At CISO Platform Annual Summit 2017, we had a panel discussion on the topic of innovative approaches for cyber security awareness, featuring industry stalwarts such as Shaik Javeed Ahmed (Head - Cyber Security, AVP, Virtusa Polaris), Nitin Gaur (Director - Information Security, Omega Healthcare Management Services), Ananth Kumar M.S. (VP IT Sec & CISO, Janalakshmi Financial Services), Mrs. Maha Ganapathy (VP, QOS Technologies), and Prof. Dr. M. Babu (IBA).
One of the greatest threats to information security could actually come from within your company or organization. Inside ‘attacks’ have been noted to be some of the most dangerous, since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008). It’s all well and good implementing the latest and greatest in security technology to protect an organisation from cyber threats, but will the most vulnerable companies always be those that fail to create a culture of security?
Key Learning - Innovative approaches for cyber security awareness
From the discussion, some of the innovative approaches to spreading cyber security awareness are as follows:
- Customizing the awareness to different audiences
- One size does not fit all in awareness
- It is crucial to understand the background of the audience and make the necessary changes to the message (e.g., for normal users, talk about how day-to-day security matters whether they are in the office or outside)
- The regulator expects banks / financial institutions to continuously send out security tips / messages
- Awareness is a journey, and it will only improve as we undergo generational change
- Reward and Reprimand – should be effectively used
- Employees are the last line of defence: We felt that the employees in our organisation are on the front lines of our business. But from a cyber-security perspective, end users or employees are the last line of defence. They represent the final wall against a cyber-attack that has penetrated the other barriers we have put in place; they are the decision point for malicious emails that sneak through your filters, and they can become victims of phishing and spam email. Security awareness training programs can help us strengthen this last layer of defence.
- Develop a customized training program that considers the context of the business and the threats to the business, and include past incidents as examples.
- Conduct an organization-wide learning assessment at least twice a year. Put metrics in place to measure employees' learnings and errors. An end user’s mistake should be looked at as a learning opportunity. Whether the mistake is noted during a phishing test (i.e., a simulated attack) or as the result of a successful attack from the wild, training should factor into the follow-up. And the more targeted the education, the better.
- Conduct a real simulation test for the technical team by forming a red team, a blue team and a purple team to strengthen your incident detection and response mechanism.
- Conduct tabletop exercises with top management using scenarios, and capture the exercise for correction and learning.
- Nowadays cyber security awareness is not limited to office staff; all of our family members should also have enough awareness, considering digitalisation, the increasing usage of social media and mobile apps, upcoming IoT threats, etc.
How the West handles awareness and training:
- In the West, organizations have come to an understanding that either they have been hacked and are not aware of it, or they can be hacked at any time.
- Processes are put in place, but bigger focus is given to awareness, as humans are the weakest link in any process.
- Organizations are using innovative modes like sending phishing emails to employees during festival seasons – around Thanksgiving and Christmas, when online shopping is at its peak, to check effectiveness of the awareness training.
- Organizations are also looking at the personal awareness of employees to help them safeguard their information at a personal level.
- Policies are created on par to satisfy business needs.
- India is also picking up pace in the right direction and we need to adopt innovative methodologies to train and check the efficiency of these training programs.