{"id":25729,"date":"2019-02-26T14:48:55","date_gmt":"2019-02-26T19:48:55","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=25729"},"modified":"2020-04-13T16:16:37","modified_gmt":"2020-04-13T20:16:37","slug":"building-cybersecurity-culture","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/building-cybersecurity-culture\/25729\/","title":{"rendered":"Cybersecurity culture instead of dull lectures"},"content":{"rendered":"<p>When we talk about practical advice for companies, we always say something like \u201cRaise your employees\u2019 security awareness.\u201d That advice is unquestionably strong, but we have noticed that not everybody understands the term <em>security awareness<\/em> in quite the same way. We would like to explain what we mean when talking about this subject.<\/p>\n<p>Security awareness is by no means a set of dull lectures about how dangerous the cyberworld is. We have studied a variety of approaches and can say that categorically. It simply doesn\u2019t work.<\/p>\n<p>What business really needs is a <em>culture of cybersecurity<\/em>.<\/p>\n<h2>Our approach<\/h2>\n<p>In our experience, training works only if it meets several criteria:<\/p>\n<ul>\n<li>It is not pure theory; it teaches things that are relevant to one\u2019s job functions;<\/li>\n<li>It does not interrupt students\u2019 daily workflow;<\/li>\n<li>It uses real-life, illustrative examples;<\/li>\n<li>It gives advice that really can be applied.<\/li>\n<\/ul>\n<h3>Applicability<\/h3>\n<p>The last point may sound obvious, but it is an important one. Giving a good tip is easy: Make every password unique, at least 18 characters long, and containing random symbols; change every single one weekly; and never write down a password on paper. In theory, that advice is great \u2014 perhaps even ideal. Is it applicable, though? No. Will anyone follow it? Not a chance. 
They will continue writing \u201cPassworddd123\u201d on a sticky note. They might start taking the extra second to hide the paper under their keyboard.<\/p>\n<p>That is why our version of password security instead advises people to create several complex \u201croots\u201d that have meaning only to them and are not part of everyday speech (e.g., <em>meow!72!meow<\/em>); add a keyword to the root each time you create a new password (e.g., <em>oxygen-meow!72!meow<\/em>); take a piece of paper and write <em>aqualung-cat<\/em> on it (i.e., something that you associate with the keyword and the root).<\/p>\n<p>From a classical cybersecurity perspective, that advice is far from ideal. Any security expert would yell, \u201cWhat are you doing, how can you advise people to write down part of their password?\u201d But it\u2019s actually highly practical \u2014 and the best advice is advice people will follow.<\/p>\n<h3>Compatibility<\/h3>\n<p>Training\u2019s compatibility with daily work is another sensitive issue. When someone at the top decides to \u201craise security awareness\u201d (and let\u2019s keep in mind that in most cases, the idea comes up after some sort of security incident), they put someone in charge and rest easy, certain that everyone will just drop everything and turn to cybersecurity.<\/p>\n<p>In practice, it\u2019s a lecture \u2014 a big, long affair that probably summarizes a topic or implements a \u201ccybersecurity week.\u201d Some employees will consider it an opportunity not to work; others will be nervous about pressing deadlines; and the rest simply won\u2019t get much out of it, because there\u2019s only so much information you can cram into your brain in a short period of time.<\/p>\n<p>At the end of it, employees will have completed training, so someone can check that off their list. But will there be a real result? 
Sure, some will feel shaken, and for a week or two they will remember to examine each incoming e-mail to guard against phishing attempts. But what will they remember in a month?<\/p>\n<p>That is why we try (in particular with our Automated Security Awareness Platform) not to overload people with information. A couple of small activities per week \u2014 lessons, tests, and simulations \u2014 give employees a digestible amount of information in bites small enough to fit into daily work, building a foundation for cybersecurity culture. And thanks to our platform, little administrative effort is required. You can read more about it on our <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">corporate website<\/a>.<\/p>\n<h3>Relevance and visualization<\/h3>\n<p>On this subject our position is direct \u2014 we work with people, not with faceless accounts. If the process isn\u2019t interesting, it will be quickly forgotten. And it needs to be relevant. We use a system of levels, each recommended for a group of employees with an area of responsibility in common. After all, why would we train someone who has no access to banking systems on resisting financial cyberthreats? Accountants, on the other hand, need a deeper understanding of those threats specifically. Moreover, first we explain why employees should know something, and only then give practical advice.<\/p>\n<p>Interactive simulations also go beyond giving simple information about threats and provide practical expertise. 
They also may be the best way to work with top managers, who may have extensive access but rarely agree to attend common training sessions.<\/p>\n<p>People perceive our <a href=\"https:\/\/www.kaspersky.ru\/enterprise-security\/security-awareness\" target=\"_blank\" rel=\"noopener\">Kaspersky Interactive Protection Simulation<\/a> not as some sort of education, but as a team-building event. Working together with staff to keep a simulated company intact, directors come to truly understand why the company needs protective measures, where to spend on defense, and how the company\u2019s income depends on cybersecurity. It is truly a unique experience.<\/p>\n<p>We are not the only ones thinking about the advantages of building a cybersecurity culture, not to mention modern and effective ways of conducting security training. Analyst firms are expressing similar ideas. Here, for example, is Forrester\u2019s report about <a href=\"https:\/\/go.kaspersky.com\/KL-forrester.html\" target=\"_blank\" rel=\"noopener nofollow\">security awareness<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cSecurity awareness\u201d means different things to different people. 
Here\u2019s what we mean when talking about this subject.<\/p>\n","protected":false},"author":2505,"featured_media":25730,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[3147,346,2556,3148],"class_list":{"0":"post-25729","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-asap","10":"tag-education","11":"tag-security-awareness","12":"tag-trainings"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/building-cybersecurity-culture\/25729\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/building-cybersecurity-culture\/22334\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/building-cybersecurity-culture\/10406\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/building-cybersecurity-culture\/22648\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/building-cybersecurity-culture\/18024\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/security-awareness\/","name":"security 
awareness"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2505"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=25729"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25729\/revisions"}],"predecessor-version":[{"id":34902,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25729\/revisions\/34902"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25730"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}