Cybersecurity awareness: The maturity journey

Mike Ouwerkerk of Web Safe Staff

It’s becoming increasingly obvious that in order to mitigate cyber security risk, companies need to train their staff in how to identify and respond to IT threats. When over 90% of IT breaches are via staff, it would be prudent to accept this as major risk.

In its simplest form, there are three stages in the cyber security awareness maturity model:

1. Compliance
   • Do some awareness training
   • Don’t focus too much on results, we just need to say we did something
   • Do it again in a year
2. Awareness & Behaviour
   • Who needs training and for what?
   • Create positive and engaging content
   • Get people onboard
   • Formalise some roles, keep reminding people, and make sure it’s working
3. Culture Change
   • Get people to have a security first mindset, and understand why they are so important
   • Fully resourced program, with management being seen to champion the cause
   • Engaging ongoing initiatives, supported by internal staff (ambassadors)
   • Measurable, and producing cost-saving results

Of course, it’s ideal if you can build an amazing security first culture with highly skilled staff as your main defence, and the results should pay for themselves many times over. Here’s some pointers on how you can get started:

Realise: Staff are your biggest target for IT criminals, and they are also your greatest asset in waiting. Use them wisely to achieve amazing results.

Human Error: For so long we’ve been told that staff being tricked by cyber criminals is human error. It’s not. If your staff have not been educated in cyber scams, how can they avoid being tricked? Remember - you don’t start a program of change by telling people they are the problem. You start it by telling them they are the solution!

Change Management: Get people along for the ride. Get them excited about what’s coming up, tell them how it will keep them and their family safer at home. Their money, their identity, their bank accounts, their kids online. What they apply at home, they will apply at work.

Perceptions: People think that IT criminals are hooded characters trying to hack firewalls. The reality is that largely they are normal people who are good at tricking people! It’s vital that staff understand that they are the primary target, at home and in the office.

Management Mindset: People will make mistakes, but you must nurture and encourage them. Hit them over the head with a book one time for making a mistake, and you’ve lost them. Praise them for asking for help or reporting being tricked, and they will continue to fight the fight, and you’ve effectively identified your weak spots and can help them to improve further.

Champions: Change should flow top down, so get management onboard, and attending training initiatives. Build a team of staff who can act as ‘go to’ resources for when people have questions. Live it, breathe it!

The most important thing however is just getting started. There are plenty of free resources available to at least get started on the maturity journey, and as you identify what works and doesn’t work for your company, you can tailor your program for better results over time.

Read full article via the Risk Management Bulletin. For more information, contact us below.