5 Best Practices to Harden Your Human Firewall
Category: Best Practices, Security Awareness Training
November 7, 2018
It’s tempting to picture a perfect security program that ensures your workforce never clicks on a suspicious link or downloads a malicious attachment, but it’s important to remember that security awareness is not an all-or-nothing effort. When building your human firewall through security awareness training, incremental gains are important. Following a few best practices can help you stack your incremental gains and strengthen your human firewall.
We were delighted to speak with featured guest, Forrester senior analyst Nick Hayes about best practices to help build an engaging security awareness program that turns your employees into a proactive component of your security strategy. Here is what we learned.
1. Beyond Awareness, Inspire Action
Don’t just aspire for security awareness. Inspire the behavioral change required to keep your organization safe from security threats.
Inspiring and driving behavioral change requires both ability and motivation from your workforce. As a security practitioner, it is your responsibility to provide the tools and training that enable your workforce to identify and avoid security threats. While ability is the first step towards behavioral change, your workforce must be motivated to turn security best practices into routine action. Even simple gestures such as sharing what interests you about security, incentivizing the right behaviors and celebrating moderate gains can motivate your workforce and inspire behavioral change.
2. Deliver the Right Message the Right Way
What is the right message, when should you send it and through what channels?
Message delivery can be the difference between a successful security awareness campaign and one that fails to engage your workforce. You can’t expect that every email, notification or training reminder will get the attention of your employees and drive the change you intend. Instead, you need to think strategically to not only build the most engaging and relevant content, but to deliver it using the right channels, to the right devices at the right moments. Focus on the frequence of messaging, the relevance of your information and the engagement of your content. By segmenting and monitoring each element of your messaging strategy, you can measure the impact of your message, make adjustments when necessary and ensure your messaging is the driver of your security awareness initiative.
3. Reinforce Your Tone at the Top
Top-down support is important for security awareness success. Communicate your efforts to executives in the most effective way.
Executive support is an important factor in ensuring the long-term success of your security awareness efforts. When presenting security initiatives to executives, think stories before statistics. Describe security scenarios using your colleagues as examples to reinforce the impact of threats and the importance of security awareness. Another useful tactic when presenting your security plan to executives is to align your security goals with your organization’s objectives. When executives see security awareness as a core element of organizational success, it becomes easier to to prioritize and support your program.
4. Mature Your Program With Metrics
Use all data at your disposal to track progress and measure the success of your security awareness efforts.
When running a security awareness campaign, it is important to track training participation, phishing training success and assessment scores. However, you should also strive to go one step further with your program metrics. Can you measure success at both the individual and department level? Can you integrate with third-party applications such as your endpoint protection to attach data points to even more actions? Taking full advantage of your program metrics allows you to become more strategic and tactical with your program while giving you the data to demonstrate value to your organization.
5. Develop a Dynamic Roadmap
Annual, required security awareness training and one-off efforts don’t work. You need a dynamic roadmap to sustain security awareness momentum and behavioral change in the long term.
Long-term behavioral change takes time to take hold. Plan your security awareness program to span at least one year to keep security awareness top of mind and drive lasting behavioral change. While it’s important to think of your security awareness program as a long-term roadmap, it is also important to remain flexible. By building a dynamic roadmap, you can build on the strategies that are working and adjust focus to areas that need improvement.
About Infosec IQ
Infosec IQ integrates phishing simulation and security awareness training in one platform to engage and motivate all learners to care about security, improve their personal security hygiene and report suspicious activity. With a deep library of 1100+ realistic phishing simulations and more than 500 training modules, assessments and support resources, Infosec IQ automatically personalizes learning plans for each individual learner based on their role, security aptitude and learning style.