Three common mistakes you are making with your security awareness programme


Despite the vast budget and resources invested in cybersecurity, breaches are still commonplace and increasingly impactful. When these incidents are analysed, there is a shared factor—the controlling technology is undermined by human action. This can include staff handing out credentials, facilitating unauthorised requests, falling for spoof emails, and simply running malware at the behest of an attacker. 

When the World Economic Forum states that 95% of security breaches occur because of human action, it is clear that security awareness throughout your organisation is imperative. Yet despite years of activity, more still needs to be done.

About the author

Andrew Rose is a Resident CISO for the EMEA Region at Proofpoint.

There are three connected things you may be doing that can hinder your security programme and steps you can take to improve your position.

Step 1: Get creative with your programme’s name

As simple as it sounds, you may have named your security programme incorrectly. 

We all focus on security awareness and build “security awareness programmes” for our organisations, but that isn’t what we really want. Our true desire is more than just to improve awareness—it is to change behaviour. Calling our programme “security awareness” encourages us to focus on the wrong outcome. After all, if our real aim is to stop people smoking, we wouldn’t call our initiative the “be aware of the risks of smoking campaign.” 

This is an easy fix—change the name of your programme. Decide on the real outcome you desire and name the programme appropriately: ‘Security Behaviour Change’, ‘Build Security Culture Programme’, and so on. You will be amazed by the difference such a small change can make, because the new title will constantly return your attention to what you are really trying to achieve.

Step 2: Learn your ABCs

The second mistake is related to the first. All too often programmes decide they can change the culture of the organisation by increasing the amount of awareness training undertaken by staff. That simply won’t happen. Culture is not the same as ‘lots of awareness’. 

There is a maturity model I use—“ABC”—meaning Awareness, Behaviour, Culture. Each is a step, building on the previous one. Critically, there is a pivot at each—a change of focus required to transition from one level to the next. 

Let’s assume we already do ‘Awareness’. To pivot to ‘Behaviour’ you need to focus on making sure that staff understand the consequences of cybersecurity, both personally and professionally. Once staff have both awareness and motivation, they are much more likely to display the correct behaviour. There is science behind this simplified approach, and I’d recommend you devour the wisdom of Professor BJ Fogg’s behaviour model.

Once ‘Behaviour’ is on the road to achievement, then ‘Culture’ becomes your goal. The pivot for culture is the creation of a wide-ranging perception that everyone around the business cares about security (note that I use the word ‘perception’—it doesn’t have to be true initially—this is a real case of ‘fake it till you make it’!). Create that perception by tuning your communications plan to ensure that security messages arrive from across the organisation—from execs, from receptionists, and especially from middle and line managers. Indeed, almost from everyone except the CISO. This will build a perception in each staff member that everyone around them cares about security, and that will create peer pressure for them to act in similar ways. This is the crucible of culture.

Step 3: Punish only when necessary

The key step to mature to the ‘Behaviour’ level mentioned above is creating a motivation to change behaviour. Motivation can be encouraged in several ways, and one is to create a fear of punishment or embarrassment if staff make an error or fail a security test. 

Many security professionals have strong opinions on this matter. Some believe that negative consequences must be avoided at all costs. Others use them as their first and easiest motivational tool. Both are a mistake, and the best path forward lies between the two.

Security teams that are swift to punish will lose the support of the masses and become perceived as the organisational traffic cop. You may be providing a service, but at the expense of agility, flexibility, and pragmatism—all things modern organisations require in abundance. It will make staff less likely to approach you with concerns, vulnerabilities, and ideas. Each punishment places another brick in your ivory tower. 

However, the organisation I’ve seen with the lowest click rate for their phishing tests had both a negative consequence model and an accessible and well-liked security team. How did they manage that? It’s all about timing.

When first introducing a consequence model, it should be focussed solely on reward for doing the right thing. Only once the organisation moves from the ‘Behaviour’ maturity level to the ‘Culture’ maturity level should the negative consequence model be considered. At that point you have a solid level of support across the business, and the negative consequence model can be positioned as the last stage, implemented to motivate those few laggards who are not aligned with the culture that the rest have embraced. The implementation is the same, but the messaging is completely different. 

In an age where identity is the new attack surface and people are so fundamental to our cyber defence, security culture becomes an essential control which every CISO should be prioritising. Addressing these three common problems will make a remarkable difference to your security programme and lower the risk of a successful security breach via your user base.

Andrew Rose is a Resident CISO for the EMEA Region at Proofpoint. His focus is driving Proofpoint’s people-centric security vision, strategy and initiatives amongst the company’s customer base.