Security Awareness: 6 Factors that Get in the Way

Giving employees the tools for security awareness is essential. Many figures point to user error as the largest contributing factor in breaches and security incidents. Recent data from the International Association of Privacy Professionals (IAPP) finds the most common causes of unauthorized exposure of regulated data are unintentional or inadvertent mistakes.

Security awareness programs can minimize risk from user error. According to the InfoSec Institute, 50 percent of internet users receive at least one phishing email a day. In one study cited by InfoSec Institute, around 26 percent to 45 percent of employees were susceptible to phishing. With a security awareness program in place, that percentage decreased by 75 percent.

A recently released report from SANS reveals that while the security awareness field is still immature, several positive strides have been made in recent years. Among responses from 1,718 security awareness professionals around the world, 67 percent have the leadership support they need to run and maintain their programs. And 85 percent report their work has a positive impact on the security of their organization.

Still, the report also finds there are several factors getting in the way of awareness program maturity. These so-called “blockers” are what hold companies back from a robust program that keeps users on top of current and emerging threats.

What’s Getting in the Way of Awareness?

According to SANS, these are some of the factors holding awareness back.

Cost

Of course, purse strings are always tight, and lack of funding is a problem not only for security awareness but for security programs in general. Making the case for investment in a security awareness program requires security managers to consider carefully what drives ROI for their specific organization, and to build the case around that.

“Security awareness professionals need to do a better job of justifying those costs by not only demonstrating the impact, but also the value of that impact on the overall organization and its mission,” noted the report. “This can include analyzing costs due to past breaches, costs of compliance failure, and cost requirements due to any partner or customer security requirements.”

Operations

Because they can affect operations, awareness programs need to be mindful of that impact and kept simple to minimize disruption. Operational costs can include lost work time, the politics of mandatory training programs, and the complexity of running the programs themselves, according to SANS.

“In order to address the typical concerns around operational cost and disruption, there are two actions to consider,” noted the report summary. “One, simplify awareness programs wherever possible to minimize the operational impact to the organization. This includes minimizing the topics you focus on that have the greatest impact. Two, involve the operations team from the beginning of the planning process and consider adding them to your Advisory Board.”

Time

The report cites a lack of staff time as the No. 1 challenge faced by organizations with awareness programs. More than 80 percent of respondents reported spending less than half of their time on awareness programs, and most organizations treat security awareness as a part-time job. The report says awareness clearly ranks below other, conventional security roles such as incident response, security operations centers and endpoint security.

“Given the overall increase in security incidents involving human error, the trend toward understaffed security awareness programs is particularly concerning,” report authors said.

Lack of Understanding

If a company is fortunate enough not to have experienced a breach or incident (yet), there can be a clear lack of understanding of the need for awareness education. The report suggests using internal incidents and known “near-miss” events with a human component to drive home the message of the need for awareness training.

“You can use them as a teachable moment to help express how baseline cyber security awareness training programs can help mitigate the problems and are necessary to fill the gaps that security technology can’t,” said report authors.

Lack of Compelling Metrics

Even with investment in a program in place, unless the awareness team can offer examples of how the training helps, the program will stall. The report suggests awareness managers dedicate a set amount of time each month to collecting data on the impact and value of the awareness program and communicating it to leadership.

“A good starting point is 4 hours a month. That does not mean you spend 4 hours every month talking to leadership. It means you spend 4 hours every month collecting the data and success stories that demonstrate the impact your program is having, building an executive report or presentation that communicates in business terms, that your leaders value, what your program is doing.”

Lack of Leadership Buy-In

Without support from key leadership, the awareness program is in peril. As the report notes, the allocation of resources, enforceability of programs, identification of key program goals and overall maturing awareness programs all depend on support from senior leadership. Data shows a clear correlation between leadership support and program maturity.

When dealing with a senior leader who is a “blocker,” the report recommends looping in a senior executive who is a champion of the program and asking whether they have any suggestions on how to communicate the value of security awareness to other executives.

“Ultimately, the more support from the top down that an awareness program has, the better the likelihood it has of offering consistent culture change,” noted the report.

Joan Goodchild


Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
