User Awareness


Users have a critical role to play in their organization’s security, so it is important that security rules and the technology provided enable users to do their jobs as well as help keep the organization secure. This can be supported by the systematic delivery of awareness programs and training that build security expertise and help to establish a security-conscious culture.

Summary

People should be at the heart of any cyber security strategy. Good security takes into account the way people work in practice, and doesn’t get in the way of people getting their jobs done. People can also be one of your most effective resources in preventing incidents (or detecting when one has occurred), provided they are properly engaged and there is a positive cyber security culture which encourages them to speak up. Supporting your staff to obtain the skills and knowledge required to work securely is often done through the means of awareness or training. This not only helps protect your organization, but also demonstrates that you value your staff, and recognize their importance to the business.

What is the risk?

Users have a critical role to play in helping to keep the organization secure, but they must also be able to do their jobs effectively. Organizations that do not support employees with the right tools and awareness may be exposed to the following risks:

  • Removable media and personally owned devices: Without clearly defined and usable policies on the use of removable media and personally owned devices, staff may connect devices to the corporate infrastructure, which can lead to the inadvertent import of malware or the compromise of sensitive information.

  • Legal and regulatory sanction: If users are not made aware of, and supported in, how to handle particular classes of sensitive information, the organization may be subject to legal and regulatory sanction.

  • Incident reporting culture: Without an effective reporting culture there will be poor dialogue between users and the security team. That dialogue is essential for uncovering near misses and areas where technology and processes can be improved, as well as for reporting actual incidents.

  • Security Operating Procedures: If security operating procedures are not balanced against how users actually perform their duties, security can be seen as a blocker and may be ignored entirely. Conversely, if users follow unworkable procedures to the letter, legitimate business activity may suffer.

  • External attack: Because users hold legitimate accounts and access rights, they are a primary target for external attackers. Attacks such as phishing and social engineering rely on abusing the capabilities and functions that legitimate users already have.

  • Insider threat: Changes over time in an employee’s personal situation could make them vulnerable to coercion, and they may disclose personal or commercially sensitive information to others. Dissatisfied employees may try to abuse their system-level privileges, or coerce other employees, to gain access to information or systems for which they are not authorized. Equally, they may attempt to steal or physically damage computer resources.

How can the risk be managed?

Produce a user security policy: Develop a user security policy as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration for the different business roles and processes they affect; a ‘one size fits all’ approach is rarely appropriate. Policies and procedures should be described in simple, business-relevant terms with limited jargon.

Establish a staff induction process: New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions for their employment, or contract, should be formally acknowledged and retained to support any subsequent disciplinary action.

Maintain user awareness of the security risks faced by the organization: All users should receive regular refresher training on the security risks to the organization. Consider providing a platform for users to enquire about security risks and discuss the advice they are given. On the whole, users want to do the right thing, so giving them guidance to put security advice into practice will help.

Support the formal assessment of security skills: Staff in security roles should be encouraged to develop and formally validate their security skills through enrollment in a recognized certification scheme. Some security-related roles, such as system administrators, incident management team members and forensic investigators, may require specialist training.

Monitor the effectiveness of security training: Establish mechanisms to test the effectiveness and value of the security training provided to all users. This will allow training improvements and the opportunity to clarify any possible misunderstandings. Ideally the training provided will allow for a two-way dialogue between the security team and users.

Promote an incident reporting culture: The organization should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination. This should be reciprocated with a culture where security professionals acknowledge that security-related effort by non-security staff is time away from their work, and is helping to protect the organization.

Establish a formal disciplinary process: All staff should be made aware that any breach of the organization’s security policies may result in disciplinary action being taken against them. All sanctions described in policy should be enforceable in practice.

What are the benefits?

  • increased trust and loyalty to your organization

  • earlier detection of those incidents that are often not picked up by technology

  • an environment where individuals feel safe (and are encouraged to raise problems and voice new ideas early), which will make your organization more effective

What should you do?

