How to Cultivate Security Awareness
Your IT policies and procedures are pristine. All of your software is up to date, and your firewalls are first class. Wait — did Shirley in Accounting just open a link to a cat video from an unknown sender and accidentally expose your network to a virus?

Maybe Shirley attended the early morning meeting four months ago, in which everyone was subjected to a 50-slide PowerPoint presentation on security, but honestly, it was boring. The information wasn’t as sticky as the doughnuts you used to entice them to be there.

Even though your organization has defined its security goals and documented internal controls, one crucial piece is still missing: employee buy-in. While organizations often turn their focus to outsider threats, many experts agree that security awareness training has been underestimated in today’s technological landscape — particularly since 91 percent of cyber attacks start with a spear phishing attack.

So how do we get Shirley to be a security champion?

Create a cyber security culture.

For complete buy-in, direction needs to come from the top, be consistent, and be blameless. Remember: the success of a security awareness program is measured by the positive habits it helps employees form. The goal is to shape behaviors that become second nature. Send weekly newsletters with interesting facts, or highlight an employee’s success in thwarting an attack. Create dynamic, interactive content that builds on employee knowledge. Keep in mind that there is no deadline for an effective security awareness program. It’s an organic process that takes time and dedication.

At Securance, we offer social engineering assessments, such as email phishing, phone pretexting, baiting, and tailgating to reveal weaknesses in security awareness and physical controls. We document any flaws we identify and provide actionable recommendations for remediation, so our clients’ employees become a strong line of defense against security breaches.