, attitude and behaviour “awareness” program. As a component of the program, Layer 8 Security implements this security program in accordance with NIST and ISO27001 requirements.
Overview
This overview should hopefully assist your organisation to better understand how to address the need to reduce the impact of human error.
This framework is based upon an enormous amount of research, and many discussions with government and corporate organisations ranging from 10 staff to 10,000 staff over the past 6 years.
We have built the framework as a complete, fully managed service, removing one of the great limiting factors identified in a recent SANS Institute report: the need for internal staff to manage such a program.
The program encompasses establishing a baseline via a baseline assessment, with phishing, spear phishing, whaling and SMS simulated attacks used as teaching moments. To start the behaviour-change journey, the output of the baseline is used to focus staff and departments on key areas of need, supported by tailored panel and board discussions, induction courses, and tailored training courses run continuously so as not to impact staff time and availability. Reinforcement materials are incorporated, as well as continuous assessment and testing, and finally a comprehensive ROI analysis of the success of the program.
Baseline
This effectively allows us to undertake a Gap Analysis of your people: what they know, their average attitude towards security, how your current culture impacts their attitude and finally, their behaviour and how they respond to situations. This baseline / Gap Analysis allows us to start to measure the maturity of your staff and the success of the program. Attitudinal factors can be influenced by immediate changes in short-term situations, but these are not often long-term influencers.
- Initial knowledge, attitude, culture and behaviour analysis
- Simulated phishing program encompassing bespoke email phishing, spear phishing, whaling and SMS simulated attacks
- Simulated USB drive attacks
- Simulated social engineering attacks
- Analysis of previous issues relating to human error
- Reporting of the results against NIST and ISO27001 best practices
- Identification of individual and departmental specific requirements
- Planning for addressing the training component
Educate
This process starts with an exciting and engaging interactive session with your staff to help them understand what the program is all about and why they should actively take a proactive approach to cyber security awareness. We also undertake executive and board level engagement to ensure that there is not only executive buy-in to the program, but also a good understanding of their responsibilities and the consequences of their actions.
We then work to maximise learning and retention with a broad set of focused interactive training modules. Ongoing modules are designed not to impact staff members’ busy workload or home life. Short assessments are undertaken on the training modules two days after completion of the course, to ensure that staff actively remember the content of the training.
To further enhance the experience, this is then followed up with regular face to face engagements to discuss security and to update them on their progress and any new attack vectors being encountered around the world.
- Instructor-led discussion groups for staff. These sessions are expected to comprise 1-hour sessions of interactive presentations and discussions.
- Fully managed security training portal which provides course packages that are SCORM compliant and can be utilised from any standard LMS.
- Induction training incorporating simplified security awareness training as well as interactive instructor-led sessions.
- Staff team building and encouragement sessions to increase communication and the willingness toward openness and collaboration.
Reinforce
Reminding your employees about best practices is essential and can be undertaken by bringing messaging into the workplace and providing methods for them to report suspicious activity, providing positive feedback for each reporting instance.
- Screensavers, wallpapers, games, animated videos, posters if required, monthly articles and updates, and other reinforcement materials.
These items are configured to exactly fit your corporate standards and culture.
Ascertainment
To further assist our customers, we also offer a service to measure the success of your program. This service is best combined with our Baseline service, which provides a strong measurement of the success of your program.
To ensure the success of your program, measurement of the success of the participants needs to be undertaken and compared to the results from the baseline assessment done earlier. Just looking at the quantity of help desk tickets is unlikely to provide any insight into the success of the awareness training program. We often find that after the program, the quantity of tickets addressed via the help desk increases as the employees are now more aware of what to look for and hence, what they report to the help desk.
The assessment needs to address such issues as the severity of the help desk tickets, remediation times, how easily employees are fooled by new simulated attacks, a comprehensive analysis survey, as well as the quantity and quality of issues reported to the help desk.
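The measurement approach described above can be made concrete. The following Python is an added example, not part of the Layer 8 Security program or its platform: it computes the kind of metrics this section calls for over constructed sample data (a baseline simulated-phishing exercise and its help-desk tickets against a post-program set) and shows why a rising ticket count alone says nothing about success. The field names, the 1 to 4 severity scale and every value are assumptions made for the illustration.

```python
"""Compare a post-program assessment against its baseline on the metrics that matter:
click rate, report rate, time to report, and the severity/remediation profile of
help-desk tickets rather than their raw count. All data below is constructed."""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in a simulated phishing exercise (constructed schema)."""
    clicked: bool
    reported: bool
    minutes_to_report: Optional[int]  # None when the recipient did not report


@dataclass(frozen=True)
class Ticket:
    """One help-desk ticket; severity 1 (low) to 4 (critical) is an assumed scale."""
    severity: int
    remediation_hours: float


def simulation_metrics(results):
    """Click rate, report rate and median minutes-to-report for one exercise."""
    n = len(results)
    clicked = sum(r.clicked for r in results)
    reported = sum(r.reported for r in results)
    times = [r.minutes_to_report for r in results if r.reported]
    return {
        "recipients": n,
        "click_rate": round(clicked / n, 3),
        "report_rate": round(reported / n, 3),
        "median_minutes_to_report": median(times) if times else None,
    }


def ticket_metrics(tickets):
    """Raw count beside severity-weighted load and mean remediation time."""
    n = len(tickets)
    weighted = sum(t.severity for t in tickets)
    hours = sum(t.remediation_hours for t in tickets)
    return {
        "ticket_count": n,
        "severity_weighted": weighted,
        "mean_severity": round(weighted / n, 2) if n else 0.0,
        "mean_remediation_hours": round(hours / n, 1) if n else 0.0,
    }


def relative_change(baseline, current):
    """Fractional change per numeric metric; a fall in click rate, severity or
    remediation time is an improvement, a rise in report rate is an improvement."""
    out = {}
    for key, b in baseline.items():
        c = current[key]
        if isinstance(b, (int, float)) and b:
            out[key] = round((c - b) / b, 3)
    return out


# Constructed baseline: 10 recipients, 4 clicked, 2 reported hours later;
# the three incidents that followed were high severity and slow to remediate.
BASELINE_SIM = [SimResult(True, False, None)] * 4 + [SimResult(False, False, None)] * 4 + [
    SimResult(False, True, 240), SimResult(False, True, 480)]
BASELINE_TICKETS = [Ticket(4, 48.0), Ticket(3, 24.0), Ticket(4, 72.0)]

# Constructed post-program data: 1 click, 6 prompt reports; twice as many tickets,
# but they are low-severity reports closed quickly.
CURRENT_SIM = [SimResult(True, False, None)] + [SimResult(False, False, None)] * 3 + [
    SimResult(False, True, m) for m in (5, 12, 20, 30, 45, 90)]
CURRENT_TICKETS = [Ticket(1, 2.0), Ticket(1, 1.0), Ticket(2, 4.0),
                   Ticket(1, 2.0), Ticket(1, 1.0), Ticket(2, 3.0)]


def program_report():
    """Full before/after picture for the two constructed assessments."""
    sim_b, sim_c = simulation_metrics(BASELINE_SIM), simulation_metrics(CURRENT_SIM)
    tic_b, tic_c = ticket_metrics(BASELINE_TICKETS), ticket_metrics(CURRENT_TICKETS)
    return {
        "simulation": {"baseline": sim_b, "current": sim_c,
                       "change": relative_change(sim_b, sim_c)},
        "helpdesk": {"baseline": tic_b, "current": tic_c,
                     "change": relative_change(tic_b, tic_c)},
    }


if __name__ == "__main__":
    for area, data in program_report().items():
        print(area)
        for k, v in data["change"].items():
            print(f"  {k:28s} {v:+.1%}")
```

On this data the help-desk ticket count doubles (+100%), which read in isolation looks like a worsening, while the severity-weighted load, mean remediation time, click rate and median time-to-report all fall and the report rate triples. That is the pattern the paragraph above describes, and it is why the comparison has to be made against the baseline on these dimensions rather than on volume.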
Our Platform’s detailed reporting provides insight into each assessment and education component you choose to include in your security program.
As users are completing their training assignments, we can monitor the results and look back over the data that was gathered throughout the assessment and training steps. You’ll be able to review employees’ interactions with the Security Knowledge, Attitude and Behaviour Risk Profiler, Phishing, Smishing, Social-Attack and/or Drive-By assessments; and our interactive training modules. You’ll have access to detailed information about who completed which assignments, who fell for specific simulated attacks, which concepts employees understand well, how your culture is impacting their attitude, topic areas of weakness, and improvements over time and finally the change in behaviour and the impact that is having on reducing your risk.
At any point in the cycle, we can provide reports as a summary of results to managers, human resources, executives, and any other interested parties.
- Baseline and Risk report
- Gap Analysis
- Planning for education
- Progression reports
- Induction reports
- Ascertainment reports