Awareness is not optional in cybersecurity

In many organizations, CISOs could find good reasons not to make cyber risk awareness a priority. That would be a mistake, given the growing importance of what is at stake.

Why is raising awareness so complicated?

The first reason is organizational. The CISO's job is cross-functional, which means that awareness-raising cannot take up all his or her working time. According to the 2020 edition of CLUSIF's "Threats and security practices in France" study, awareness-raising accounts for just 14% of the CISO's day-to-day work.

So CISOs first have to contend with a lack of time, sometimes compounded by budgetary constraints.

But beyond these considerations, the real challenge for CISOs when it comes to awareness-raising is the human element, which raises two difficulties.

  • Employee attitudes

There are those who think they already know everything, those who don't feel concerned by cybersecurity, and even those who refuse to follow instructions out of reluctance to change. Faced with this variety of behaviors and the irritation it can generate, it is not always easy for the CISO to stay calm and motivated!

  • The CISO's own posture

Raising awareness is like running an advertising campaign: you have to identify your targets, find the right message for each of them, and then choose the right channels. CISOs, however, still tend to come from a technical background, and may run into personal obstacles of their own (shyness, doubts about their creative abilities, etc.).


The stakes are becoming too high to ignore

Even if raising awareness of cyber risks is a challenge, CISOs must go for it! This is in fact the thrust of the second measure of ANSSI's computer security hygiene guide (Guide d'hygiène informatique), which reminds us how much awareness-raising contributes to establishing and maintaining a good level of security:

"Every user is an integral link in the information systems chain. As such, as soon as they join the entity, they must be informed of the security challenges, the rules to be respected and the correct behavior to adopt in terms of information systems security, through awareness-raising and training initiatives."

Raising awareness of these basic rules is all the more essential because working practices are evolving toward greater exposure of companies to threats of all kinds (source: CLUSIF MIPS study, 2020 edition, cited above):

  • 36% of companies authorize external access to their information systems from uncontrolled workstations (internet cafés, personal computers).
  • 70% of companies authorize employee access from personal smartphones or tablets (BYOD).
  • 71% admit to using external instant messengers (Skype, Messenger...).
  • 70% authorize the use of external social networks (Facebook, Twitter, LinkedIn...).

In practice, therefore, every employee in a company is liable, through carelessness or lack of awareness, to create vulnerabilities, and the list of bad practices is endless: passwords that are too simple or written on a sticky note, sensitive information disclosed on social networks, a laptop used without a privacy screen on the train, and so on.

Faced with such more or less deliberate lapses, the right answer is certainly awareness-raising, but more precisely intelligent awareness-raising.


CISOs must combine awareness, appropriation and acculturation

Like many projects involving change management, raising awareness of cyber risks is above all a question of taking small steps. But it's also a question of effectiveness: whatever the organization in place and the budgets allocated, awareness-raising only works if users feel concerned and responsible! To achieve this, CISOs have several levers to activate.


Finding support

Since cybersecurity is everyone's business, why should the CISO be the only person responsible for raising awareness? Here is the support the CISO can usefully seek, at different levels of the organization.

  • Top management

As part of the dialogue with management, every CISO is bound to raise the issue of awareness. Does the executive committee (COMEX) seem unenthusiastic about the subject? It is up to the CISO to find a workaround. Against the budget argument, the CISO can negotiate time slots instead, in which workshops or short talks can be organized at lower cost. Does the COMEX doubt the value of the proposed actions? No problem: the CISO can start the awareness work by trapping the executives themselves (for example with a USB key carrying a harmless, trackable file) and demonstrating by example what can happen when individuals let their guard down. Such an exercise should be agreed in advance with at least one sponsor, so that it is received as a lesson rather than a prank.

  • Communication department

How do you make a message about cybersecurity accessible, or even fun? What formats should be used? By talking to the communications department, the CISO has every chance of getting creative and technical help. The icing on the cake: this collaboration is also an opportunity to make the department aware of the risks that some of its own practices create for the company (engaging web agencies without informing the IT department, for example).

  • The HR Department

Cybersecurity is still largely presented as a constraint, most often in the form of an IT charter that employees sign when they are hired. However, many employees, even when they know they have committed to respecting the rules, tend to forget them very quickly... HR is therefore a valuable ally for the CISO, one that can be called on throughout the employee's career cycle (arrival, transfer, end of contract).

  • Security champions, or early adopters

Which managers are the most receptive to talks about cybersecurity? Who are the good students in their teams? The CISO must identify them, because these "champions" will carry out part of the evangelization mission on the CISO's behalf, spreading messages and best practices. As in marketing, the first individuals to adopt a new trend draw the silent majority, made up of people with a more "follower" temperament, in their wake... until the movement finally reaches the most resistant!


Use existing resources

Raising awareness doesn't have to be expensive to be effective. When faced with a lack of resources (and even time), CISOs should not hesitate to use existing awareness-raising tools, or to graft their actions onto those undertaken by other departments. Here are two examples:

  • Video campaigns: on YouTube, the public interest group ACYMA (Action contre la Cybermalveillance), better known as "Cybermalveillance", offers free awareness-raising videos on essential subjects (passwords that are too simple, closing security holes by applying updates, phishing, etc.).
  • Goodies: are you planning to hand out mouse pads, calendars or pens? These are inexpensive aids that the CISO can use to get brief messages across, and which employees will keep in front of them all day long.


Focus on what works!

The failure of cyber risk awareness campaigns often comes down to a poor choice of communication channel. CISOs therefore need to sort through the media and channels at their disposal, using the following criteria.

  • 1st level: simple, top-down information, by e-mail, newsletter, conference or poster. These methods are not very effective: without stimulation, employees tend not to retain the message... or even to listen to or read it.
  • 2nd level: information with a little more staging, for example with instructional video. More accessible than written content and more engaging, this format makes it easier to disseminate messages on a regular basis (for example, by running videos on screens in the break room) and makes a stronger impression.
  • 3rd level: experimentation, such as sending a booby-trapped file, so that employees can be shown afterwards why opening it could have endangered the entire information system. This level also covers "shock" operations, such as a live demonstration during a company event of a phone being compromised by a text message. Whatever the stratagem, the benefit is the same: employees feel involved because they have lived the experience, and are therefore more likely to remember the right behavior. Two caveats: the lure must be inert (a tracking link to an internal debrief page, never a real payload), and the exercise must be authorized in advance, with results used to educate rather than to single people out.
  • 4th level: gamification, or the use of serious games, based on experiential learning, with employees as full players. Original and interactive, this format represents a significant investment, but has the advantage of appealing particularly to Generation Y.

Finally, creating a visual identity is a plus! It will not only help employees to quickly recognize cybersecurity messages, but also to take ownership of the subject and integrate it more easily into their daily routine.
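One way to run the "booby-trapped file" exercise of the 3rd level without putting anything dangerous on employees' machines, as an added example that is not part of the original article or of Tenacy's product: each recipient's lure carries a per-recipient link to an internal debrief page, and the web server log is parsed afterwards to see who opened it and to report open rates per department. The campaign name, secret, tokens, log lines, addresses, departments and the mail-gateway address are all constructed here for illustration; in practice the secret lives outside the code and the individual results stay with the CISO for the debrief, while only aggregated rates go to management.

```python
"""Tracking for an inert phishing/lure exercise (added example, constructed data).

The lure points at https://intranet.example/lure/<token>. The token is an HMAC of
the recipient address, so one employee cannot guess another's link, and the
mapping token -> email stays on the CISO's side only.
"""
import hashlib
import hmac
import re
from collections import Counter

CAMPAIGN = "2021-03-lure"                      # constructed campaign identifier
CAMPAIGN_SECRET = b"rotate-this-per-campaign"  # assumption: kept out of the repo in practice
GATEWAY_IPS = {"10.0.0.250"}                   # constructed: mail gateway that pre-fetches links


def make_token(campaign, email):
    """Opaque 16-hex-char per-recipient token (HMAC-SHA256 truncated)."""
    mac = hmac.new(CAMPAIGN_SECRET, f"{campaign}:{email}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def assign_tokens(campaign, recipients):
    """Return the reverse map {token: email} used when reading the log."""
    return {make_token(campaign, e): e for e in recipients}


# Common log format line for a hit on /lure/<token>; anything else is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /lure/(?P<token>[0-9a-f]{16}) HTTP/1\.[01]" (?P<status>\d{3})'
)


def lure_opens(log_lines, token_to_email, gateway_ips=GATEWAY_IPS):
    """Return {email: timestamp_of_first_open} for recipients who opened their lure.

    Filters out: non-lure requests, non-200 responses, hits from the mail gateway
    (security gateways fetch links before the user ever sees them), and tokens
    that were never issued (scanners, typos, forged links). Repeat opens by the
    same person are not double counted.
    """
    opened = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        if m["ip"] in gateway_ips:
            continue
        email = token_to_email.get(m["token"])
        if email is None:
            continue
        opened.setdefault(email, m["ts"])
    return opened


def open_rate_by_department(opened, departments):
    """departments: {email: dept}. Returns {dept: (opened_count, recipient_count)}."""
    totals = Counter(departments.values())
    hits = Counter(departments[e] for e in opened if e in departments)
    return {d: (hits[d], totals[d]) for d in totals}


# Constructed recipients and log extract.
RECIPIENTS = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "marketing",
}
TOKENS = assign_tokens(CAMPAIGN, list(RECIPIENTS))


def _hit(ip, ts, token, status="200"):
    return f'{ip} - - [{ts}] "GET /lure/{token} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    _hit("10.0.0.250", "12/Mar/2021:09:00:01 +0100", make_token(CAMPAIGN, "alice@example.com")),  # gateway prefetch
    _hit("10.0.1.17", "12/Mar/2021:09:14:02 +0100", make_token(CAMPAIGN, "alice@example.com")),   # real open
    _hit("10.0.1.17", "12/Mar/2021:09:14:40 +0100", make_token(CAMPAIGN, "alice@example.com")),   # repeat, ignored
    _hit("10.0.2.9", "12/Mar/2021:10:02:11 +0100", "0123456789abcdef"),                            # never issued
    _hit("10.0.3.4", "12/Mar/2021:10:30:00 +0100", make_token(CAMPAIGN, "carol@example.com"), "404"),
    '10.0.3.4 - - [12/Mar/2021:10:31:00 +0100] "GET /favicon.ico HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]


def run_sample():
    """Process the constructed log; returns (individual opens, per-department rates)."""
    opened = lure_opens(SAMPLE_LOG, TOKENS)
    return opened, open_rate_by_department(opened, RECIPIENTS)


if __name__ == "__main__":
    opened, rates = run_sample()
    for email, ts in opened.items():
        print(f"{email} opened the lure at {ts}")
    for dept, (n, total) in rates.items():
        print(f"{dept}: {n}/{total} opened")
```

Only alice counts as an open: the gateway's prefetch, her second click, the unknown token and carol's 404 are all discarded, which is exactly the noise that inflates click rates when the raw log is read by hand.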

Discover Tenacy

Tenacy is the first cybersecurity management solution designed by CISOs to help CISOs in their organization. A SaaS-based, adaptable and collaborative platform, it not only makes it easier for CISOs to collect data from their teams, but also frees up their time so that they can devote more of it to core issues such as awareness-raising.

Contact us for a demo!