|It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.|
That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.
“If your security awareness program involves getting excited about sending ‘don’t click on links’ emails in October, you’re doing it wrong,” he said. “The biggest problem I have with the term security awareness is ‘security awareness.’ That’s a sub-section of the problem. The bigger need is about building a culture.”
That means a culture that makes security personal but relevant. It’s about making it relatable to individuals based on their company roles.
Reed gave the example of a client who got a lot of pushbacks from executives who didn’t want “all these additional security controls – yet another endpoint, another browser plug-in.”
The remedy: Treat them like VIPs.
“It’s about saying, in this case, ‘we want to protect YOU and your personal brand, Mr. Executive.’ Let them see you building a boutique security program just for them,” Reed said.
It’s also about helping employees understand the consequences of their actions. Do they know the boundaries of what they’re supposed to be doing day in and day out? What sorts of rights and privileges is the company giving new partners? Are they starting off on the wrong foot from the get-go?
The days of having stale, computer-based training modules is no longer helpful – if it ever was. Newer ways need to be focused around:
· Activities and communication that’s based more on job-role
· Using humor to relate to people, to show you understand where they’re coming from.
To the last point, humor can include using the things that happen during calls: dogs barking, kids pulling your leg to go do homework – relatable things.
“We should work that into the training where appropriate,” Reed said.
The need for security culture inside companies was illustrated by the results of Proofpoint’s “2021 State of the Phish Report” – which found that 74% of organizations experienced a “successful” phishing attack in 2020. These attacks resulted in data loss, account compromise, ransomware and other malware infections, and financial loss.
While the report noted a small improvement in user identification of threats, much more education is needed to ensure users don’t fall prey to the ever-increasing frequency and sophistication of social engineering attacks.
Check out the full episode, sponsored by Proofpoint, and visit https://securityweekly.com/proofpoint to learn more about the company!