Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.
As October comes to a close, so too does National Cybersecurity Awareness Month. But not so fast – security awareness isn’t just about October. It runs all year long, it never stops, and it’s ever evolving.
I developed this four-part blog series during Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2. Last week focused on the alignment of the security awareness function within the organization. This week we’ll wrap up the series with some key findings published in the 2018 ISC2 Workforce Study. According to the report, lack of focus on security awareness is the top challenge for ensuring long-term security awareness program success¹.
Figures 1 (left) and 2 (right). Image source: https://www.isc2.org/-/media/7CC1598DE430469195F81017658B15D0.ashx
5 Ways to Bring Focus to Security Awareness Programs
As noted in the charts above, there are several reasons, all with fairly equal representation, as to why security awareness programs lack focus. I’m going to break down each of these reasons and explain how you can overcome that hurdle to bring more focus to your awareness programs.
- Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups. While some programs start by training a few key groups to benchmark results, it’s important to get buy-in to enroll the entire organization, so that ongoing training builds resilience to attacks across all teams.
- Not enough skilled cybersecurity professionals available. The report cited that end users – people – can lead to more security vulnerabilities², so it’s no surprise to see that the security awareness function sits at the top of the chart as a much-needed area of expertise. Many organizations still assign this as a part-time job function alongside other security hats to wear, which prevents focus. Instead, have a dedicated security awareness lead run the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
- Inadequate funding. Security awareness is a necessary and essential component of a larger threat defense strategy and needs to be a budget priority in order to begin reducing your organization’s cybersecurity risk and building resiliency to today’s top threats. At some point, perimeter technologies will fail to stop a phishing attempt, and it’s up to resilient, trained humans to recognize and report suspicious emails. That last line of defense is an area worth investing in.
- Too much data to analyze. As more and more humans are enrolled and participating in security awareness programs, that also means more data points to digest and analyze on the state of threat susceptibility, resilience, program participation and success. Identify and prioritize the key data sets needed to demonstrate the security posture of the organization and collaborate with security teams to report and analyze program trends to reflect changes in that security posture. This may include your organization’s phishing resilience and reporting rates, for example, compared with inflated metrics such as click rates or susceptibility rates.
- Lack of management support/awareness. This is often one of the biggest hurdles preventing a security awareness program from reaching its full potential and scope. Having management understand the necessity of security awareness as a foundational component of a strong threat defense strategy is key. One idea is to run a phishing simulation trial with key management members to understand how susceptible the organization is from the top down. Once management realizes how easy it is for a phishing email to replicate a real one, there might be more awareness and inclination to engage in security awareness practices than before.
You’ve Launched a Successful Security Awareness Program – How Do You Keep It Successful?
Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing, so your security awareness program needs to be nimble and fluid to mitigate those evolving threat vectors. Behavior improvements are ongoing, and your security awareness programs should be too.
Organizations are constantly under attack as threat actors continue to find ways to get past an organization’s technical defenses, such as perimeter technologies and email gateways.
How do you keep your program aligned with the current threats? Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying whether it affects the organization and what impact it has. Download the latest white paper on cybersecurity or the threat landscape. Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends. Another great resource is setting up Google Alerts for keywords: phish email, data breach, malware, cyberattack, cybersecurity, Cofense, awareness training, threat intelligence.
Jumpstart Your Efforts Today with Free Security Awareness Resources
Remember that building a program takes time to evolve and mature. Recognize small wins for the organization and continue to move forward to mature the program. Just as the threats are never ending, so too is the security awareness function.
As you set your priorities for the program, don’t forget that Cofense provides a wealth of training modules for free, including specific topics and compliance modules to meet your regulation requirements. If you’re just getting started on building your security awareness program and you’re on a shoestring budget, there are plenty of free security awareness resources available to you, including a turn-key security awareness program kit, posters, presentations and other resources to get you started. Another great place to get access to free resources is the National Cybersecurity Alliance at https://staysafeonline.org/resources/. There are also plenty of resources that your employees can share with their friends and family, especially in this remote work environment.
¹Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018