5 Steps to Building a Cyber-Aware Staff
Category: Best practices, Security awareness
October 10, 2018
Virtually every organization faces cybersecurity threats carrying significant financial, legal and reputational consequences. The bad news is that many of these threats cannot be detected, let alone prevented, by even the best IT professionals and technical controls. The good news is that this doesn’t mean you have zero options for keeping your organization safe from cyber attacks. It only means you can’t do it alone.
Preventing cybersecurity attacks at your organization takes more than technical efforts. It requires a cyber-aware staff and a culture of security awareness to keep your organization safe. The biggest question is: How can you build a cyber-aware staff?
We recently explored this question with Pete Just, CTO of Metropolitan School District of Wayne Township in Indiana, to learn his five-step process for building a cyber-aware staff. Here’s what we learned.
Step 1: Do IT Right
Before building security awareness into the culture of your organization, you must lay the IT groundwork. Focus on reducing risk exposure, meeting compliance standards and installing the technical controls to set your staff up for success.
Why does it matter?
You rely on your staff to take cybersecurity seriously and engage in your security awareness program, but your staff relies on you to implement the security infrastructure that helps them succeed. Think about your risks, your needs and the obstacles to achieving your goals, and match your IT controls accordingly.
Step 2: Get Buy-In
You know how important cybersecurity awareness is and so should the leaders of your organization. Getting buy-in from leaders within your organization will help you capture the cross-departmental support you need to make security awareness part of your organization’s culture.
How can you do it?
Involve more than just your IT team when planning your security awareness program. Make sure all leaders understand your goals and ask for suggestions. By including leaders throughout the organization, you can build a security awareness campaign that works for everyone and recruit ambassadors for your program along the way.
Step 3: Personalize Learning Paths
Everyone learns through different methods, at different paces and from different starting points. The only way to make security awareness stick is to personalize training to each employee’s role and security aptitude. This allows you to identify individual knowledge gaps and educate staff accordingly.
What works best?
The best way to personalize learning paths is to construct a one-to-one campaign including security awareness training, phishing simulations and individual assessments. By using these tools in a personalized campaign, you can measure the security aptitude of each employee and automatically tailor training to address their knowledge gaps. You can use this same data to gauge the effectiveness of your security awareness training program over time.
Step 4: Engage Staff & Empower Mentors
Recruiting and training security champions is an effective way to create a culture of security at your organization. Security champions act as ambassadors of your training program and can have greater success influencing the behavior of their peers than management or computer-based training alone.
What’s the best strategy?
Find people outside of the IT department who are excited about security. These are staff members who quickly adopt security best practices and can serve as a technical resource for their coworkers outside of your IT team. You can even incentivize training for security champions to build an even stronger network of peer influencers.
Step 5: Promote & Measure
A successful awareness training program starts with an engaged staff. Engage the entire organization in training — from the summer intern to the CEO. Promote your security awareness efforts, measure the success of your campaign and turn security awareness into a team effort.
What can you do?
Hang posters to reinforce security awareness training, display leaderboards to promote friendly competition or even run contests to reward the most engaged or most improved members of your organization.
Building a secure infrastructure requires a cyber-aware staff prepared to handle threats that slip through your technical controls. At Infosec, we know it can be challenging to address the human element of cybersecurity. That’s why we built Infosec IQ, a solution designed to engage and motivate all learners to care about cybersecurity, improve their security habits and report suspicious activity. Infosec IQ integrates phishing simulations with interactive security awareness training to deliver security coaching personalized to each employee’s role, security aptitude and learning style.