This blog is co-written by Aimee Laycock and Joanna Huisman
When it comes to fostering a more secure environment, it’s not a question of wanting to…it’s more like YOU HAVE TO. Humans are highly unpredictable, more distracted than ever, and take in only a fraction of the information they once had the patience to consume, so you can’t rely on traditional, annual, check-the-box security awareness or compliance training to get the job done. Social engineering attacks are not going away; they are multiplying in volume.
Most humans have a strong desire to do the right thing, but if they are led down the path of check-the-box training, that’s what they’ll do…and probably the only thing they’ll do. Security awareness compliance needs to be role-modeled and communicated from the top down as the expectation for everyone. All employees have access to data, systems, and people. Without the right knowledge of how to engage with them safely, they could be putting the company in harm’s way.
Title III of the Americans with Disabilities Act (ADA) requires companies to adhere to 61 guidelines to operate their websites. Major healthcare companies, broadcast television networks, streaming services and even celebrities have been sued because of their lack of, or limited, compliance. With regard to security awareness, whether you are in healthcare and required to follow HIPAA standards, or in the EU and guided by GDPR requirements, you will find that employee security awareness runs as a critical thread through both.
Compliance is not just about the existence of an adequate document that employees comply with; it also involves processes of communication, cooperation and coordination so that the policies are adequately implemented and adhered to at all organizational levels. Adoption of information security compliance in organizations involves:
(a) Implementation of effective and balanced information security measures and mechanisms.
(b) Compliance with legal and security requirements and expectations of organizations.
(c) Maintaining both employees’ and stakeholders’ confidence and trust in the organization’s security.
Having a well-documented set of policies and procedures is not, by itself, enough to deter information security breaches.
So, what can you do now?
- Communicate more effectively: Improve the quality of communication channels to discuss security-related issues and report incidents.
- Make policies actionable: Increase the understanding, knowledge and awareness of the policies themselves, including procedures to implement them into daily work tasks and activities.
- Repeat that people are critical: Strengthen employees’ understanding of how important their own role is as a critical factor in sustaining or endangering the security of the organization.
- Attitude is everything: Support positive attitudes towards the importance of security and of being more aware.
- Continuous training and testing: Security awareness training that includes frequent simulated social engineering attacks is a proven method for reducing an employee’s susceptibility to an attack. Don’t believe that? Here’s the data.
Bad guys don’t care how they get into your systems, but be certain that finding the weakest link in your human firewall, the person who will click on a phishing email, is not as challenging as you may think. Setting the right policies and then spending a few minutes a month reinforcing them will save you lots of time on the back end cleaning up a big, costly, public mess you never saw coming.