Should security departments be responsible for cyber awareness?

…I thought it was genuine…

Last week a friend sent me this…

A WhatsApp message stating if I clicked I’d get £75 of Costa vouchers.

At this point I hadn’t come across the scam. But something seemed odd. My friend would never say ‘you can thank me later’.

So, my reply was: ‘friend, I assume you didn’t send this and it’s a scam???’.

Ah, she says, ‘I thought it was genuine’.

This friend works for a local council, handling very sensitive PII and personal financial information!

After executing a mini-awareness campaign amongst my group of friends, and sorting out whether she’d released any personal data, it got me thinking: how big is this problem?

Immediately three more stories sprang to mind:

  • A networking meeting where the head of a £5million business asks me ‘what’s GDPR?’
  • A call from the Police Cyber Crime Unit. ‘Can you help me run an awareness session for local businesses? The coffee shop on the high street just lost £30k to a CEO fraud, and it looks like they’re going out of business’.
  • My in-laws call in a panic. ‘Is there anything we can do? A friend has just been tricked out of £15k. The bank won’t repay it because she gave her two-factor-authentication code away freely.’

And I bet everyone reading this has a similar collection of tales.

So, a pretty big problem huh?

What about the cyber skills of people outside security departments?

For as long as I remember the word ‘cyber’ being used, the words ‘cyber-skills-shortage’ have accompanied it. Frequently we discuss the skills-shortage in terms of ability to recruit the right people. Training people quickly and effectively. And ways to attract a more diverse workforce.

But what about people outside of security?

I don’t intend to debate whether these people should have an increased knowledge of cyber. That debate is over and comes with a resounding yes. The question is how, and who pays for it.

Should you be paying to educate employees on cyber?

To date, almost exclusively, large corporates have led the way. And it hasn’t been easy. It’s taken hard-working, savvy, brave leaders to fight for board approval. Painstakingly trying to identify RoI metrics for security awareness campaigns. Even so they often get left with ‘two-and-six’ to spend on an employee awareness programme that’s supposed to perform the miracle of behaviour change!

This is dissatisfying at best. However, since 99% of UK businesses are SMEs, we’re left with a terrifyingly gigantic swathe of people who get nothing!

Should it be down to you to foot the bill for this global lack of awareness? I don’t think you should be paying for it. I don’t even think you should be responsible for it. Not exclusively anyway.


What if cyber awareness wasn’t on your job description?

Imagine a world where your employees already had a basic understanding of cyber. Where they were kept up-to-date on emerging threats. Where they came to work with a culture of security that they demonstrated through their behaviour. Where they suggested improvements, helped you identify weaknesses and integrated security into their processes, projects and product designs.

What difference would that make?

I believe it’s possible to have a future where the majority are cyber savvy. I believe if we join our skills, experience and resources it is possible to make this a shared responsibility.

I’ve started with a few suggestions, but I’m interested in hearing your ideas and about initiatives that are already in place:


Membership bodies/organisations – what if membership bodies and organisations provided cyber security education as part of their membership fees?

Recruiters – what if you could choose to use recruiters who upskilled candidates before their start date?

Retailers – what if retailers selling smart devices provided cyber awareness for their customers?

HR – what if the HR team was responsible for identifying individual and company cyber training requirements?

Government – what if Government was providing easily accessible support and grants for smaller businesses and charities?

Educational Establishments – what if educational establishments were identifying the UK’s broad cyber learning needs?


Vendors/MSP/Resellers – what if vendors, MSPs and resellers were sharing their knowledge and learning materials?

Security Departments – and then what difference would it make to you, if you were only responsible for teaching company specific practices and advanced skills?

So, are we serious about ‘killing it’ when it comes to cyber security? Do you see a future where the majority, rather than the few, are cyber savvy? If so we must do something different.


What we need – I’m calling for vendors, recruiters, membership organisations, MSPs, Government, education establishments, HR teams, et al. Between us we have the knowledge, materials and skills to make change happen. So let’s do something that makes a difference.


I’d like to know:

1 – What are the benefits of widening the responsibility for cyber security education?

2 – What ideas do you have for who could get involved?
