
Cyber awareness: how to rise to the challenge?

While the ANSSI hygiene guide recommends raising user awareness of basic IT security best practices, the reality is enough to make CISOs tremble. According to the CESIN cybersecurity barometer published in January 2020, employees remain difficult to mobilize: 45% of companies believe that their employees do not follow the recommendations! So what solutions are available to CISOs to raise awareness and engage their teams?

October 27, 2020

WHY WE NEED TO RAISE CYBER AWARENESS

The ANSSI IT hygiene guide reminds us how important awareness is in establishing and maintaining a good level of security:

"Each user is an integral link in the information systems chain. As such, upon joining the entity, they must be informed of security issues, the rules to be followed, and the correct behaviors to adopt in terms of information systems security through awareness-raising and training initiatives."

This awareness of basic rules is all the more essential as practices are evolving in a direction that increases companies' exposure to threats of all kinds (source: CLUSIF MIPS study, 2020 edition):

  • 36% of companies allow external access to their IT systems from uncontrolled devices (internet cafes, personal devices);
  • 70% allow employees to access the network via their personal tablets or smartphones (BYOD);
  • 71% admit to using external instant messaging services (Skype, Messenger, etc.);
  • 70% allow the use of external social networks (Facebook, LinkedIn, etc.).

Employees of any company are therefore all liable, through carelessness or ignorance, to create vulnerabilities, and the list of bad practices is endless:

  • passwords that are too simple or written down on paper;
  • disclosure of sensitive information on social media;
  • using a laptop without a privacy screen when traveling by train...

WHY IT IS DIFFICULT TO RAISE AWARENESS ABOUT CYBER RISKS

The first reason is organizational. Since the role of CISO is cross-functional, cybersecurity awareness programs cannot take up all of their working time. According to the 2020 edition of the CLUSIF study "IT threats and security practices in France," this task accounts for only 14% of a CISO's daily work.

The CISO is therefore faced with a time constraint, which is sometimes compounded by budgetary constraints. But beyond these considerations, the real challenge for the CISO in terms of raising awareness is dealing with the human factor.

  • The attitude of employees

There are those who think they already know everything, those who don't feel concerned by cybersecurity, and even those who refuse to follow instructions because they are reluctant to change... Faced with such a variety of behaviors and the frustration they can cause, it's not always easy for the CISO to stay calm and motivated!

  • The role of the CISO

Raising awareness is like launching an advertising campaign: you need to identify your targets, find the right message for each of them, and then choose the right channels. However, most CISOs still have a technical background, which is why they may find themselves facing their own personal challenges (shyness, doubts about their creative potential, etc.).

As a CISO, how should you structure your cybersecurity awareness program?

Cyber awareness, like many projects involving change management, is a matter of small steps, but also of effectiveness: regardless of the organization put in place and the budgets allocated, it only works if users feel concerned and responsible! To achieve this, CISOs have several levers at their disposal.

Find support

  • Senior management

As part of the dialogue they establish with senior management, every CISO must address the issue of cyber awareness.

Does the subject not seem to interest the COMEX? It is up to the CISO to be resourceful! Faced with budgetary constraints, it is up to them to organize workshops or presentations at low cost.

Does the COMEX doubt the value of the proposed actions? Never mind: the CISO can begin raising awareness by setting traps for executives in a controlled exercise (for example, by sending them a USB drive) and showing them by example what can happen when people are not careful.

  • The communications department

How can cybersecurity messages be made accessible and even fun? Which formats should be prioritized? By communicating with the communications department, the CISO maximizes their chances of obtaining creative and technical assistance.

The icing on the cake: this collaboration is also an opportunity to raise awareness within the department about the risks that some of its practices expose the company to (such as using web agencies without informing the IT department, for example).

  • The HR department

Cybersecurity is still widely presented as a constraint, most often in the form of an IT charter that employees must sign when they are hired. However, many employees, even though they are aware that they have committed to complying with rules, quickly tend to forget them... HR is therefore a valuable ally for the CISO, who can call on them throughout the employee's entire employment cycle.

  • Security champions, or early adopters

Which managers are most receptive to discussions about cybersecurity? Who are the best performers in the teams? The CISO must identify them, as these "champions" will play a key role in spreading the message and promoting best practices.

As in marketing, individuals who are the first to adopt a new trend succeed in bringing the silent majority, made up of people who tend to be "followers," along with them... until the movement eventually reaches even the most resistant!

Use existing resources

A security awareness campaign does not have to be expensive to be effective. Faced with a lack of resources (and even time), CISOs should not hesitate to use existing awareness-raising tools or to link their actions to those undertaken by other departments. Here are two examples.

  • Video campaigns: on YouTube, the public interest group ACYMA (Actions contre la malveillance, or Actions Against Malicious Behavior) offers free awareness videos on essential topics (using passwords that are too simple, plugging security holes by performing updates, phishing, etc.).
  • Goodies: Does the company plan to distribute mouse pads, calendars, or pens? These are inexpensive items that the CISO can use to convey short messages, and that employees will see throughout the day.

Bet on what works!

The failure of cyber awareness campaigns is often due to the lack of relevance of the chosen means of communication. The CISO must therefore sort through the media and channels at their disposal, using the following criteria.

  • Level 1: simple, top-down information via email, newsletter, conference, or poster. These methods are not always effective: without stimulation, employees tend not to retain the message... or even to listen to or read it.
  • Level 2: information presented in a slightly more dramatic way, for example with educational videos. More accessible than written content and more engaging, this format makes it easy to disseminate messages on a regular basis (for example, by playing videos on screens in break rooms) and has a greater impact on viewers.
  • Level 3: experimentation, with practices such as sending a booby-trapped file, so that employees can then be shown why opening it could be dangerous for the entire IT system. This level also includes "shock" operations, such as hacking phones with a text message during a convention. Exercises of this kind must be authorized in advance by management (and, where applicable, legal and HR) and kept harmless to the targets' data and devices. Whatever strategy is used, the beneficial effect remains the same: employees feel concerned because they have lived through the experience and are therefore more likely to remember the best practices to adopt.
  • Level 4: gamification, or the use of serious games, which is based on learning through experience, with the employee playing an active role. Original and interactive, this format represents a significant investment, but has the advantage of appealing particularly to Generation Y.

Finally, creating a visual identity is a plus! It will enable employees to quickly spot cybersecurity messages, but also to familiarize themselves with the concept and integrate it more easily into their daily lives.
