When we talk about practical advice for companies, we always say something like “Raise your employees’ security awareness.” That advice is unquestionably strong, but we have noticed that not everybody understands the term security awareness in quite the same way. We would like to explain what we mean when talking about this subject.
Security awareness is by no means a set of dull lectures about how dangerous the cyberworld is. We have studied a variety of approaches and can say that categorically. It simply doesn’t work.
What business really needs is a culture of cybersecurity.
In our experience, training works only if it meets several criteria:
- It is not pure theory; it teaches things that are relevant to one’s job functions;
- It does not interrupt students’ daily workflow;
- It uses real-life, illustrative examples;
- It gives advice that really can be applied.
The last point may sound obvious, but it matters. Good advice is easy to give: make every password unique, at least 18 characters long, and made of random symbols; change every one of them weekly; and never write a password down on paper. In theory, that advice is great, perhaps even ideal. Is it applicable, though? No. Will anyone follow it? Not a chance. They will keep writing “Passworddd123” on a sticky note. At most, they will start taking the extra second to hide the note under their keyboard.
That is why our version of password security instead advises people to create several complex “roots” that have meaning only to them and are not part of everyday speech (e.g., meow!72!meow); add a keyword to the root each time you create a new password (e.g., oxygen-meow!72!meow); take a piece of paper and write aqualung-cat on it (i.e., something that you associate with the keyword and the root).
From a classical cybersecurity perspective, that advice is far from ideal: the same root is reused in every password, and the piece of paper hints at both the keyword and the root. Any security expert would yell, “What are you doing? How can you advise people to write down part of their password?” But it is actually highly practical, and the best advice is advice people will follow.
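To make the trade-off concrete, here is an added example (not code from the original post or from Kaspersky) that plays both sides of the root-plus-keyword scheme. The root, keywords, account names and the keyword list are all constructed for the demonstration, and salted SHA-256 stands in for whatever hash a real service would store. It shows what an attacker who obtains one plaintext password from a breached site can do once they guess the “keyword-root” structure: the root falls out immediately, and every other account is only as safe as its keyword.

```python
import hashlib
import os
from typing import Dict, List, Optional

# Constructed values for the demonstration (not from the original post).
ROOT = "meow!72!meow"   # the memorised root
SEPARATOR = "-"         # how keyword and root are joined


def derive_password(root: str, keyword: str) -> str:
    """Build one account's password the way the post describes: keyword + root."""
    return f"{keyword}{SEPARATOR}{root}"


def recover_root(leaked_password: str) -> str:
    """Attacker side: once the 'keyword-root' structure is guessed, the root is
    simply everything after the first separator."""
    _, _, root = leaked_password.partition(SEPARATOR)
    return root


def password_hash(password: str, salt: bytes) -> str:
    """Stand-in for a service's stored password hash (salted SHA-256, for brevity)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def guess_keyword_password(root: str, target_hash: str, salt: bytes,
                           wordlist: List[str]) -> Optional[str]:
    """Try every keyword in the wordlist against one stored hash; return the
    password on a hit, None otherwise."""
    for keyword in wordlist:
        candidate = derive_password(root, keyword)
        if password_hash(candidate, salt) == target_hash:
            return candidate
    return None


def simulate_root_reuse_attack() -> Dict[str, Optional[str]]:
    """One breached account plus two other accounts built from the same root.

    Returns the recovered root and, per account, the guessed password or None."""
    # Plaintext password leaked from one breached service (constructed).
    leaked = derive_password(ROOT, "forum")
    root = recover_root(leaked)

    # The victim's other accounts; each service stores only a salted hash.
    accounts = {
        "bank": ("oxygen", os.urandom(16)),    # an everyday word, as in the post
        "vpn": ("aqualung", os.urandom(16)),   # keyword known only via the paper hint
    }
    # Keywords a credential-stuffing script would try first (constructed list).
    common_keywords = ["bank", "mail", "work", "vpn", "shop", "oxygen", "password"]

    results: Dict[str, Optional[str]] = {"recovered_root": root}
    for name, (keyword, salt) in accounts.items():
        stored = password_hash(derive_password(ROOT, keyword), salt)
        results[name] = guess_keyword_password(root, stored, salt, common_keywords)
    return results


if __name__ == "__main__":
    for account, outcome in simulate_root_reuse_attack().items():
        print(f"{account}: {outcome}")
```

The point of the run: the “bank” account falls because its keyword is a plain dictionary word, while the “vpn” account survives only because its keyword is not on the attacker's list. In other words, once the root has leaked anywhere, the keyword carries all of the remaining security, so the keyword has to be as private as the root, and the paper must hold nothing more than the association.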
Training’s compatibility with daily work is another sensitive issue. When someone at the top decides to “raise security awareness” (and let’s keep in mind that in most cases, the idea comes up after some sort of security incident), they put someone in charge and rest easy, certain that everyone will just drop everything and turn to cybersecurity.
In practice, what results is a lecture: a big, long session that skims over a topic, or a “cybersecurity week.” Some employees will treat it as an opportunity not to work; others will be nervous about pressing deadlines; and the rest simply won’t get much out of it, because there is only so much information you can cram into your brain in a short period of time.
At the end of it, employees will have completed training, so someone can check that off their list. But will there be a real result? Sure, some will feel shaken, and for a week or two they will remember to examine each incoming e-mail to guard against phishing attempts. But what will they remember in a month?
That is why we try (in particular with our Automated Security Awareness Platform) not to overload people with information. Running through a couple of small activities — lessons, tests, and simulations — per week gives employees a digestible amount of information, and in small enough bites to integrate with daily work, building a foundation for cybersecurity culture. And thanks to our platform, little administrative effort is required. You can read more about it on our corporate website.
Relevance and visualization
On this subject our position is direct — we work with people, not with faceless accounts. If the process isn’t interesting, it will be quickly forgotten. And it needs to be relevant. We use a system of levels, each recommended for a group of employees with an area of responsibility in common. After all, why would we train someone who has no access to banking systems on resisting financial cyberthreats? Accountants, on the other hand, need a deeper understanding of those threats specifically. Moreover, first we explain why employees should know something, and only then give practical advice.
Interactive simulations also go beyond giving simple information about threats and provide practical expertise. They also may be the best way to work with top managers, who may have extensive access but rarely agree to attend common training sessions.
People perceive our Kaspersky Interactive Protection Simulation not as some sort of education, but as a team-building event. Working together with staff to keep a simulated company intact, directors come to truly understand why the company needs protective measures, where to spend on defense, and how the company’s income depends on cybersecurity. It is truly a unique experience.
We are not the only ones thinking about the advantages of building a cybersecurity culture, not to mention modern and effective ways of conducting security training. Analytic companies are expressing similar ideas. Here, for example, is Forrester’s report about security awareness.