When every day is Cyber Security Awareness Month

What will possibly be left for you to talk about with your fellow employees once National Cyber Security Awareness Month (NCSAM) rolls around this October?  Since mid-March of 2020, every day has been cyber-awareness month for stressed-out end users and corporate cybersecurity teams.

If you work in security, you’ve probably spent the last 20 months gently – and repeatedly – reminding your suddenly-remote workforce about the dangers of phishing e-mails and the evils of public wi-fi.  As COVID-19 drove more and more employees to work from home, you’ve also probably banged the drum over and over again about why employees shouldn’t discuss sensitive topics on poorly-secured videoconferencing platforms.  You may have even sent out “all-employee” e-mail reminders about the risks of working in the presence of their always-listening smart speaker or even their own eavesdropping kids.  So…good luck coming up with something fresh for NCSAM this year, my security-team friends.

But here’s a modest proposal: this October, instead of focusing your security awareness efforts yet again on end-users, why not put your energy into “managing up” — and making senior leaders and other “security program influencers” the primary target of your educational outreach?

“Security program influencers” are the people who influence security budgets and priorities, who “own” business processes that can bring risk to the organization, and who will play an important role (whether they know it or not) when and if your company finds itself on the wrong end of a ransomware attack or a major compromise.

Here are two areas where you can influence the security influencers in your organization this October:

  • Incident preparedness:  When was the last time your organization dusted off its incident response plan and actually practiced it? This October, bring together (virtually, of course) the stakeholders and leaders who are (or should be) part of your incident response plan: key business line managers, Legal, HR, Communications, as well as your IT and security colleagues.  Verizon’s Incident Preparedness and Readiness Report found that only 57 percent of incident response playbooks are actually “rehearsed” annually, and many don’t even describe the roles that “non-IT” managers and executives play during a cyber crisis.  Get your key security program influencers into a Zoom-room for a tabletop exercise and take good notes about what went right — and what went painfully wrong. And then update your response plan and schedule the next practice session.
  • Error reduction:  Some business-line managers may be reluctant to change their processes because “we’ve always done it that way,” but those processes may be leading to errors that result in data leakage or stolen credentials.  Verizon’s 2021 Data Breach Investigations Report shows that “errors” – misdirected e-mails, misconfigured permissions to shared folders and the like – are one of three root causes in a large majority of data breaches.  Can e-mailing sensitive information to customers be replaced with a secure portal?  Do you really need to have certain information sent or received by fax?  (True story – earlier this year my kid needed to see a specialist at a local hospital, and they would only take our referral information via fax…fax! Which we sent three times – and was lost THREE times before it landed in the right hands. Lots of personal health information on that piece of paper.) Challenge your organization’s business line managers to put their processes under some overdue cybersecurity scrutiny.

Yes, you still need to communicate with end-users this coming National Cyber Security Awareness Month.  But given how often you’ve already wagged your awareness-finger at your organization’s employees since mid-March of 2020, why not turn your attention to the execs and other senior leaders this time around?  (And don’t forget to make the rest of the organization aware that you’re taking this approach.  They’ll appreciate knowing that you’re badgering the bigshots, too.)

(Note – I work for Verizon’s security team!)
