Evolution and Automation of Corporate Security Awareness Program
Cyber-Ethical Health as Evolution of Corporate Security Awareness and Behavior
When building your information security program, you need to answer one simple question: are regular IT security measures enough to ensure the required level of corporate security? The answer is simple: no, they are not. If you want to manage corporate security effectively, you need to build personnel security and awareness as well. These processes are often neglected by businesses, as they take a long time and effort and require contributions from psychologists, ergonomists, graphic designers, copywriters, narrators and so on. At the same time, personnel security and awareness are a must according to international security standards and regulations.
In general, the real root cause of any security incident is human error or negligence, as any security incident or harmful action is only possible with the combination of two factors: a vulnerability and a threat. Any vulnerability is a defect in systems or processes, and defects are always caused by someone’s mistakes or shortcomings.
That is why a Security Awareness and Training program is as important as IT security, if not even more so. Unfortunately, many companies follow the sad tradition of entrusting information security to technical specialists only, who may have zero understanding of human resources or psychology. This leads to the mistreatment of security awareness issues, as technical specialists don’t have the knowledge required to deal with them.
Security awareness evolves, and modern best practices consider wider concepts, adding personnel behavior. We believe that addressing security should happen in employees’ minds, i.e., earlier than the stage of controlling behavior. By analogy with the popular concept of Cyber Hygiene, which relates mainly to IT security, we suggest the concept of Cyber-Ethical Health and Healthcare, which relates to “personnel hardening” or “human firewalls”. Cyber-Ethical Health is as important as IT security for achieving and maintaining a proper security posture for your business.
Objectives of Security Awareness Process and Program
The ISF Standard of Good Practice (SoGP), a useful framework for building a comprehensive Information Security Management System, has a dedicated description of security awareness. Let’s go through the key objectives, principles, and goals of a security awareness program.
According to ISF, the Security Awareness Program is the main strategy for corporate security awareness.
Security Awareness process is interconnected with event and incident management, configuration management, secure software development and many other security-related processes.
The Primary Objectives of the Security Awareness Program are the following:
- Raising awareness of information risks and information security across the company.
- Minimizing information risks and reducing the frequency and magnitude of information security incidents across the company.
- Embedding positive security behavior of individuals across the company.
- Empowering individuals to make effective risk-based decisions (e.g. having a ‘stop and think’ attitude when confronted with an unfamiliar or complex business situation, identifying risks and weighing them before acting).
Three principles of the Security Awareness strategy are your key factors in decreasing security incidents and increasing trust and loyalty:
- A proper level of education
To focus on employees’ behavior, the Security Awareness Program and awareness controls use various motivation methods, as well as the right moments and places to deliver the company’s expectations to employees, e.g., adaptation (onboarding) or incident follow-ups.
Since most security incidents have internal causes, Security Awareness is one of the most cost-efficient proactive security measures.
Training Security Awareness
Infopulse always pays attention to security awareness. We constantly improve awareness methods, technologies, and processes. From the very start of the company’s history, internal security awareness was addressed through initial training and testing of newcomers, regular testing for all employees, and customized training sessions for specific problems.
Before 2013, newcomers at Infopulse were required to take the security test in the corporate training center. However, classroom security workshops were inconvenient for both employees and trainers. That is why we developed and implemented an internal online multimedia security course for newcomers, considerably decreasing the workload of our trainers and the time employees spend on training and tests. The new course, voiced by professional narrators, allows employees to complete the security training online.
Pic 1. A screenshot from the internal security awareness testing course.
Testing is the best learning, as a person perceives new information better under stress. Our new employees can have unlimited testing attempts until they show decent results. This enhances training quality and increases automation of the security awareness training.
However, you can’t train security awareness only once and make people remember it forever.
Managing and Automating Security Awareness Processes
Security issues always pop up at the most unexpected moments. Over the course of time, people tend to forget security requirements and neglect security announcements. Employees should always be ready and refresh their knowledge on a regular basis. Since more than 1300 specialists work at Infopulse, many of whom have worked here for many years, we needed to come up with a different approach to improving their awareness as well.
In October 2016, we finalized our regular automated testing system. This system covers more topics and is more complex than the security testing system for newcomers. The scoring system is different, as test questions can contain more than one correct answer. Employees have five attempts, and additional attempts can be granted manually by the awareness manager. The questions and answers are reviewed and updated periodically.
The core features of the system are email notifications and an MS SharePoint list that tracks testing plans, states, and results.
A short description of our testing management process follows. All of the process steps are automated:
- Detecting employees who need to undergo the testing
- Adding employees to the SharePoint list
- Defining and assigning the due date for each employee
- Notifying each employee of the due date to take the testing
- Keeping a record of employees who successfully passed the testing
- Reminding about testing and due date
- Detecting and tracking employees who missed the testing or didn’t pass it properly
- Notifying the direct managers about employees with poor results
- Escalating to Supervisors/Group Leaders regarding both the direct managers and the employees with poor results
Successful implementation of the testing management process leaves us with only a minimum of manual operations: system maintenance, correspondence with tested employees and their managers, processing the list of those who still failed after all escalations, processing exclusions, and tracking process coverage and testing results.
The implemented testing systems allowed us to collect statistics and analyze all process parameters, including the real security awareness of the company’s personnel (both newcomers and existing employees). This helps us to see the distribution of successful testing results over time for both the initial and the regular testing. We can collect statistics from all departments, encouraging department managers to improve their indicators. The main motivation for our employees is understanding the importance of information security for both our company and our customers. Our employees take personal responsibility for security and for knowing security rules and practices. Finally, no one wants to lag behind when compared with other departments.
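To make the automated steps above concrete, here is an added example (not the Infopulse system itself) that models the tracking list as in-memory records and runs the detect, enlist, notify, remind and escalate logic over them. The five-attempt limit and the employee → manager → supervisor escalation chain come from the text; the pass threshold, retest interval and grace period are assumed values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PASS_SCORE = 80                         # assumed pass threshold (not given on the page)
MAX_ATTEMPTS = 5                        # five attempts before the awareness manager must step in
RETEST_INTERVAL = timedelta(days=365)   # assumed regular-testing cadence
GRACE_PERIOD = timedelta(days=14)       # assumed time allowed to complete the test

@dataclass
class Employee:
    name: str
    manager: str
    supervisor: str
    last_passed: Optional[date]         # date of the last successful test, None for newcomers
    attempts: int = 0
    due: Optional[date] = None
    notices: list = field(default_factory=list)   # (recipient role, recipient, message)

def needs_testing(e: Employee, today: date) -> bool:
    """Step 1: detect employees whose last pass is missing or older than the interval."""
    return e.last_passed is None or today - e.last_passed >= RETEST_INTERVAL

def enlist(e: Employee, today: date) -> None:
    """Steps 2-4: put the employee on the tracking list, set a due date, notify them."""
    if e.due is None and needs_testing(e, today):
        e.due = today + GRACE_PERIOD
        e.notices.append(("employee", e.name, f"test due {e.due}"))

def record_attempt(e: Employee, score: int, today: date) -> None:
    """Step 5: record a result; a pass clears the employee from the due list."""
    e.attempts += 1
    if score >= PASS_SCORE:
        e.last_passed, e.due, e.attempts = today, None, 0

def escalate(e: Employee, today: date) -> str:
    """Steps 6-9: remind, then notify the manager, then escalate to the supervisor."""
    if e.due is None:
        return "passed"
    if e.attempts >= MAX_ATTEMPTS:      # attempts exhausted: only the awareness manager can grant more
        e.notices.append(("supervisor", e.supervisor, f"{e.name}: attempts exhausted"))
        return "escalated"
    if today > e.due + GRACE_PERIOD:
        e.notices.append(("supervisor", e.supervisor, f"{e.name}: overdue, manager {e.manager} informed"))
        return "escalated"
    if today > e.due:
        e.notices.append(("manager", e.manager, f"{e.name}: missed due date {e.due}"))
        return "manager_notified"
    e.notices.append(("employee", e.name, f"reminder: test due {e.due}"))
    return "reminded"
```

Running `escalate` once per scheduled job (daily, for instance) over every enlisted record reproduces the reminder and escalation cascade described above.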
Pic 2. Internal security awareness testing course and its results.
To sum it up, the results of the project were impressive. With the automatic reminders and escalations and minimal manual efforts from our side, most of our employees showed almost 100% successful results.
Recommendations for Building a Comprehensive Security Awareness Program
Although automated training and testing is one of the most effective awareness controls, we recommend running various awareness procedures on a regular basis:
- Signing the commitments (security policy, corporate ethical policy, non-disclosure agreements, personal data protection, copyright disclaimers and agreements, etc.)
- Security warnings during the job interview
- Addressing security in job responsibilities and task descriptions
- Instructing the employees’ managers
- Security training and testing during the adaptation stage
- Regular security training and testing based on internal security policies
- Customized security training and testing for different user profiles (software developers, marketing and sales, accountants, etc.)
- Customized security training and questionnaire on specific topics
- On-demand security training and testing (e.g., incident follow-ups)
- Security training and testing management system with automated reminders and notifications
- Security blog
- Security mailings (announcements, vulnerability warnings)
- Handouts (booklets, brochures)
- Printed posters and banners
- Security research communities and mailings
- Project-specific security training and testing
- Electronic posters and banners (i.e., replacing web ad banners)
- Other activities (polls, games, competitions, etc.)
Our Security Awareness Processes have shown good results and continue to improve and evolve. Since we steadily improve the organization and quality of our training and tests, the performance of our Security Awareness Processes keeps increasing: training and testing coverage and the employees’ test results have both improved. Overall, Infopulse constantly develops its security awareness and behavior programs and helps its customers to improve employees’ awareness, responsibility, and motivation in order to reduce security incidents and risks.
We recommend that any company or organization develop a security awareness program as a key component of its security. Cyber-Ethical Healthcare is really important for your company’s success!