Lance Spitzer has a short list for teaching security awareness. At the top of it is this: If you want people to take security seriously, personalize it.
“Don’t talk about how it affects the corporation,” he said. “Start with how they can protect their kids online and their own mobile device. Let them see what’s in it for them.”
Spitzer, training director for the SANS Securing the Human Program, wove that thread through his brief presentation at the SANS Security Leadership Summit Wednesday in Boston titled “Your Security Awareness To-Do List.”
Brevity, he said, is one of the elements of training that appeals to employees. While most organizations have security awareness programs, they are both unpopular and “immature, because they were developed by auditors for compliance. We want to take it to the next level and change behavior and, ultimately, culture,” he said.
That, he said, involves three key principles:
Focus on limited key topics.
“The ‘Human OS’ is not very good at remembering a lot of different things, and you have limited time and resources,” Spitzer said, “so focus on the fewest behaviors that will have largest impact.”
For his program, he said, a “human risk analysis” yielded a “top seven” list: Vulnerability to phishing attacks; poor password security (not that they are too simple, but that they are being shared or re-using the same one for various sites); failing to patch or update devices; sharing too much on social media; not realizing you are a target; and accidental data loss or exposure.
That last one, he said, is caused frequently by auto-complete on email. “You meant to email Dave in accounts payable, but instead you accidentally emailed Dave, your kid’s soccer coach,” he said.
Spitzer said the latest Verizon Data Breach Incident Report, released just recently, “matches perfectly with what we have here when it comes to human risks. The key is that with fewer topics, you’re more likely to change behavior.”
A primary question he gets from organizations, Spitzer said, is: “How do we reach people?”
And the simple, effective answer, he said, is to “focus on how people benefit – 70%-80% of an awareness program also applies to people’s personal lives.”
The reality, he said, is that in the modern work environment, where people are working in multiple locations (including their homes) with multiple devices, their personal information is also at risk.
“Bad guys are targeting people at home,” he said, “so it’s not like they need one set of behaviors at home and a different one at work. It’s the same across both. You want to make security part of their DNA.”
Awareness takes repetition, Spitzer said, but it won’t be effective if it’s overdone. “You need to communicate regularly through the year to reinforce key behaviors,” he said, “and we recommend that you touch people monthly. Quarterly is not enough, but weekly is too much – it starts to become noise.”
The other key, he said, is to offer different ways for workers to consume that training. Different generations have different preferences, he said – boomers might want lunch-and-learn events or newsletters, while younger workers would prefer webcasts and social media.
Also, let workers consume training on their own schedule. “If you schedule an event, 10% might show up – everybody’s busy,” he said, “but when you offer it on their own schedule, it’s more successful.”
Finally, don’t ignore awareness updates either, he said. “Your technology, standards and threats are constantly changing,” he said, “so you should update your content at least once a year, or more often if there’s something critical.”