Security Awareness Lacks a Rogues Gallery - joining the dots

‘Joining the Dots’ for Effective People-Centred Cybersecurity

At Layer 8 we find ourselves talking to people about cyber security every day, and it’s rare that we meet someone who isn’t passionate and committed to doing a better job of securing personal and business assets from a data breach, phishing and ransomware. Our conversations tend to fall into two categories; we provide workshops for end-users on a range of cyber security topics; we also spend a lot of our time talking to security professionals about developing effective security culture, founded on proactive security behaviours.
“We all want better cyber security.”
The conversations in both cases are remarkably similar. Sure, security professionals can provide the broad perspective, they understand the whole spectrum of risks more clearly, and they know the limitations of budget and resources. But what they share with end-users is a desire to make things more secure, to safeguard the data of their customers, and to find solutions for things that aren’t currently working. The trouble is, security teams rarely collaborate with everyone else. We know they’re missing out on opportunities to pool resources and create a stronger cyber security defence.
3 attempts to join the dots between security teams and end-users
We want to share three initiatives we’ve helped to drive, all of which had the common aim to join the dots and get security teams and end-users working together.
#1 – End-users become part of the cybersecurity team

We often encounter an ‘us and them’ mentality. This hinders any attempt to improve cyber security behaviours. End-users complain that initiatives lack a proper understanding of what it’s like ‘on the frontline’ and feel powerless to initiate practices that would make a real difference. One of our customers has overcome the divide by inviting every colleague to become a member of the cyber security team. Most importantly, everyone has a contact number for a named member of the security team should they need to report an incident, suggest improvements, or get help on local issues. Once a direct line of communication was set up, incident reports increased substantially, collaborative working started to compete with standard practices, and regional weaknesses were identified and dealt with quickly.
#2 – End-users want to talk about cybersecurity…

… but they resent taking time out of their hectic schedule to listen to others preach. They actually want to be included in the conversation. Imagine having a passion for music, but only being allowed to sit and listen as someone explains the chromatic scale. Colleague feedback from our Layer 8 Live workshops always include comments like “Great to have the opportunity to talk about this”, but we also regularly read: “Will wait to see if anything comes of our suggestions for improvements”. We recommended leveraging Cyber Security Awareness Month to enable one of our customers to organise a cyber security surgery: five minute slots for colleagues to have a conversation with someone in the security team. They were a tad cynical about the uptake, but they were surprised to see that 75% of the slots were booked within 24 hours and the conversations that took place significantly contributed to kick-starting culture change in their organisation.
#3 – End-users know where the vulnerabilities are

You’d be surprised about the depth of concern end-users express about secure working practices.
Our Layer 8 Live workshops always close with a checklist of three headings for participants to complete:
1. Organisational actions required to enhance cyber security.
2. Departmental actions required to enhance cyber security.
3. Personal actions required to enhance cyber security.
We always see thoughtful, detailed responses, and a general consensus in the group. Most people already have the answers; they simply don’t have the means to communicate on these issues in the workplace.
We find that enabling direct communication with the security team makes way for a massive step in engaging employees in the conversation about cyber security. More often than not, the foundation for a more effective frontline defence already exist, but the dots need to be joined up in order to set it in motion.
We talked more on this subject in our webinar ‘Creating an Effective Security Champions Network’, broadcast back in March 2017. Download the recording here {hyperlink this whole sentence}.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

READ MORE

View our other posts and insights

Scroll to Top