
Security Think Tank: Use the work environment to educate on cyber security

What are the best security controls to ensure a safe working environment where employees do not have the unfair pressure of being the first line of cyber defence?

Today, organisations require positive, collaborative and engaging solutions for employees to be an effective first line of cyber defence. Sejal Pattni, information security education and awareness lead at UBS, with whom I work closely, says the best types of security controls not only focus on tools, but also equip employees with the right knowledge and escalation processes.

She believes we cannot expect staff to spot cyber risks diligently and consistently without the relevant training, and we cannot expect them to keep information safe without the right tools to help them.

When an employee clicks on a phishing reporting button, they are not thinking of, say, the malware threat scenarios. To them, the knowledge of how to use the phishing button ties into a process of escalation to tell us that somebody is trying to steal information.

Therefore, we need to declutter the solutions and provide simple tools that support security controls. Offering corrective controls with regard to knowledge, monitoring controls related to process, and preventative controls with the right tools, takes the burden off the first line of cyber defence.

In equipping the user with the right tools, we must first consider the environment they operate in. In the corporate workplace, most employees want to do the right thing, but the tools they require must be readily available.

Ideally, tools should be offered that seamlessly integrate into existing processes. We often see staff in other organisations complaining about being swamped with tool options. My advice is to offer one tool and build the correct knowledge around it.

To build the correct knowledge, you need a balanced approach to education. Constant reminders can distract employees from doing their job. The key is to create “aha” moments.

The best types of controls are those that make it easy for employees to do the right thing and reduce the technical liability of them managing their own security settings. Key success factors include strong campaign visuals and taglines. It is also important to target any repeat offenders.

For escalation processes, when running phishing campaigns, you can measure effectiveness at the point of impact, where the employee clicks on the link. The employee knowing whether they have passed or failed the test is more effective in the longer term, because education can be quickly forgotten.

A broad range of security controls includes:

  • Phishing button – an easy-to-identify button, clearly visible in the email screen, which allows employees to report suspicious email at point of receipt.
  • External email tag – a simple title tag that allows employees to quickly distinguish between external and internal correspondence.
  • Signing trusted emails – for authentication and non-repudiation.
  • Clear, branded email format that changes periodically – this makes it easier for employees to identify genuine emails.
  • Clear escalation processes – a one-stop shop that makes it easy for employees to remember where to go for help.
  • “Click to play” – instils a security mindset not to auto run/load media content.
  • Phishing exercises – delivered at the point an employee clicks a link or opens an attachment, which makes the message a far more memorable “aha” moment.
  • Strong campaign visuals and taglines – messages need to stand out. Requires budget and creative support.
  • Mandatory training – the employee learns all the key principles in one place. Keep it short.

Essentially, we are using the workplace environment to educate staff about how this brave new cyber world operates. Who knows, they might take some of this home as lessons learned and share further with their family and friends.
