No matter how much technology you acquire or how many specific technical controls you install, when it comes to your information security awareness program, the most important control to tune within your environment is your people.
I’m not telling you anything new here. But as we move into a third year of employees either working regularly from home or coming back into an environment which may be dramatically reconfigured and is staffed differently than before (the office), we are not going back to the way things were in “the before times”.
It’s important that your current security awareness efforts are appropriate for how your employees work today, not how they worked two years ago.
Here are four employee personas for you to consider and recognize as you review and update your security awareness program:
Employees as first-line defenders. The strongest security cultures are those where each employee fully understands that they are on the front lines. They are extended members of and the early warning system for your core team in the SOC.
Make it easy for them to express concern about something they’ve seen or experienced. It’s the same mindset of the “If you see something, say something” mantra we all see when we take public transportation. Don’t settle for developing and publishing an overly complicated policy which details the many steps the employee should follow if they believe there is suspicious activity. There’s often too much friction.
Think instead about how that concerned employee can quickly reach your information security team directly via a phone call and via chat. Providing multiple channels to ask for help increases the chances that one of them will be used. An employee who finds it too hard to fill out your helpdesk form to open a ticket may be an employee who decides it’s just not worth it.
Employees as people. And people are not machines. We get distracted. We get tired. We make mistakes. We want to do the right thing for our organization, and we need to get our job done, but sometimes it can seem like both goals are in opposition to one another.
When your training curriculum is presented like most other trainings employees consume – sitting through a multiple-choice exercise, trying to hit the minimum passing score to just to get it out of the way – you run the risk of your audience tuning out.
Consider a continuous “drip” approach versus a once-a-year “hammer” approach. One way to accomplish this is to wrap additional content around the main curriculum/test each year – in some organizations, the wrapper might even replace the single test.
One example: a quarterly email which directly connects a reported incident elsewhere in the industry to the employee behavior which led to the incident.
Taking a more overt approach where you explicitly nudge employees during their day-to-day work is another alternative: you may have technology in place which can monitor email during composition and insert a “are you sure?” prompt when an email is going outside the organization to a known-risky domain, or if it contains an attachment with sensitive information.
Employees as parents. Employees with families have found the last two years especially challenging. They didn’t sign up to do their own tech support at home. They didn’t sign up to enforce your corporate-grade security rules within their home environment. And they didn’t sign up for sometimes unusual working hours and significantly increased stress when trying to be a worker and a parent during a pandemic, when those two roles are sitting behind the very same laptop on the dining room table.
Help them, show them how to secure their work devices and their home devices. Don’t be afraid to explain the “why” along with the “how.”
As an example, maybe you sent out explicit guidance about home networks: “Make sure your Wi-Fi router’s password is complex.” Good advice, to be sure. But from the employee’s perspective, what exactly is a complex password? Why is it that a complex password does a better job protecting an information asset versus a non-complex password? Where can a non-technical employee check to see what the current Wi-Fi password is? Is there a difference between an administrative password and the password they use to join a device to their Wi-Fi network? How do they recognize the distinction between their Wi-Fi router and their cable modem? Issue your guidance but take the time and the care to explain.
Employees as threats. We know that there are two primary types of threats from our employee population: accidental, and intentional. Your security awareness content should account for these two audiences.
Trainings should include scenarios involving both external and internal threat actors, scenarios which are more than “don’t do this” but “if you see this, here’s what to do.” This can also be a good opportunity to explain exactly why your organization reserves the right to monitor employees. And even in environments where you may be less concerned about insider risk, ensure that your training also includes a third-party angle, especially for that subset of your team who works with external partners.
There will always be employees who just don’t care, who won’t care, and can’t be bothered to pay attention to your training curriculum. Your job is to reach as much of your audience as you can, and to recognize that outliers will always exist.
Remember: work is not a location, but an outcome. Now is the right time to review your existing security awareness program to confirm it respects the new reality your remote employees are experiencing every day.