Awareness training: how can we promote an effective cybersecurity culture?
Published on: 10 02 2020 | Modified on: 18 12 2020
“Please update your password.” According to a 2019 HYPR study, 49% of employees who receive this message are happy just to tweak their old password. And so “p@$$W0rd2019” becomes “p@$$W0rd2020”, delivering no security improvement whatever for the information system: anyone holding the old credential, or a leaked copy of it, can guess the new one on the first try. So are we to conclude that prevention efforts are struggling to bear fruit?
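The year-bump habit described above is something a password-change endpoint can catch at the moment it happens, because that is the one point where the old and the new password are both available in clear. The following is an added example, not code from the article or from the HYPR study: it normalises both passwords (lower-case, undo common character substitutions, strip a trailing year or counter) and rejects the change when the result is essentially unchanged. The substitution table, the 0.8 similarity threshold and the sample passwords are illustrative assumptions, not values from the page.

```python
import re
from difflib import SequenceMatcher

# Illustrative subset of common "leet" substitutions (assumption, not an
# exhaustive table): applied to both passwords before comparison so that
# "p@$$W0rd" and "password" compare as equal.
_LEET = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

# Trailing run of digits/punctuation, i.e. the year or counter that gets
# bumped on every forced change ("...2019" -> "...2020", "...1!" -> "...2!").
_TRAILING_COUNTER = re.compile(r"[\d!?.#]+$")


def normalise(pw: str) -> str:
    """Reduce a password to its 'core' so cosmetic tweaks collapse together.

    The trailing counter is stripped BEFORE the leet translation, otherwise
    the '0's in '2020' would be turned into 'o's and survive the strip.
    """
    core = pw.lower()
    core = _TRAILING_COUNTER.sub("", core)
    return core.translate(_LEET)


def similarity(old: str, new: str) -> float:
    """Ratio in [0, 1] between the normalised forms (1.0 = identical)."""
    return SequenceMatcher(None, normalise(old), normalise(new)).ratio()


def is_trivial_tweak(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is the old one with cosmetic changes.

    Called at password-change time only; the old password must never be
    stored for this purpose. `threshold` is an assumed tuning value.
    """
    old_core, new_core = normalise(old), normalise(new)
    if not old_core or not new_core:
        # Degenerate input (e.g. all digits); let the length/complexity
        # checks elsewhere in the policy decide.
        return new == old
    if old_core in new_core or new_core in old_core:
        # Old password embedded in the new one ("p@$$W0rd2020x").
        return True
    return similarity(old, new) >= threshold


def check_change(old: str, new: str) -> str:
    """Policy decision a change endpoint would return to the caller."""
    if is_trivial_tweak(old, new):
        return "rejected: new password is a trivial variation of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample pairs, not data from any real system.
    for old, new in [
        ("p@$$W0rd2019", "p@$$W0rd2020"),
        ("Summer2019!", "Summer2020!"),
        ("p@$$W0rd2019", "correct-horse-battery-staple"),
    ]:
        print(f"{old!r:20} -> {new!r:32} {check_change(old, new)}")
```

The check runs alongside, not instead of, the usual length and breach-list checks; a rejection message that says why the change was refused is itself a small piece of awareness training, delivered at exactly the moment the habit shows up.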
Corporate cybersecurity is everyone’s business; but in reality, it's someone else’s problem. Beyond the technical tools involved, the staff awareness and education aspect is vitally important. And when it comes to getting staff on board, charters, rules of good conduct and other digital hygiene guides are doomed to fail if they are not conceived as part of a bigger, more engaging process. So what exactly is the miracle recipe for good cyberculture?
Awareness training is not yet a universal “given”
In the 2019 Stormshield/L’Usine Digitale study, initiatives to promote awareness of best practices top the list of cited measures for addressing cybersecurity challenges, but their implementation remains patchy: 28% of respondents do not invest in staff awareness training, or at least, not regularly.
Franck Gicquel, Partnerships Manager at Cybermalveillance.gouv.fr in France, confirms this unevenness: “The reality for a large group and for a micro-business is inevitably very different, with the latter relying on a service provider for its IT management: the micro-business is not always in a position to deliver awareness messages.”
On the other hand, a positive result from the study is that security aspects seem to be increasingly integrated into training sessions on new digital transformation tools (48%, a 9-point rise compared to the 2018 barometer).
The role of top management: setting examples or issuing sanctions?
The role of the company’s governing bodies is key because, as well as setting an example, they alone can require that awareness training be prioritised and allocate the necessary resources for this purpose.
However, top management is not always sufficiently mature to address these issues. This is why Gérard Leymarie, CISO of the Elior group, sees an urgent need for a change of approach by CIOs: “We need to get out of our “old school” ways of thinking and comfort zones, and become proactive in our efforts to convince the executive committee.” Franck Gicquel believes that converting the management team into ambassadors for cybersecurity issues means “delivering the same message via a variety of sources, increasing the chances it will be understood and adopted.”
There is also an expectation that top management will adopt a policy on possible sanctions relating to poor digital hygiene. With the GDPR, we are starting to see early hints of third-party legal sanctions. But with the exception of spectacular cases of poor managerial practice, experts agree there is a need to avoid overly directive approaches, as these are likely to provoke anxiety and have little effect in the long term.
“If we maintain a philosophy based on prohibition and punishment, we are perpetuating a view of the employee as a weak link in the security chain. And yet the whole point of awareness training is to make them the strong link!” Franck Gicquel says.
Theory without practice equals a wasted training budget
The desired result will certainly not be achieved by annual PowerPoint presentations or “cyberwashing”. The challenge is to positively incorporate best cybersecurity practices into everyday life. Here are some tips for how this could be achieved.
Breaking out of the box
“Repeat without being boring,” is the goal according to Franck Gicquel. To do this, he advises that awareness messages should be delivered not only by the IT department, but also by other company functions (business units, HR and other departments). Indeed, the Stormshield / L’Usine Digitale 2019 barometer shows that an average of three different main stakeholders are involved in implementing a digital project within the company. So it would seem sensible to share out the work of raising awareness. “This shows that it's everyone’s business, and it makes it possible to vary the tone, approaches and examples used to establish a genuine cyber culture.”
And to get as close to employees as possible, why not identify points of contact within operational teams? Whether on a departmental or team basis, these “security” contacts would occupy the roles of facilitators (and also of experts), ensuring that cyber messages and directives are known and understood by all employees.
Adapting to the target audience
To stimulate interest in this issue within a large company, an SME or indeed a school, it is vital to make use of specific business examples and make connections between the issues and personal experience.
Lightening the tone
The technique known as “croissantage” or “chocoBLAST” is a good example of this philosophy: an observant, non-malicious colleague uses an unattended, unlocked workstation to send a group email notifying everyone that its owner will be providing breakfast the next day. It’s a quick, simple way of introducing the basic concepts of digital hygiene in a company, starting with locking your session whenever you step away.
Measuring the effectiveness of awareness training
Lastly, it’s important to check the awareness message actually received by employees. In the case of Elior and its Hacking Diner operation (see below), the indicators in question are viewing statistics for the dedicated site, the security information feedback rate (a fourfold increase in under a year), and the success rate of attacks against the company.
Elior’s change of methods with the “Hacking Diner”
At the end of 2018, the French leader in contract catering rolled out a cybersecurity awareness campaign – the “Hacking Diner” – to its 110,000 staff.
It took the form of a video, accompanied by a dedicated website based on the Cybermalveillance.gouv.fr awareness training kit. Gérard Leymarie’s satisfaction is evident: “At a cost of under 50,000 euros, we managed to raise the level of internal awareness significantly.” “That’s because of the diversity of formats used and the involvement of general management and the CISO,” says Franck Gicquel. The campaign is also designed with the long term in mind, with new modules being added regularly to the hackingdiner.eliorgroup.net site. “Rather than a one-off operation, we opted instead to give people time to adopt the right patterns of behaviour, using a multi-episode campaign over time,” explains Gérard Leymarie.
Could this (at last) prove to be a template for raising awareness effectively? A strategy initiated by an IS department using effective communication, supported at a wider level by all company departments, with illustrations from business practice or real-life issues... What’s more, these awareness initiatives seem to add up to a genuine training process, in which all staff members have a role to play in improving corporate cybersecurity.