Organizations around the world provide security awareness training for their employees. Normally this is provided for new starters and then a refresher every 12 months or so, to ensure that their employees are able to access corporate systems and applications without the threat of anything bad happening to them like, for instance, ransomware.
It’s not going very well, is it?
Go to a cyber security expo, whether in person or virtual, and there will be two themes touted: either you need more tech, or you need to be able to communicate with the board. The tech is a separate issue that demands its own attention, but for now I want to focus on the message to the board, as we cyber security people do get this wrong.
The members of the board are not there by default. These people are leaders in their chosen fields and are aware of their responsibility to the success of their organization and, just as importantly, to the success and welfare of its employees. They have an understanding of security practices and, like us, are overwhelmed with the frequency of ransomware attacks occurring almost daily. They have invested time and effort to provide security awareness training to their staff. This is something that organizations have been doing for many years. It was common practice 20 years ago.
The problem here is that organizations are providing this training for their employees at a time when everyone has access to the internet. Not just board members and employees, but their siblings, their children, their cousins, their neighbors. Consider the following…
Aimee is seven years old and wants to look at ponies. Her mom lets her get on her iPad and Aimee clicks on an app that takes her to a website where she can look at ponies. She gets a banner that says ‘We use cookies for metrics and to collect information for our marketing and analytics. Are you okay with this?’ Poor Aimee is now having to deal with words and acronyms like analytics, marketing, GDPR, enhancement, functional and other words with many syllables. The only word she recognizes here is cookie. She asks her mom, ‘Mom, the iPad wants a cookie, do we have any in the cupboard to crumble up and push through the hole on the side?’
All Aimee wants to do is look at a pony. Nothing more. And yet she is being overwhelmed by all of this. She will not receive any formal security awareness training until she is much older and employed, or at a university where she will have access to many libraries with different classification levels. Frankly, I think it is terrible that websites choose to frighten children like Aimee with things like GDPR. The poor girl will be scarred for life.
With this in mind, is it any wonder that organizations are so overwhelmed when they are the champions of security awareness? This has to change.
I was at an event last year with James Stanger, Chief Technology Evangelist and all-round good bloke at CompTIA, where I raised this for the first time. I have been involved with law enforcement in North America through my work with NuVida Data Forensics to run programs in schools to educate students on cyber bullying and cyber security awareness. After talking with James, I became convinced that security awareness needs to be more formalized and to target kids at school. As cyber security professionals, we need to ensure we push governments to develop programs that can become embedded as part of the school curriculum.
One of the reasons why I chose to join Lisa Ventura at the UK Cyber Security Association is to promote change in exactly this area, and to work with her, with education, and with government organizations to bring about this change. I believe it should be a core mission for the UKCSA to champion change in this area, and I am keen to help make this happen.
It is no secret that kids, teenagers and young adults are using a plethora of platforms to communicate, network and share. We need to give them the tools and knowledge to protect themselves from a much earlier age, and own the responsibility as a community to ensure security awareness is paramount for everyone, not a requirement for corporates to comply with.
Author Biography – John Rouffas
John is a Non-Executive Director for forensic and risk startup companies and is presently a Senior Director with Ankura. He has worked with critical infrastructures in the United States and the UK, helping bridge the gap between OT and IT security. He is known for developing security operations centres for US agencies and has been a CISO for a major telecom as well as for startup companies in energy and fintech.