3 Pillars for Security Awareness Success


“Are your staff going to be your greatest risk, or your greatest assets?”

That was the question posed by Damian Grace, General Manager of Phriendly Phishing – the comprehensive email security awareness program developed by Shearwater Solutions.

The modus operandi of those intent on harming your organisation has changed.

With the focus shifting away from hacking into networks or web applications, principally because of significant advances in cybersecurity over recent years, human error is now the soft underbelly of many organisations.

Recently we’ve witnessed a marked uptick in email phishing, ransomware and malware, all designed to trick your staff into opening the wrong attachment or clicking the wrong link. Never have people been so under attack as they are now, with cyber-attacks ramping up across the board.

All it takes is one mistake for attackers intent on stealing your confidential data to compromise your computer systems.

The impact on any organisation can be devastating – which is why every organisation requires a security awareness culture.

Only by inculcating your staff with a deep understanding of the threat profiles your organisation faces, and crucially, the role they need to play in mitigating those threats, will you begin to ensure your protection.


Change starts from the TOP

As an IT Manager, CTO or CISO, it’s imperative you persuade upper management to embrace a change in corporate culture. To achieve that, you need to understand what it takes to become an influencer within your organisation.

We know change is never easy. Especially the sort of long-lasting change that’s required to cultivate a security awareness culture. Grace likens it to pushing a big rock. At first the challenge seems insurmountable. But once you begin pushing and momentum builds, the task becomes easier.

While many stakeholders may initially be reluctant to embrace the sort of behavioural adjustment required to achieve a more robust cybersecurity posture, the task will be made easier if everyone involved understands the context.

Your entire staff, from top to bottom, needs to understand the reasoning behind the changes you’re seeking to implement and why it’s of critical importance to the organisation.

That’s why your most important initial task is to get upper management embracing your initiatives and leading the way.


Assess your current Learning Culture

Begin with a frank assessment of the learning culture currently existing in your organisation.

Even before commencing, existing attitudes give a good indication of how successful your attempts at cultural change are likely to be. Our experience with Phriendly Phishing shows that non-mandatory training completion rates vary dramatically with the learning culture that exists within an organisation.

TYPICAL NON-MANDATORY COMPLETION RATES BY LEARNING CULTURE

Learning Culture      Completion Rate
Low or No Interest    40%
Indifferent           55-70%
Highly Engaged        80%+

If there is little to no interest in learning and acquiring new skills, unfortunately your task will be challenging. Luckily, among respondents to our poll, only 4% reported having a “no interest” culture.

By contrast, if your staff tend to be highly engaged and eager to expand their knowledge and embrace new strategies, your task will be much easier. With 27% of our poll respondents reporting a highly engaged workforce, that's definitely good news.

However, by far the largest cohort of our poll respondents, in excess of two thirds, report an indifferent culture when it comes to change. This indicates a workforce that will embrace change if required, but doesn't seek it out otherwise. While you will experience challenges changing the culture in such an organisation, you shouldn't expect much intransigence or resistance. With a bit of effort, you should be able to achieve the results you want.

[Poll 1 results chart]

Whether your workplace shows no interest, is highly engaged or indifferent to learning, none of this is set in stone. With the right leadership, spearheaded by senior management, everything can change for the better.


Three Pillars to Create Strong Foundational Change

When considering how you can best enhance cybersecurity awareness in your organisation, it helps to focus on the following three pillars to ensure the new culture you’re cultivating is built on strong foundations:

Pillar 1: LEAD
Be a route or means of access to a particular place, or in a particular direction.

Real change starts from the top.

While you understand the importance of cultural change in reducing the organisation’s exposure to risk, upper management may not be sufficiently technologically literate to grasp the significance of what you’re proposing. However, it is vital to get their full support if your initiative is to succeed. This is to ensure your initiatives aren’t stymied by those within the organisation who may be resistant to change.

