Breathe life into your cyber security campaign
How to make users sit up and listen
Ah, another day, another government initiative designed to educate users about cyber risk.
The Canadian government has declared October “Get Cyber Safe” month. It has a web site, too, which advises users on how to avoid getting pwned. The advice list includes updating your malware signatures and not giving out your password.
How effective are these nationwide cyber awareness campaigns? And, by inference, how effective might a cyber security campaign for corporate employees be?
After all, technology is never enough to secure an organisation. Smart, alert staff are important too. And unless you can measure how successful a campaign is, it is difficult to justify investing in one.
Unfortunately, it is difficult to know how effective these things are. In May, the Australian Communications and Media Authority published an overview of international cyber security awareness-raising initiatives. It found that there are not many evaluations and no one seems to know whether they work or not.
Just a phase
In its draft National Initiative for Cybersecurity Education, published in August, the US National Institute of Standards and Technology divides cyber security awareness into several broad phases: creating awareness, understanding the technical and social aspects, and accepting personal responsibility (security is not simply someone else’s problem).
Organisations evolve from there into acquiring protection tools and knowledge, implementing tools and techniques, and finally maintaining what they have already done through constant knowledge updates.
The Australian report too provides some useful guidelines. It advises cyber security awareness organisers to provide training in specific skills and to include interactive instructional techniques.
Users should be given practical activities and tasks to hammer home the lessons, rather than being taught dry theory that will quickly be forgotten.
The best campaigns also include a reporting function that allows users to report cyber security risks, says the report. And it advises organisers to offer a mix of long-term education and short, specific micro-campaigns.
Culture clash
What might these things look like in practice? We are going to have to use the C-word: culture. If I hear a vendor talk about the “culture of security” one more time, I’ll spit – but it has become a cliché because it is true.
Building cultures is a tricky thing to do because it involves getting everyone behind a single vision. It is hard enough to get people to agree on where to go for lunch, let alone on something as yawn-worthy as a security awareness campaign.
But recent developments in the IT economy might provide the answer.
“Gamification” applies gaming elements to a corporate environment. The point where games and social networks meet turns out to be a pivotal one.
When a company like Zynga (of Farmville fame) files for a $1bn IPO on $850m in annual revenue after three years’ existence, you know that the concept that it is touting has legs.
The social gaming concepts that companies like Zynga promote could tie practical elements, reporting and monitoring into security awareness campaigns.
All play and no work
Gaming elements such as reward badges, leader boards and progress bars could all be linked to security campaigns. Completing small tasks such as changing your password (and keeping it strong) could earn you points.
How committed are you to avoiding social engineering? Maybe a stooge caller trying to get employees to circumvent company procedures could earn them badges if they stick to the plan. Or mobile workers could be rewarded for connecting their managed laptops to the virtual private network for scheduled patching and maintenance.
Gamification can help keep security at the forefront of employees’ minds and encourage a cultural shift. How effective it can be depends on how imaginative you are, but capitalising on employees’ willingness to play and compete has to be a more effective way to encourage responsible behaviour than simply waving a handbook and wagging a finger.
In the second world war, we had posters proclaiming that “Careless talk costs lives” and radio broadcasts warning people of security dangers. Now we have social media and computer games, which would have amazed our grandparents, to perform the same task. ®
COMMENTS
On the other hand, a 50-buck (or 50-quid) gift card might get some positive attention.
Glaring omission
Ok, so, security is hard because it has this reputation for being cumbersome and hopelessly in the way. Stands to reason because it's long been just shoveled in and indeed, been hopelessly in the way. Essentially, that's attempting to secure things by unspecific blanket because the techies already know there's sensitive data in them thar servers and let's not lose it, hmkay. So why not start there? Actually, there's an even better place to start.
That is to sit down and do a bit of DR Q&A*. Things like "what would happen if $info got copied and sold to the highest bidding competition?" What really are the most important assets that you don't want to lose, don't want to see others hare off with? That's a wonderful focus on securing right there. You'll get a much better response if people know when to care and when they're allowed to slack off a little. Much less tiring that way.
Then get down to practicalities. And I don't mean so much to map who can have what access. While a good idea in theory, it moves too fast in practice to set in stone. And it's the disconnect between what security forces people to do and their expectation of being able to get their work done that is where it bites.
So things like easy handing out of access to those that need it are pretty important. The rub lies in making sure that the ability to map access matches the burden of responsibility. If bosses want to do stupid things, well, that's up to them. Just make sure it's documented who did it. Make it easy to hand out, and natural to take back, and not just upon termination. Make sure that people that do the handing out of access understand what it means and that it's their rep on the line in trusting whomever they're handing the access to. Make sure the ability to do it, the understanding of the implications, and the responsibility for it all coincide.
Then work hard to integrate security to be a natural part of the workflow. About as much effort as unlocking a door, going through, and locking it again, is reasonable for most casual use. Some things need to be streamlined, other things might be justified in being more trouble. There, too, careful arrangement can make a lot of difference.
Now look at what sort of hoops traditional IT "securing" expects people to jump through. That gap, right there, is the chasm to overcome. All the rest is fluff, bells and whistles, nice ideas but not enough. Understand just what it is you're trying to secure first, and that really isn't a technical thing.
* For the rest of us: Play what if... with various disastrous things and what that'd do to the company. That sort of thing you need to know anyway, might as well exploit it for security streamlining and saving some costs by not securing that which doesn't need securing.
Plus ça change...
That's not quite the what-if I had in mind. You're thinking what to do to the users here, and the result isn't very workable. So that's wishful thinking. What would be more productive is to integrate DR and security in such a way that data leaks and such become quantifiable risks to the business. That is, find the pieces of information that would be the most damaging if leaked/lost/whatever, and secure those. Then make it as easy as need be to work with that information in a secure fashion, and make it hard to work with it otherwise. Only then should you try and blame users for not doing the easy and right thing but instead doing the damaging to the company thing that is now self-evidently stupid and actually hard to do. Then getting the sack is fully justified. Without that, it isn't, and you're landing the company in a quagmire of unfair dismissal litigation and other nasties.
For strict to work it has to be fair, too.