October is Cyber Security Awareness Month; and therefore, the perfect opportunity for individuals and businesses to learn about the importance of having a strong security culture. The idea originally stemmed from the United States and is now becoming widely adopted in many countries across the world, including the EU and here in the UK. This year, the EU Cyber Security Month celebrates its 10^th Anniversary around two themes: Phishing and Ransomware. We highlighted the issue of ransomware in our last insight which you can read here.

85% of cyber breaches are directly related to human behaviour (either falling for a Social Engineering attack or human error) but only 3% of security budgets are spent directly on the problem (Carpenter & Roer 2022). It’s a shocking statistic when you think about it: we’ve tried to change human behaviour by implementing tooling and hoped that this would be enough to protect our organisations. Although security tooling is important, if an attacker can get round those defences 85% of the time, then something’s missing.

As with most things, measurement is important; we need to understand how effective our efforts and investments have been if we are to see change and continue to make progress. Typically, awareness programs measure things like attendance at in-person training sessions, computer-based training completion rates, and the number of phishing emails sent vs the number opened. What these measurements don’t tell us is the performance against a particular goal or objective. We recommend starting with the question ‘what are we trying to do?’ this when developing a training programme. Hayden (2010) explains the GQM (Goal, Question, Metric) method in his book IT Security Metrics. This approach starts by defining a Goal – what you are trying to achieve – then setting a Question – what you need to know – followed by a Metric – what you can measure to determine your performance.

For example:

• Goal – Reduce the amount of data we hold, that would increase a fine from the Information Commissioner’s Office (ICO) in the event of a data breach.  
• Question(s) – 1) Where do we store data? 2) How long do we keep data for? 3) What is the retention period for each data set
• Metric – 1) Volume of data in each store, 2) Percent of data that is destroyed vs percent of data that is not destroyed in accordance with the data retention policy, 3) Volume of data at each Information Classification level

“Security competence is exactly that – a competence that must be learned, not just something you tell.”

Kai Roer (2015)

What can you do?

Protecting your customers, your data, and your organisation is at the core of cyber security; and educating everyone in your organisation is foundational to those purposes. Here’s a few ideas for where you might want to start:

• Conduct security and privacy awareness training. This must be aligned with your organisation’s culture, otherwise it won’t work. We’ve all had instances where we’ve been told one thing but then seen another in the organisation. If your awareness program tells people to do something that cannot easily be done, or is demonstrably not being done in the organisation, then it won’t be effective.
• Use all the resources at your disposal. If you are responsible for security awareness, draw on the communications team, the marketing team, online resources, technical personnel, and others to ensure your efforts are effective. You may best understand how to protect the organisation, but by using the marketing skills available to you, you can craft an impactful message that your users listen to.
• Take a look at our high-level 4 step approach to changing your security culture.
• Look after your employees’ welfare. Consider their personal lives and how you can best protect them. If your employee is worried about an elderly relative who has just been scammed out of their savings they won’t be as effective at work, so provide advice and guidance beyond what your company needs.
• Give staff time. If you want them to create and use strong passwords, allocate time during your awareness sessions for them to do just that. Don’t send them away at the end back to their desks or their home offices where they’ll jump straight back into work and get so busy, they don’t have time to do it.
• Prepare your teams to respond to cyber incidents and other disasters. When you’re under attack or your office has flooded is not the time to be figuring out how to respond. Practice beforehand, talk it through, test your assumptions and learn from your errors. Don’t be afraid to make mistakes!

Remember, cyber security awareness is for life, and not just for a month. All it takes is one moment, one mistake and all your hard work can be undone. ‘Semper Vigilans’ = ‘Always Vigilant’. If you’d like to have a conversation about how we can help you implement an awareness program, or you’re interested in our certification courses contact Jim at jim@principledefence.com