We’ve said it once and we’ll say it again: an organization is only as secure as its weakest link. Most, if not all, of your employees are online and on their mobile devices in your workplace, whether you have a BYOD policy in place or not. Developers release software with millions of lines of code, your management discuss and share privileged information, and the rest of the organization opens emails regardless of whether they know the sender or not. Cybersecurity awareness is critical for your organization.
In organizations big and small, the possibilities for security holes and blips are endless; teaching employees about the risks and how to do their work securely is the only true way to minimize the chance of a breach.
If you’re in charge of security, be it a CISO, CSO, security manager, or otherwise, securing software is only part of the job. It’s also crucial to secure your employees through training, awareness, and a secure work environment. To do so, you need to understand how each group is put at risk, and how to best keep the different groups aware and informed. Each group, from executive management, to developers, to general employees, has its own understanding of security and it’s important you to speak to them on their level. Let’s take a look at some of the best ways to increase cybersecurity awareness among the different groups in your organization.
Cybersecurity Awareness for Management
Cybersecurity awareness has to start at the top of the pyramid. The C-Suite needs to be well-educated on risks not only to the organization as a whole, but also informed on how they can put the organization at risk if they’re not careful themselves. Executives are some of the most sought after potential victims of hackers, due in main part to their proximity to sensitive information that can be stolen or held over their heads for a ransom.
Moreover, management teams have the greatest influence over the rest of the organization, and their endorsement is critical to the success of any initiative – including your cybersecurity awareness program. A SANS Institute survey found that the biggest barrier to implementing cybersecurity awareness programs was a lack of management funding and buy-in. It’s clear that there is a disconnect between security teams and management, and your cybersecurity awareness program needs to jump that hurdle in order to be successful.
Security is a business driver when done right, and a huge business risk with potentially major impact when it fails: It’s up to your team to ensure that management is both aware of your risks and supportive of your efforts.
Tips for Driving Higher Cybersecurity Awareness Among Management:
- Gain buy-in by mapping security initiatives back to business objectives and explaining security in ways that speak to the business
- Set up weekly discussions where you present your current security initiatives, recent news regarding breaches, and answer any questions they have regarding security in the organization
- Use audit findings along with industry benchmarks such as BSIMM to show management where your organization falls in terms of security maturity and how you plan to improve, given their support
- Keep management aware of spear-phishing, ransomware and other hacking campaigns that aim for executives and teach how to avoid them
Cybersecurity Awareness for Developers
Developers have a different yet highly influential role in helping make and keep an organization secure, as the code they write will be combed through by hackers to find holes. And find them, they do: 75% of vulnerabilities are discovered within the application layer. No team other than yours is as critical to the security of your systems, so for developers, training in secure coding is the best way to raise their cybersecurity awareness levels.
By emphasizing the critical nature of secure coding, with the backing and funding support of management, developers will better understand their role in creating secure code and the important job they have in keeping the organization safe.
Tips for Driving Higher Cybersecurity Awareness Among Developers:
- Teach developers to look at their code through attackers eyes, using specific snippets from your own apps
- Hold remediation sessions with both security and developers where security members can explain in-depth about found vulnerabilities and gain a better sense of what developers know in terms of secure coding
- Find ways to make secure coding easier on developers, like integrating security testing and resources into their workflow and early in the SDLC
- Seek feedback from developers on how your security policies fit into their workflow and find ways to improve
Cybersecurity Awareness for General Employees:
Everyone at your organization needs to understand that the security of the whole organization depends on each and every employee. It takes one weak password, one answered phishing email, or a stolen, unlocked phone to take down the organization – and you need to make sure your employees are educated enough to know better. So many breaches could have been prevented with just an ounce more of security awareness and training, and only with training can employee breaches be stopped in the future.
It’s important to understand that security is not top of mind for the general employee, and looking out for that one malicious email or social media post among hundreds is in fact difficult, especially if they don’t know what to look for and are under pressure for other reasons. Use this information as a starting point, and begin with basic security awareness training that may seem obvious to you and your team, but in fact, is not obvious at all.
Tips for Driving Higher Cybersecurity Awareness Among All Employees:
- Seek out security champions, not only on the development team, but throughout the organization – it pays to have advocates spread throughout to ensure security messages are both spread and adhered to
- Use real examples of breaches accomplished by social engineering, phishing, and other common attacks aimed at non-security employees
- Teach employees about the risks of posting personal information online and how it can be used against them by hackers