BreachExchange mailing list archives

Innovative ways for CISOs to raise cyber security awareness


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 7 May 2014 19:25:52 -0600

http://www.computing.co.uk/ctg/analysis/2343499/innovative-ways-for-cisos-to-raise-cyber-security-awareness

Cyber security is high on the agenda of many businesses, but implementing a
strategy successfully involves more than technology and tools. People are
equally important, and they need to buy in to the strategy too.

However, while security professionals may find phishing scams easy to
ignore, there are others within the business who may not care to
understand the difference between a phishing email and a legitimate one.

But despite many of the CISOs at Infosecurity Europe 2014 believing that
awareness of cyber issues has grown within the workplace, Andy Jones, CISO
at Maersk Line, believes that the opposite is true.

"How long have we been doing awareness, and we keep expecting a different
result?" he states.

But perhaps a different approach is required, as David Cass, CISO of
information solutions provider Elsevier, tells delegates at the conference.

"No one wants to sit through 45 minutes of security awareness training," he
says, suggesting that companies have to create awareness of security
issues in a short and easily digested way.

The best way, Channel 4 CISO Brian Brackenborough believes, is by speaking
to employees about consumer security protection, in the expectation that
this will make them think about the same problems at work.

"We try speaking to them about antivirus and how they use it at home, and
once they associate themselves with it, they start thinking about it at
work," he says.

Insurance firm AXA UK has lunchtime drop-in sessions for employees who want
to learn more about protecting their own devices.

"We've had lunchtime drop-in sessions where we're not talking about
corporate security but consumer protection, and people want to hear about
this. If you're talking about taking steps to protect the consumer, it is
very similar to some of the steps in protecting corporate PCs," says the
firm's head of security, Michael Colao.

McAfee CTO EMEA Raj Samani states that there is a "real appetite" among
organisations to deploy this method, but warns that educating employees
demands constant attention.

"Using one approach will likely result in a drop off in interest, therefore
organisations should connect with employees over their use of technology
within the home, but also consider alternative methods," he says.

One such suggestion, says Bill Walker, technical director at QA Training,
is creating an app that appears to shut down employees' machines, then
informs them that they have just been attacked and that all of their emails
and data have been lost.

"When you then tell them that this was a drill, they would sit up and
listen. It's one of those things that people only take seriously when they
see the consequences directly," he says.

The problem is that many employees have an 'it will never happen to me, so
I'm not worried' attitude, he adds.

Indeed, the Home Retail Group, owner of retailers Homebase and Argos, used
a different technique to raise awareness of phishing emails, and how to
avoid them.

"We got a guy dressed up as a gnome and went out across the office and
handed out pamphlets and asked the employees to come to us if they had any
questions. After a couple of weeks we had been very successful in ensuring
that phishing emails were no longer an issue," Home Retail Group's head of
information security, Lee Barney, explains.

Techniques such as this may be beneficial to the business at the simplest
level, but perhaps of greater importance is to maintain a constant dialogue
between employees and security teams to ensure that security protocols
aren't hampering productivity.

"What we don't do as security professionals is to truly go out and ask the
end user what's acceptable and what's not," Nike VP and CISO Bill Dennings
emphasises.

But once the security team does communicate with the end user, and
personalises security for them, what should organisations do next?

Training is one option and, according to Samani, there are various options
businesses can pursue, but the most important thing is to measure the
success of any training.

"To give an example, where call centres are used the organisation may want
to consider tiger testing to determine whether the education method being
used is working," he says.

QA's Walker suggests that a short video session could be beneficial, as
long as it is exciting and informative.

"A short video session can be great if it really resonates with them. They
need to go away thinking 'I must do things differently to protect myself –
I now understand the risk to me and my company – I always thought cyber
security was just an IT issue.'"
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss