Yet, when you look at what appears to be industry standard awareness programs, they rely on phishing simulations and monthly computer based training (CBT) modules designed for the general population. More has to be done.
The standard model works if you are checking a box. It does not work when you want to prevent actual incidents.
To improve this situation, you need to understand that just like people have different job functions, they might need role based awareness programs. You cannot expect to provide the same awareness materials to help desk staff that you would factory workers, and expect the results to be acceptable from both groups.
While you don’t have to provide different training and awareness programs for every conceivable role, it is clear that some roles, such as help desk personnel, engineers, IT, customer service representatives, among other high level categorizations, have specific awareness concerns.
To support role-based awareness, the appropriate policies and procedures must be in place. For example, when the Department of Justice criminal called up the help desk for assistance with access, there should have been clear procedures in place to authenticate callers.
As I previously wrote, awareness programs should represent The Department of How, not the department of no. When you tell people what not to do or, even worse, attempt to scare people, you are not instilling good behaviors, but trying to scare people from not doing the wrong thing. Awareness is about creating the right security related behaviors.
Instilling proper behaviors takes consistent education and reinforcement of all relevant topics. While phishing is a major attack vector on the part of malicious actors, you cannot ignore all other awareness concerns, which is apparently what many organizations are doing. Additionally, you cannot rely on a 3 minute video on a topic, once a year at best, and assume that people will significantly improve employee behaviors related to that topic.
The goal for awareness is to cost effectively reduce risk. This means that you save significantly more money by the incidents prevented, or more efficiently mitigated, than the cost that you invest in the program. It also implies that you have to address all vulnerabilities, created by user behaviors.
There is of course a need for phishing simulations and CBT as appropriate. However by themselves, they are no more effective than saying a network security program is satisfied by the presence of a firewall and anti-virus software.
As stated, focusing on the behaviors related to an individual’s role is what will enhance the effectiveness of awareness efforts. I fully understand that CBT and phishing simulations seem like a simple and easy solution to the problem. Unfortunately, the problem is not simple and the solutions will not be simple either.
Sign up for CIO Asia eNewsletters.