10 AWARENESS AND TRAINING

In this chapter, we cover steps that an organisation can take to ensure that users are better prepared to make use of cyberspace, and to understand not only the issues they may encounter in doing so, but also their responsibilities to the organisation itself.

For the most part, the user is one of the greatest security liabilities in any organisation. They rarely act deliberately, but they often cause unintended damage that creates untold problems for the IT and security support staff. Their actions (or inactions) may release information, or allow it to be released, but this is often because the organisation has not trained them to recognise and respond appropriately to information security events.

Some – but not all – of this can be corrected by educating and training the users in good security practice, making them aware of the risks that they will face when using both their own and the organisation’s systems.

The ‘not all’ referred to above covers two different aspects of human behaviour – first, when the user simply forgets or ignores their training, and second, when they are carrying out some act in a very deliberate manner, either to cause loss of the organisation’s information (selling it to a competitor for example) or to cause damage or loss as an act of revenge.

Making users aware of the threats, vulnerabilities and impacts that they may face is therefore an essential precursor to training.

There is little that the organisation can do to ensure that users never make a mistake, although as a means of reducing the likelihood, one organisation in which the author worked levied a small financial fine on staff who left their computer unattended or left sensitive documents on their desk.

Preventing or reducing the likelihood of information theft or damage to systems and information can be achieved to a certain extent by implementing strict access control mechanisms and by introducing monitoring software that builds a baseline of normal user behaviour, looks for anomalies against it and raises an early warning if something out of character is detected. Banks and credit card companies adopt a similar approach as a means of early detection of fraud and will often contact a customer immediately if they appear to be making purchases that do not match previous spending patterns. Such monitoring is a detective control rather than a preventive one: it needs a representative baseline, and its thresholds must be tuned so that the false alarms it produces do not swamp the genuine ones.
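As an added illustration of the behavioural-monitoring idea described above (example code written for this edit, not taken from the book or from any particular product), the block below builds a per-user baseline from a constructed activity log and flags later events that fall outside it. The log format, the users, the byte counts and the thresholds are all assumptions chosen for the example; a real deployment would take its baseline from weeks of genuine telemetry and tune the thresholds against observed false-positive rates.

```python
"""Minimal behavioural-anomaly check over constructed activity logs.

Each log line is "<ISO timestamp> <user> <action> <bytes>". A per-user baseline
(hours of activity, mean and spread of bytes per event) is built from a known-good
period; later events are flagged when they deviate from that baseline.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs): a few days of ordinary activity for two users.
BASELINE_LOG = """\
2024-03-01T09:05:00 alice file_download 2100
2024-03-01T11:40:00 alice file_download 1800
2024-03-02T10:15:00 alice file_download 2300
2024-03-03T14:02:00 alice file_download 1950
2024-03-04T09:30:00 alice file_download 2050
2024-03-01T08:55:00 bob file_download 500
2024-03-02T09:10:00 bob file_download 650
2024-03-03T16:45:00 bob file_download 480
2024-03-04T13:20:00 bob file_download 600
"""

# Constructed events to score: one normal, one at an unusual hour, one volume spike.
NEW_LOG = """\
2024-03-05T10:00:00 alice file_download 2000
2024-03-05T02:30:00 alice file_download 2100
2024-03-05T15:00:00 bob file_download 90000
"""


def parse(log_text):
    """Turn the text log into (timestamp, user, action, bytes) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def build_baseline(events):
    """Per user: the set of hours seen, plus mean and population stdev of bytes per event."""
    hours = defaultdict(set)
    sizes = defaultdict(list)
    for ts, user, _action, nbytes in events:
        hours[user].add(ts.hour)
        sizes[user].append(nbytes)
    return {
        user: {
            "hours": hours[user],
            "mean": statistics.fmean(vals),
            "stdev": statistics.pstdev(vals),
        }
        for user, vals in sizes.items()
    }


def score(events, baseline, hour_slack=2, z_threshold=3.0):
    """Return [(event, reasons)] for events that deviate from the user's baseline.

    Unknown users are flagged outright. Otherwise an event is flagged when its hour is
    more than hour_slack away from every hour in the baseline, or its size exceeds
    mean + z_threshold * spread, where spread has a floor of 10% of the mean so that a
    very regular user (tiny stdev) does not trigger on trivial variation.
    """
    alerts = []
    for ev in events:
        ts, user, _action, nbytes = ev
        reasons = []
        b = baseline.get(user)
        if b is None:
            reasons.append("no baseline for user")
        else:
            if all(abs(ts.hour - h) > hour_slack for h in b["hours"]):
                reasons.append(f"hour {ts.hour:02d} outside usual window")
            spread = max(b["stdev"], 0.1 * b["mean"])
            if nbytes > b["mean"] + z_threshold * spread:
                reasons.append(f"{nbytes} bytes vs usual ~{b['mean']:.0f}")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


def run():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score(parse(NEW_LOG), baseline)


if __name__ == "__main__":
    for (ts, user, action, nbytes), reasons in run():
        print(f"ALERT {ts.isoformat()} {user} {action} {nbytes}: {'; '.join(reasons)}")
```

Run as a script it reports two alerts: alice's 02:30 download (unusual hour, normal size) and bob's 90,000-byte transfer (usual hour, abnormal size); the 10:00 download by alice matches her baseline and is not reported. The two checks are deliberately independent so that an analyst can see which dimension of the baseline was violated.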

Although it may appear obvious, it is worth stating that awareness and training are two different but inter-related concepts. Awareness provides users with the information they need in order to avoid making mistakes, while training equips them with the skills they require to deal effectively with challenging situations when they arise.

This chapter focuses mainly on changing people’s behaviour, so that instances of people-related cyber-attacks can be reduced.

AWARENESS

Awareness of cyber security issues permits users, both individually and as a community, to act as a first – or indeed a last – line of defence in combating cyber-attacks. It is never a one-off activity and should be considered an integral part of personal development, while remaining a rather less formal activity than training.

An awareness programme allows people to understand the threats they face whenever they use a computer; the techniques used by social engineers to achieve their goals; the vulnerabilities faced by them or by their organisation; and finally the potential impacts of their actions or inactions.

This doesn’t imply that it is necessary to turn everybody into cyber security experts, but that a basic level of understanding is required, similar to that in driving a car – we need to know how to operate the vehicle, the rules of the road and the dangers we face, but we do not need to understand how the engine management system works. At a fundamental level, you should always lock your computer screen when leaving it unattended, remove any printed material that is in any way sensitive, and lock your desk.

As with any process, there are a number of discrete steps in an awareness programme:

  • Plan and design the programme:
    • select the most appropriate topics for awareness, such as email etiquette, correct handling of information assets or password security;
    • make a business case to justify any expenditure;
    • develop a means of communicating with the users.
  • Deliver and manage the programme:
    • develop the materials and content;
    • implement the awareness campaign.
  • Evaluate and modify the programme as necessary:
    • evaluate the campaign’s effectiveness;
    • improve and update the material with new information.

Like many other aspects of working life, awareness is a journey, not a destination, since new people will join the organisation and need to be included in the programme, and new threats and vulnerabilities will arise.

The campaign should also provide continuous reinforcement through such things as poster campaigns and pop-ups when people log on or access the internet.

The general trend of user engagement in the programme should be along the lines of:

  • initial contact with the user community – letting them know that something will be happening in which they will need to become involved and providing a general idea of what the programme will be all about, so that their expectations can be managed;
  • further understanding of the programme, so that they appreciate what the implications will be for them;
  • timely engagement, so that they begin to understand that there is a new way of working;
  • acceptance by users, in which the user community begin to work in the new way;
  • full commitment to new ways of working, so that they do not revert to their old ways;
  • evangelism, in which they encourage others to follow their example.

Ways of overcoming obstacles to awareness programmes

It is easy to assume that once an awareness programme is underway all will go to plan, and that the organisation need only react to problems as they arise. If forewarned about some of the likely issues, however, the organisation can have a contingency plan in place and react much faster.

Some of the issues that organisations may face include:

  • Initial lack of understanding. When the awareness programme is initiated, it is vital that the communication that goes out to the relevant audience explains not just what the organisation expects to achieve, but also why it is undertaking the work. This will greatly aid acceptance of the programme.
  • The introduction of new technology which complicates a programme that is already underway. Changes in the IT infrastructure can either enhance the ability to deliver the message or complicate it. As long as people from the IT function are involved in the awareness programme, the team should know about such changes before they arrive and can either build them into the programme or work around them.
  • One size never fits all. Every organisation is different, and there are no standard methods of operating an awareness programme, and even within one organisation the different types of audience may have different requirements. Also, there will be a considerable difference in both the size and the scope of an awareness programme between one for a large organisation and one for an SME.
  • Trying to deliver too much information. Many users in an organisation will be non-technical, and so the focus of the programme must consider that the more technical aspects of cyber security could overwhelm them. It is essential to keep the focus on what the audience needs to know and not try to extend the delivery of information to be too technical. Less is more.
  • Ongoing management of the programme can become a challenge. If this becomes the case then the probability exists that the programme will flounder due to lack of support from those areas of the organisation that are involved in its delivery, and therefore senior management commitment must be assured.
  • Follow-up failure. This can and will cause problems for the programme, since it is vital that the team understand how well the message has been received, understood and acted upon by the target audience. Regular monitoring and reviews are essential to delivering a quality programme.
  • Inappropriate targeting of the subject matter. This can have a negative effect on the programme, since groups within the organisation may be receiving some awareness information that has little or no impact on their role, while others are not receiving information that would be essential to their daily activities.
  • Ingrained behaviours. These are a constant challenge in this kind of programme. Some people will always challenge the programme, saying, ‘We’ve always done it this way and it has always worked, so why should we change?’ Any organisation running an awareness programme must expect this kind of response and must develop sound arguments against it.
  • Some people will take the view that security is the responsibility of the IT department. It is essential that they are disabused of this notion at an early stage and throughout the ongoing campaign. Cyber security is everybody’s problem and is not restricted to one department.

Programme planning and design

The process commences with the establishment of a small team who will develop and run the programme. Some of them will naturally have a degree of expertise in information security, while others may represent those parts of the organisation that might suffer serious impacts in the event of a cyber-attack. It may also be beneficial to involve the internal audit function, who may be able to offer constructive advice, since a programme such as this may well be audited at a later stage, and from personal experience I can attest that it’s always good to have audit on your side.

The team’s initial task will be to define the exact goals and objectives of the programme, and this will include whether the target audience is to be the whole organisation or just a small part as a pilot project. This latter option may be a much more beneficial approach, since it should be able to achieve its objectives on a small and therefore less costly scale before the programme is widened to include everyone.

In the initial part of the programme, the target audience might also be limited to one particular type of user, such as:

  • employees working full-time in the organisation’s premises. These are frequently the kind of users who will benefit the most from receiving cyber security awareness training;
  • home-based users, who will have similar but slightly more complex needs. Due to the different requirements for connecting into the organisation’s network, these users may require a slightly higher level of understanding of the issues at stake;
  • third-party users, such as contractors, outsourced staff and suppliers who require connections into the organisation’s networks in order to undertake their work;
  • system administrators and IT support staff, who will already have at least a general appreciation of the issues;
  • management-level users, who may be responsible for in-house employees or home-based users, and who need to understand how cyber security issues will affect their departments;
  • senior executive users, who will be responsible for making many of the business decisions that could well be targets for a cyber-attack.

Alternatively, the organisation may decide to target a cross section of users from different groups so that the overall organisational benefits can be seen, rather than solely those for a particular community.

Some topics will have greater relevance to particular target groups, such as the issues of social engineering, which may possibly be more relevant to staff who have regular contact with customers and suppliers than to those who do not. This does not imply that those who do not have as much external contact should not be included in that aspect of awareness, but that they might gain less from it.

Next in the development of the programme, the team must clearly identify the topics that will be covered. It is pointless trying to cover all aspects of cyber awareness, since this will simply overwhelm the audience; instead, the programme should focus initially on a very tightly defined subset such as usernames and passwords, spam email or social engineering. The campaign can be widened at a later stage once the results of the earlier work have been examined and the techniques used have been refined where appropriate.

The methods of communicating the message to the user community will vary considerably, and may well consist of some or all of the following:

  • posters, which can be placed where staff can easily engage with the message, such as meeting rooms and other shared areas. Some posters might have a humorous focus in order to lighten the message, while others could be somewhat darker;
  • newsletters, which can be delivered by desk-drop in office buildings, or by email for offices and home workers alike;
  • giveaway items such as coasters, coffee mugs, key fobs and mouse mats, which continue to reinforce the general message for as long as they are used;
  • screensavers, which might display a variety of messages, and which could be changed either at regular intervals or when a new message must be given out;
  • intranet websites that provide helpful advice, examples of good and bad cyber security behaviour and links to additional informative material and training;
  • fact sheets and leaflets, which may be particularly relevant to a group within the organisation, to the whole organisation or to its business sector;
  • presentations at team meetings, in which a guest speaker talks for a few minutes on a hot topic and takes questions about the whole awareness programme, keeping the presentation ‘short and sweet’;
  • computer-based training (CBT), which delivers a more detailed level of knowledge, and may be a mandatory requirement for certain users’ work. This might include data protection legislation, for example.

Once this part of the work is complete, the team may well have to approach the senior management team or board of directors to obtain funding approval, since it is unrealistic to expect that the work can be undertaken at no cost.

As with all business cases, the approach should focus on the likely impacts that will occur if the work does not proceed, as well as the benefits that will accrue when it does. This is another reason for keeping the initial part of the campaign to a reduced volume of information, since the costs will be lower, and the board should find it easier to give approval. Success at this early stage will then make it much easier to obtain board approval for further expenditure when the campaign moves on to cover more aspects of cyber security awareness.

The costs can be more easily identified if they are broken down into manageable areas, for example:

  • the hourly costs of staff who are engaged in delivering the awareness campaign as well as those who will be on the receiving end;
  • development costs, including development and maintenance of any intranet websites or the production of materials such as posters and newsletters;
  • promotional costs, such as giveaway items including branded pens, coffee mugs, key fobs, mouse mats and the like;
  • training costs, where external trainers are brought in to deliver all or part of the awareness campaign.

Some of these will be one-off costs, while others will be recurring, and the board will expect that these will be clearly identified.

It should also be possible to attempt to quantify the potential impacts, since the directors of organisations will need to be certain that the programme will deliver value for money and will wish to understand the consequences of not undertaking the exercise.

Potential impacts include the direct financial losses anticipated if a particular incident occurs, such as lost sales revenue and the expenditure incurred in responding to and recovering from the incident. They also include indirect losses such as share value, brand and the organisation’s reputation; these are rather more subjective in nature, but still require consideration.

Delivery and management of the programme

Although we have called this an awareness campaign, it actually goes further than this, because awareness is only the first stage in which the target audience is made aware of what they should know and when they are likely to need the information. This may be delivered in a variety of ways, for example by printed material, email, electronic newsletters and intranet portals for those organisations having more sophisticated resources.

The campaign then moves up a level so that the target audience gains an understanding of why they need to be involved and how best they can participate. This may include raising awareness topics at team meetings and delivering specific presentations on the subject matter.

Evaluation and modification of the programme

Finally, the results of the earlier work can be measured and the campaign’s effectiveness evaluated. As the campaign develops and widens its scope, the organisation will expect to see the benefits in fewer successful cyber-attacks and fewer negative impacts on its information and systems.

The team must ensure that the entire exercise has been carefully documented, and that they can demonstrate the resulting benefits at the end of the pilot project so that more of the organisation and additional areas of cyber security awareness can be addressed.

Once presented back to the board, success should breed success, and the team should be better placed to move on to raising awareness for the wider organisation or in more topic areas. The board presentation should focus on both the financial and non-financial benefits, and the value to the business itself and also to its external stakeholders, including suppliers and customers and the sector regulator if applicable. It should be completely honest about both the overall costs and the potential impacts of not progressing with a full rollout.

Once the board have given their commitment for this, the pilot user group should be given acknowledgement for their involvement, as this will not only reinforce the importance of the programme but will encourage others to become actively involved.

TRAINING

As mentioned earlier in this chapter, awareness and training are two entirely different, but interconnected, concepts. While awareness places cyber security issues firmly in the minds of the user community in an organisation, training will deliver very specific and often highly targeted information to those individuals or groups who have a specific requirement for it.

Training, and especially highly technical training, can be costly, but as with awareness it has a direct payback in terms of reducing the number of incidents and the potential financial impact on the organisation.

Cyber security training falls into two distinct categories:

  • Generic training, in which the underlying concepts of cyber security are explained, and which gives a sound appreciation of the issues. This may be required by those managers who are responsible for specialist security design and operational staff.
  • Specialised cyber security training, in which very specific skills are taught to a limited audience such as those security staff who manage the organisation’s security infrastructure.

Appendix D lists a number of sources of cyber security training and suggests appropriate topics.

A few final points to consider

In the case of product- or technology-specific training, it should be remembered that technology changes at an alarming rate, so updated courses will undoubtedly become necessary as time progresses. The requirement for ongoing budget allocations for this should be factored into the cost estimates when preparing business cases.

One method of reducing training costs is by identifying those staff who already possess training skills, and who can pass on their knowledge to others. This ‘train the trainer’ approach can work well when budgets are limited, although it may not be the best solution if the people who are intending to deliver the training are inexperienced in how to train others.

The business cases for both generic and specialised cyber security training will need to be developed and presented case by case, in a similar manner to those for the awareness programme. Where the awareness business case focused on the benefit to the organisation as a whole from reaching every user, a training business case should instead focus on the benefit to the organisation from meeting the specific needs of individual specialists, and on the areas of the business in which those specialists will deliver that benefit.
