When I came into my current role, one of my first tasks was to overhaul our cybersecurity awareness program. The existing training was stale, but I generally disliked the new content the industry was creating. Most of it was clichéd, either too sci-fi or "hoodie guy in a basement" themed (the threat is real, so why are we making it look like a B-movie?). The alternatives went too far the other way and were too academic, covering the differences between a virus and a trojan when the staff just needed to know how to avoid malware, not how to perform forensic analysis.
The core of the new training I created was focused on these “must know” takeaways:
- How to recognize protected sensitive or confidential data
- How to safely handle, transmit or dispose of that data
- How to recognize and avoid attacks directed at them – social engineering / phishing
- How to report any suspected incidents or problems related to the above
Most importantly, we added automated and randomized phish testing to measure the effectiveness of the new program. There is no doubt that the program, and especially the phish testing, created measurable performance improvements. The phish testing results are now a key Board of Directors metric, tracking the effectiveness of the training program overall.
The staff now perform consistently well on the testing and are generally paranoid in a good way, even accurately flagging official corporate messages when they carry the warning signs and artifacts of phishing messages.
So – what next? How do we maintain or even improve their performance and awareness? We already had "Town Hall" events, often to contextualize and demystify the role of Information Security, and to expand upon the threats and risks we needed their help to combat. The staff were supportive (ok, free food and raffle prizes got them in the seats) and senior management was invested. All positive – but in cybersecurity, Momentum is Your Enemy: we couldn't rest, as our adversaries never do.
I will disclose that my wife is an executive leader within a large organization, and she used to drive me crazy when it came to cybersecurity in her personal life. Over time, I convinced her that password reuse is a legitimate sin and that configuring MFA is always a must. I am sure there was no chance she would treat her corporate systems as cavalierly as she treated our personal streaming accounts. But I could also see that the lateral move from her social media identity to her corporate systems was not a long one. I am sure she was similarly trained by her organization, but it did not translate to her personal life without my prodding.
Human Resources teams have already seen that the overall "Wellness" of employees benefits the organization, even when it extends beyond the "office walls". In cybersecurity, I think we must make the same transition. For the last several years, we have supplemented our core cybersecurity training to encompass whole-life awareness, which I call Cybersecurity Authenticity.
The reality is that large numbers of staff already have access to corporate data, probably in their pockets, nearly 24 hours a day. Flexible work, remote access and mobile devices (let alone social media, etc.) have already blurred the technical demarcations between personal and corporate. We know this when it comes to technically securing identity, systems and data. Yet most cybersecurity training still focuses on corporate data and systems. Even if we secure flex work and BYOD, it is still in the frame of corporate systems and data protection. Wouldn't risk be further reduced if the staff's behavior were improved even when they are not directly engaging with corporate systems?
To address this, we have added Cybersecurity Authenticity training to our overall awareness program, mostly at our Town Hall events. Cybersecurity Authenticity is focused on being safe at home, while traveling and while working remotely, and on protecting employees and their families online. Some topics we covered included:
- Dangers of Password Reuse
- Importance of MFA on personal accounts
- Privacy Settings on Social Media (the risk of “Too Much Information”)
- Updating personal devices frequently
- Free tools and services to use at home
- Phishing avoidance on personal social media and email accounts
- Cybersecurity for children and teens online
- ATM Fraud avoidance
- Juice Jacking and security while traveling
But most importantly, these sessions always focused on their personal lives: that their data, personal accounts and families were targets, and that the skills we taught them at work could, and should, be applied to their entire lives.
So – has Cybersecurity Authenticity improved our metrics? Right now, the evidence is still anecdotal. But when a staff member tells me that they educated fellow travelers in an airport lounge not to charge their devices from public USB ports, or tells me about a phishing email they avoided at home, I believe THEY feel empowered and engaged.
I’ll take it.