Encourage senior leaders to lead by example

  • Encourage senior leaders to set the tone when it comes to cyber security. If senior leaders ignore security policies and processes, or ask for ‘special treatment’ in some way (such as requesting a different device from those issued as standard), it signals to everyone else in the organization that senior staff don’t consider the rules fit for purpose, and that it’s acceptable for staff to try to bypass policies.

Build effective dialogue with your staff

  • Talk to your staff, understand what their job involves on a day to day basis, and try to understand their perspectives, workflow and pressures in order to learn what barriers there may be to performing certain activities. It is only by knowing about and understanding what may be preventing people from following security procedures and practices that you can work to remove those barriers. Learn from this knowledge to help improve your systems and ensure people can do their jobs effectively.

  • Ensure people with the knowledge of local working environments are included in security policy making. Ensure that policies and processes are fit for purpose and proportionate, and that you provide routes for people to challenge processes that don’t work well for them in practice. Organizations where people feel safe challenging the way things are done are known to be more innovative, and better able to cope with the unexpected.

  • Establish processes by which issues can be reported within the organization, and ensure that people know what these processes are and are encouraged to report issues. Build up trust within your organization by listening to reported issues, responding positively to them in a fair manner and then involving your staff in the process of rectifying the issue. Many incidents are only ever detected by people, and if they feel they trust the organization then they are more likely to report when they suspect something is wrong. Early detection of incidents is crucial in limiting the impact.

  • Don’t stigmatize mistakes, and prevent individuals or teams from being singled out for blame; doing so will make people more reluctant to report incidents in the future. Any security incident should be regarded as an opportunity for improvement, both for the individual(s) involved and for the organization.

Consider running security awareness campaigns

  • Acknowledge that the effects of awareness campaigns may take time to appear. Allow enough time to pass before analyzing the impact of any awareness work.

  • Ensure that your messages are relevant to your staff and tailored to your organization. Communicating messages that are irrelevant, unachievable or that negatively impact their ways of working will not have the desired results, and may do harm, since it shows a lack of appreciation of your staff’s needs. If people are having to find workarounds to your security processes and controls to get their jobs done, they most likely already know they are breaking the rules, and more awareness isn’t going to help without fixing the underlying issues.

  • Focus on positive messages about what your staff can do to help, rather than just the consequences of doing something they shouldn’t. Using fear, or focusing on threats, to motivate staff behaviors doesn’t work well; in fact it can have the opposite effect, leaving people feeling disengaged.

  • Understand that awareness is only the first step. Making people aware of the risks and what to do about them doesn’t mean they will perform those behaviors, or are able to. Closing that gap may require more work to understand any technical or cultural barriers, and potentially the development of an alternative solution that works for your organization.

  • Ensure senior leadership are involved in the awareness campaign. If it’s obvious that they are not following the messages (through their actions or otherwise), then this will quickly undermine the campaign’s effectiveness.

Tailor cyber security training to address your needs

  • Understand and prioritize the cyber security knowledge and behaviors that individuals in your organization need before developing or procuring any training solutions. If you are looking at buying ‘off the shelf’ training, make sure it meets your requirements and will work well alongside your organization’s technical security controls.

  • Highlight the benefits of training to your staff, and be clear about how the training will help not only them but also the organization as a whole. This will help show your staff that they are valued by the organization, building a sense of loyalty. Staff who care about the organization they work for are more likely to want to help it achieve its goals. From a security perspective this may materialize, for example, as staff volunteering to report the security workarounds they have to use in order to get their work done.

  • Deliver training in small, frequent chunks. Consistent small messages are more digestible and more effective than an hour-long session once a year. Listen to the feedback that your staff provide about recent training programs, and use this information to adapt future programs.

  • Avoid repetition: the same training video used year after year will lead staff to think little importance is placed on the training. If staff think that senior managers have given little thought to the training, those participating will not be fully invested.

  • Ensure trainers have sufficient knowledge of the subject and can relate it to the trainees’ everyday work. If trainees think they know more than the trainer (or perceive them to be out of touch), they will question the importance of the training and why someone more appropriate couldn’t be found to deliver it. Consider asking senior management to champion the training.