“Organisations need to think beyond IT when planning IT security awareness training, and tackle it from the bottom up, as well as the top down,” she told Computer Weekly.
It is essential to examine the corporate culture to understand the formal and informal communication channels, she said, and to find out who the movers and the shakers are in the organisation.
This will help identify the best way of putting security messages across and who needs to be involved and onside to ensure the programme is effective.
Raising security awareness across the organisation
It is also important to have the support of company executives, said Peeler, who took part in a panel discussion on information security training at the 2012 (ISC)² Security Congress in Philadelphia.
The executive level can sometimes be the biggest problem, she said, because their actions, intentional or unintentional, can have a greater impact and can be more difficult to uncover.
“Start with the CFO, who will know the potential cost of a breach, and the compliance team, which will know the potential liabilities,” she said.
In boosting awareness, Peeler said information security professionals need to stretch their leadership skills across the organisation and form partnerships at all levels.
Anyone putting together an IT security awareness programme should use as many different ways of learning as possible, and should plan to reinforce the messages continually so that IT security becomes part of the way the organisation operates, said Peeler.
These regular reminders could be in the form of quizzes or email messages. One company, for example, sent a fake phishing email to staff and then reported on how many recipients clicked on the risky link.
Those who clicked on the link also received an email telling them their actions could have exposed the company to a cyber attack, and were given counselling.
Be open about data breaches
“Above all, awareness programmes should use real-world examples that are relevant to the jobs staff do,” said Peeler. “Walk them through specific examples. Tell machine operators how they could expose company IP inadvertently and how the loss of that IP could affect the business.”
Organisations should also consider telling their staff about any data breaches that occur or attempted cyber attacks that have been blocked. “Even board members are largely unaware that their organisations are fending off literally thousands of attacks a day,” said Peeler.
However, she said it is important not to create a bullying culture, and that naming and shaming tactics should be avoided. “If anyone is dismissed or disciplined for failing to adhere to IT security policy, word will get around and that should be enough of an incentive to do the right thing.”
It is also important to ensure that policies are fair, said Peeler, because policies that are unfair, or that are applied unfairly and unevenly, cause resentment and unhappiness, which can encourage people to circumvent them and so increase the risk of data breaches.
Another important thing to remember is that with younger generations moving into the workforce, it is not only the people working in IT and IT-related departments that have computer skills. “Therefore, it is important to make it clear that individuals should not access systems without authorisation just because they have the skills to circumvent controls,” said Peeler.
Methods of educating technology users about security
In putting together a security awareness programme, information security professionals should work with the members of the human resources department to make best use of training and development expertise.
“Every company, corporate culture and management structure is different, which means any IT security awareness programme will have to be custom made, so in addition to talking to people at all levels internally, IT professionals should talk to their peers to find out what is working in other organisations and adapt that for use in their own,” said Peeler.
To help foster and entrench an information security culture, the (ISC)² Foundation is working to drive deeper into education systems around the world with programmes such as Safe and Secure Online, which is designed for seven to 14 year olds.
The (ISC)² Foundation is also working to drive curriculum development at all levels of education and is looking at developing IT security courses for non-security majors at universities.
“We need to think about more robust information security awareness training and to start from day one,” said Peeler.