Have you ever wondered how to engage users in cybersecurity efforts? Cybersecurity is a vital part of an organization’s operations and competitiveness. Neglecting it can, at worst, interrupt operations temporarily or even paralyze them permanently. Human error is the biggest cause of security incidents. But how can organizations improve their cybersecurity resilience where users are concerned, and how can users be engaged in it?
Making Training Part of Everyday Life
In some organizations, cybersecurity training still consists of a bundle of security guidelines handed out with the other onboarding materials to be read during induction, and the matter may never have been revisited since. For some employees, several years may have passed since they last received any cybersecurity training. The guidelines themselves may not have been reviewed since the first published version was written and may therefore contain outdated information.
Today, there are many different cybersecurity training systems available for organizations. The most popular are training systems built around simulated phishing messages, which often include short, continuous micro-training on various aspects of cybersecurity in addition to email phishing simulation messages. The core operating principle of these systems is regular, continuous training, so that things are not forgotten and users’ awareness is maintained.
Matt Linton from Google wrote a blog post some time ago, which also made news here in Finland, in which he criticized the usefulness of email phishing simulations. I agree with him that training in which simulated phishing messages are sent to users without a reporting feature is not an effective method. When a user clicks a link in a simulation message, they receive a cybersecurity training package and the disapproval of the IT department. Not an optimal way to engage users. Systems that provide a reporting feature and reward reporting engage users in the joint cybersecurity effort, whether the message is a practice simulation or a real phishing attempt.
What About the Organization's Own Cybersecurity Guidelines?
Often, the cybersecurity training materials are located somewhere in SharePoint file libraries, and there is no record of which users have acknowledged reading them or when. Also, almost without exception, the aforementioned phishing training systems cannot import the organization’s own internal training materials.
The Finnish software company Agendium has an excellent solution for this. Their product, Digiturvamalli (Digital Security Model), is a cybersecurity management system for managing cybersecurity comprehensively across an organization. One part of the system is the maintenance, publication, and monitoring of cybersecurity guidelines for the organization’s users. With the system, guidelines stay up to date and can be assigned to users as tasks to acknowledge, for example through Microsoft Teams.
What Constitutes Good Cybersecurity Practices from the Users' Perspective in an Organization?
- Management Commitment
  - The implementation of a cybersecurity culture must come from management
  - Without genuine management commitment to cybersecurity, it is very difficult to create a successful cybersecurity culture in the organization
- Cybersecurity Strategy
  - Identify the external and internal requirements our organization faces
  - Implement cybersecurity systematically, for example by following a framework such as ISO 27001, even if it is not specifically required of us
  - Give users clear explanations of why things are done and how they affect the organization and its employees
- Implement a Cybersecurity Management System
  - Clarifies and supports the organization’s systematic cybersecurity development
- Continuous Phishing Simulation and Cybersecurity Micro-training for Users
  - Helps users identify and report genuine phishing messages
  - Keeps users continuously aware of cybersecurity
  - Engages the organization’s employees in joint efforts to improve cybersecurity
- Make Reporting Cybersecurity Observations as Easy as Possible for Users
- Reward Participation, Don’t Punish It!
It’s a cliché, but true: an organization’s cybersecurity is only as strong as its weakest link. And almost without exception, the biggest risk is human behavior. By engaging users in the joint cybersecurity effort, we significantly reduce this risk.
At Above IT, we help organizations create a successful cybersecurity culture. Contact us below and let’s talk more!