Awareness of the XXI century
Lack of cybersecurity awareness is one of the main deficiencies in organizations today, and therefore one of the most important lines of action for security departments, which design and implement training/awareness plans for their employees. But why do we deliver cybersecurity training when what we actually want is to educate the employees of our organization? Do we manage to raise our employees' awareness effectively? To address this problem, S2 Grupo has designed ProtectIT, an innovative, practical and very effective way of raising cybersecurity awareness.
“People are the weakest link in the security chain”.
Yes, we know the theory, and phrases like this have become tiresome. We completely agree, but the harsh reality is that the situation remains almost the same as when we started using that phrase many years ago:
- The perception of risk among management teams is not close enough to reality.
- The employees' level of cybersecurity awareness is generally low, and they are not aware of the role they play in maintaining appropriate levels of security.
A clear sign of these shortcomings, and of the importance of cybersecurity awareness, is the fact that both the National Security Strategy of our country and the European one explicitly include it among their main lines of action:
2013 National Security Strategy:
“Action Line: Culture of cybersecurity. Raise awareness among citizens, professionals and companies of the importance of cybersecurity and the responsible use of new technologies and services of the Information Society”.
Cybersecurity Strategy of the European Union (European Commission, Brussels 2013):
“The Commission invites industry to: Promote cybersecurity awareness at all levels, both in business practices and in the interface with customers. In particular, industry should reflect on ways to make CEOs and Boards more accountable for ensuring cybersecurity”.
Aware of this situation, the security departments of many organizations consider it a top priority to undertake cybersecurity training/awareness projects for their employees, as the basis of their communication strategy in this area.
However, why do we talk about training and awareness as if they were the same thing? Is training the same as raising awareness? Here are some of the meanings that the dictionary gives for both terms:
To train.
- To raise, educate, instruct.
- Said of a person: to fall into a formation, procession, etc.
To raise awareness.
- To make someone aware of something.
- To become aware of something.
As we can see, there is an important difference between awareness and training. When we train, in this case on cybersecurity, we transfer to our staff the knowledge they need to protect the information they handle; that is, the policies and procedures to be applied, and how to apply them.
When we raise awareness, on the other hand, we try to engage and involve employees in protecting the information they manage, through knowledge and application of the established policies and procedures; the main difference is that we do not teach them how it is done.
For example, we raise awareness by showing the need to encrypt the information we manage on removable devices and we train in the use of encryption software in order to carry it out.
But, following the same example, a question arises: if the employee does not understand the need to encrypt a document, the reason why, what good is knowing how the encryption software works, if he will probably never use it?
So, and this is a very common mistake, why do we deliver cybersecurity training when what we actually want is to raise awareness among employees? Is it appropriate to talk about training and awareness plans?
In my opinion it is, as long as we distinguish between the two and recognize that, without prior awareness, training is not as effective as we would wish. But if the employee first understands the need for a particular security measure, the logic behind it, its application will be much more effective.
Having identified the solution, the problem we face is that raising employee awareness of cybersecurity is not a trivial task; industry professionals have been trying to do it for years with limited success, judging by the results.
The “traditional” awareness
We are used to the “traditional” cybersecurity awareness delivered in organizations having very little effect on employees, who see security measures as an obstacle to the proper performance of their duties. In many cases, cybersecurity is a headache, and employees maintain a negative attitude or, at best, indifference towards it:
“What do I care if they know my password?”, “Who will want to see the information I handle?”, “That can’t happen to me”, “I have everything under control.”
We cannot blame them. If employees do not see the relationship between the messages they receive and their daily work, it is difficult for them to see cybersecurity as something positive.
ProtectIT, an innovative strategy
To address this problem, at S2 Grupo we have designed a cybersecurity awareness strategy that is innovative, practical and highly effective: protectIT.
Through protectIT, we have conducted classroom sessions for more than 20 Steering Committees of large companies and for more than 10,000 employees, and we have designed specific online awareness actions for the staff of more than 15 companies, in all cases with excellent results, as shown by surveys and subsequent actions.
The aim of protectIT is to get an effective security culture within organizations, increasing the overall level of cybersecurity and reducing the risk of incidents related directly with one of the key components in this matter: people. All this through an innovative project of awareness and information that promotes collective knowledge.
ProtectIT centers its focus on raising awareness among people and their environment, not through traditional and generally ineffective awareness actions, but through an original, powerful and novel strategy to bring the culture of cybersecurity into the organization.
ProtectIT does not focus on raising awareness among employees, but among the people who work in the organization. Although it may seem the same, it is not.
The approach adopted by protectIT is the one used by other awareness campaigns of renowned success, such as those run by the General Directorate of Traffic to prevent accidents, which lead the person observing the situation to identify instantly with the bad practice shown and its consequences. The conclusion is simple: that could be me.
In the same vein, the ProtectIT approach presents shocking but everyday situations to the person, seeking to draw attention to risky behaviors, their consequences and the influence they have on cybersecurity.
This impact gets people to see themselves reflected in their daily routines and to become aware of the importance of protecting the information they handle, “that could happen to me”, not from a technical standpoint, but through the adoption of safe behavior patterns in the digital realm.
Through different scenes, “real cases of abuse” in the use of ICT are staged and analyzed, along with their consequences, which apply not only to the professional environment but also to the personal one. This double vision allows us to go beyond the corporate environment and makes the audience feel emotionally involved; it combines the emotional with the rational, which ensures that the person becomes truly aware of the risks and of the need to avoid them.
But making an impact does not mean scaring. If the person has the feeling that the situation described has no solution, that they are defenseless against the hazards described, not only will the goal not have been achieved, but a climate of indifference towards cybersecurity information will be generated: “if I cannot do anything, why bother?”
To avoid this, ProtectIT acts on two levels. On the first, it conveys to people, in simple, non-technical language, the risks arising from the unsafe use of technology in general and from information management in particular. On the second, it shows how, by following a set of simple guidelines at a personal level and applying the existing controls in the professional field, they can protect themselves without major complications.
We must not forget, however, that the working procedures and the type of information that the staff of an organization handle depend heavily on their roles and responsibilities, so that the risks associated with each role are sometimes different or have a different relevance. For this reason, ProtectIT proposes specific awareness actions, adapting the scenes very closely to the particular circumstances of each group:
- Executive staff.
- Staff in charge of the management of systems and networks.
- Operating personnel of critical infrastructures.
- Employees of banks.
The only reliable way to measure the effectiveness of a cybersecurity awareness initiative is to perform simulations, and that is how ProtectIT approaches it. Nevertheless, there is one indicator common to all the organizations that have carried out ProtectIT: without exception, employees end up being the ones requesting the implementation of security measures.
Imagine that employees of your organization not only stop seeing security as a headache but even request information, training and protective measures for the information they handle.