Security awareness building

Cyber attackers often rely on human behaviour, such as clicking on links or downloading and opening or executing files, to obtain valid credentials or access to a network or system. Reports show that 82% of all breaches involve a human element, which means your people play a key role in making sure that your organisation and its information are kept secure.

Alongside implementing technical controls, investing in your people’s security awareness and training is a long-term commitment to improving the security of your organisation. It’s critical that your people understand the security risks your organisation faces so they can play their part in the protection of your systems. You can empower them to do this by providing appropriate security awareness training, programmes, and tools.

Purpose

The intent of this control is to ensure that your organisation provides adequate security awareness and training to your people and creates a positive security culture.

Measuring success

Security awareness building is an ongoing journey that should be factored into your organisation’s priorities. The goals of this control are:

  • Your people are provided with a simple, standardised way to report potential security issues and incidents.
  • Your people can identify phishing emails and common scams.
  • Your people are familiar with your incident response plan, what is required from them, and how to report potential security issues and incidents.
  • Reported issues and incidents are followed up by your security team and your people are informed of the outcomes.
  • Your organisation has an ongoing security training and awareness programme which keeps people up to date on expected reporting processes, current threats, and issues.

Security awareness: key takeaways

  • Make it easy to report potential security issues.
  • Educate your people on the process to report potential security issues and how to use the security reporting tools you have provided.
  • Encourage people to report potential issues, even if they are unsure.
  • Don’t blame victims. Don’t stigmatise mistakes. Almost all the time, people are as much victims or targets of attacks as organisations are.
  • Increase trust and collaboration within your organisation across all services.
  • Ideally, everyone is a security champion and is invested in the identification and active reporting of threats to your networks/systems.
  • Involve your people when practising your incident response plan so that they know what to expect if an incident occurs. Communicate your incident response plan and any expectations to your people, and ensure the plan is accessible.
  • Run regular security awareness campaigns. They let your people know why cyber security is important, what you’re doing to keep the organisation secure online, what this means for them, and what you need them to do. Security awareness should not be a once-a-year tick-box exercise.

Advice for implementation

Creating an effective security awareness program