Richard Pain: What advice can you give on changing user behaviour in the most effective way possible?
Steven Sim: Users want instant gratification when it comes to using IT, and phishing simulation exercises can be a good way to counter this. Users who click on the mock phishing emails can be redirected to an educational page where they are immediately taught how to look out for such features.
When sharing cybersecurity best practices, one should be making greater use of the carrot rather than the stick approach. For example, when people identify a phishing email and escalate it to the incident response team, they should be encouraged. This positive reinforcement definitely helps.
Take the time to showcase what a particular cyberattack can actually do to your systems. As mentioned, we do this through live and recorded webcasts, as well as face-to-face demonstrations. However, for a large organisation it can be difficult to reach everybody, which is why we also make use of IT security champions.
Richard Pain: Who are these IT security champions and what is their role?
Steven Sim: Our IT security champions are not traditional IT staff; they are people who currently work in a particular department, often at the manager or senior manager level. Their role is to disseminate cybersecurity best practices to their immediate colleagues, and if we ever need to investigate suspected breaches, they will facilitate the process.
This has proven especially useful when dealing with staff who, from their perspective, think that IT security measures demand additional time and effort in their work. So what we did was to have frequent meetings with the IT security champions to bridge the gap, given that these champions understand the issue from both perspectives and as a result are more effective at conveying and embedding proper cybersecurity practices.
Some champions are very proactive and share security concerns, so when they see something suspicious, they report it. It comes back to mindset; this is the most important thing. If you approach security without the right mindset, you're just going through the motions and it's not going to be effective.
To support this model, we organise annual cybersecurity events where we present our IT security champions with certificates or tokens of appreciation and celebrate their roles and contributions across the entire organisation.
Ultimately, if people don't believe in IT security, they won't put their heart into it. Security must be something that they believe in, so they'll do it well, and this approach of promoting cybersecurity from strategic to operational levels is one way of doing this.
Richard Pain: What are your recommendations when trying to push the importance of IT security to other senior executives?