Enhancing Security Awareness: Strategies for a Safer Workplace
In August 2016, at the Security Awareness Summit in San Francisco, a telling video was shown that underscored why security awareness must be comprehensive. It featured an interview with an employee, presented as an expert in his field, at his office cubicle. Unfortunately, his usernames and passwords were written on sticky notes on the wall behind him, in plain view of the camera and the audience.
This anecdote isn't shared to criticize the individual, but to make a point: security awareness is ultimately about understanding and changing human behavior. Grasping that is a significant step toward a more secure culture and organization.
As director of the Security Awareness Training program at the SANS Institute, I see the efforts of many organizations, and a vast number of employees, working to build a more secure workforce and society. As National Cyber Security Awareness Month draws to a close, I'd like to offer two key strategies for integrating effective security awareness training into your organization and its daily routine.
- Simplify the Training
Changing behavior is hard, but security awareness training need not be complex. Training often overwhelms users because it is too long, too frequent, or dull, producing what is known as cognitive overload: employees are inundated with information and forget most of it. A more effective approach is concise, engaging, relevant training that directly addresses the key risks, so the important points are actually retained.
- Prioritize Top Risks
Developing a mature security awareness program requires identifying and focusing on your primary human risks. Many organizations make the mistake of trying to cover too many topics, bombarding employees with a long list of behaviors and messages, which again leads to cognitive overload.
Deciding what to leave out of training is often harder than choosing what to include. A human risk assessment can help. Based on my experience with over a thousand clients, and on this year's Verizon Data Breach Investigations Report, which attributed over half of the breaches in 2015 to human factors, three major human risks stand out:
- Phishing: Train people to recognize phishing attacks, know how to respond, and feel comfortable reporting them. Many programs start with phishing, but it should not be the sole focus.
- Passwords: Password security comes down to how people use their passwords. Encouraging a unique password for every account, passphrases, password managers, and two-step verification can significantly improve security.
- Accidental Risks: Many security incidents stem from simple mistakes, such as losing a mobile phone, inadvertently sharing sensitive data, or sending an email to the wrong recipient.
While these three risks are a good starting point, tailor your program to your organization's specific needs. Understand the human risks pertinent to your company and focus on managing them effectively.