Following these 4 steps, you’ll stand a good chance of successfully persuading upper management of the necessity of your initiatives:

  1. Drive awareness by providing evidence to senior executives of the impact an organisation's culture has on its bottom line.
  2. Demonstrate the impact your changes will have on the organisation by focusing on outcomes. By learning to translate "IT-speak" into "business-speak", you'll be able to align your initiatives with business metrics in a way that will be highly persuasive to upper management. Emphasise the costs of inaction: ransomware attacks have the capacity to shut down business for multiple days, costing millions in lost data.
  3. Push to get agreement on moving forward with your change agenda.
  4. Get firm commitments, preferably in writing.

While this process of persuasion won’t necessarily be easy, it is absolutely vital you lead the internal conversations within your organisation to get the commitment and support from upper management to succeed.

Pillar 2: ENGAGE

Engage by winning hearts and minds.

Traditional training methods are notoriously ineffective. Periodically pushing out highly technical information is not the way to engage people. That’s why it’s crucial you develop an effective plan that encourages people to embrace the project.

The training modules you use need to interest learners and be enjoyable. Importantly, you want to make sure people feel like winners.

Don’t make training too complex. Remember, every person has a unique comfort zone. Your goal should be to nudge them slightly beyond their comfort zone for long enough to enable them to absorb a new concept. This concept will then become part of their new, expanded comfort zone.

Through gradual, incremental training, you’ll achieve long-term cultural change.

This is what we’ve achieved with Phriendly Phishing. While we use challenging emails for our initial risk assessments, when it comes to raising awareness and achieving behavioural change, we use phishing emails that are more easily identifiable. This encourages people to learn, grow and build confidence. It makes them feel like winners.

We’ve also found that when testing behaviour, it’s best to send test emails randomly. There’s little point sending out test emails according to a pre-determined cadence, when the individual knows they’re being tested. By randomising your testing, you’ll gain a clearer insight into the effectiveness of your training.

Some other factors to consider when fostering engagement:

  • Whenever possible, focus on the personal benefits they will experience from the training. When it comes to email security, the awareness they develop through the training will help them and their families stay safe online.
  • Ensure you map out training modules to align with your goals and communicate your timelines with participants. Long-lasting change may require a learning path over multiple years.

[Poll 2 results chart]

Pillar 3: CHANGE
An act or process through which something becomes different.

Long-lasting change requires ongoing training.

Don’t try to effect substantial cultural change overnight. It will take time. Start with small, bite-sized chunks, then progressively educate your staff about what changes they should make.

Crucially, staff need to understand the reasons behind the push for change.

This is why context is critical. When staff understand why they are being asked to change, and why it’s important for the organisation, you’ll generally achieve greater success.

Without this context and understanding, staff will be more likely to resist, and your attempts to achieve cultural change are unlikely to succeed.

We recommend focusing on the three R’s:

  • Repeat – Maintain ongoing, consistent and gradual approaches to achieving change.
  • Repair – Always seek to identify areas of weakness, where change hasn’t been achieved, and focus on those areas for improvement.
  • Report – Constantly monitor your progress and report back to stakeholders regularly.

In our experience, ongoing computer-based training (CBT) is the best model to follow. In the poll we conducted, almost half of respondents stated their organisations implement CBT strategies. A further 32% implement ad hoc training initiatives. While this is certainly a great start, it's important to bear in mind that not all CBT is created equal. To be successful, CBT strategies need to be engaging and tailored to the individual requirements of different staff members.

[Poll 3 results chart]


Follow the Phriendly Phishing Model to Achieve Cultural Change

By implementing these three pillars, Phriendly Phishing is successfully changing the culture in many organisations surrounding email security awareness.

Phriendly Phishing’s engaging and interactive modules gradually progress learners through various pathways tailored to their individual levels of awareness. With incremental learning delivered this way, staff gradually build up their understanding of the threats posed by email phishing, and how they can play a crucial role in identifying such threats.

Importantly, staff are also made aware of the ways in which email security awareness can benefit them personally. The lessons learned are equally relevant for personal email. In this way, cultural change is more successful because it can personally benefit each staff member, as well as their families.

Ready to begin implementing cultural change in your organisation?
CLICK HERE to watch our webinar for more tips on how you can succeed.