Seven mistakes to avoid when managing your information security awareness program

23 October 2019

Farah Chamseddine, Manager, Cyber

Organisations of all sizes across various industries are experiencing information and cyber security incidents and breaches where human error is the prevailing cause.

These attacks are tarnishing the reputation of their business, disrupting their operations and services, and causing significant financial loss.

According to the latest BDO and AusCERT Cyber Security Survey results, phishing attacks are the most common incident experienced, even though more than 60% of participants had implemented a cyber security awareness program. So why might information security awareness programs be ineffective, and how can you improve your organisation’s program?

Here are seven mistakes that should be avoided when rolling out an information security awareness program to ensure its effectiveness and success.

1. Senior management is not committed to the program

Action is needed from senior management to promote a security-aware culture. It is important to highlight that everyone plays a role in cyber security and protecting the business. You can educate your employees on cyber security threats, risks, and countermeasures, but they also need to understand the significant impact they have on the organisation’s performance.

Changing the culture takes time and effort and requires continuous improvement. If the board is not satisfied with the results of the program, it needs to recognise that the solution is to update the program based on lessons learned, rather than to stop the project.

Additionally, senior management needs to lead by example. Consider this: if the CEO insists on bypassing the internal identity verification procedure to unlock their account, the helpdesk agent may conclude that circumventing policies and procedures is acceptable. Executives can demonstrate their commitment to cyber security by having a key decision maker (e.g. a C-level executive) send the email that launches the education program. Senior management also needs to support other relevant manager roles in the organisation in promoting an information security culture within their areas of responsibility.

2. Program is not risk driven

Teams and departments have different business functions and may, therefore, encounter different threats and risks. An organisation’s finance team could be targeted to issue fraudulent bank transfers (i.e. a business email compromise attack), while the customer service team might be targeted by scammers pretending to be an internal employee in order to gain unauthorised access to systems. That is why it is essential to consider whether the training provided to your organisation is fit for purpose. For instance, training aimed at security guards protecting restricted areas will not be useful for software developers, who need to know secure coding principles.

Consequently, it is important to understand the assets you are trying to protect, identify the possible threats and risks, and then customise your material for the relevant audience. This ensures your audiences are familiar with the scenarios presented and can relate to the advice and countermeasures you are trying to deliver.

3. Overwhelming your audience

When organisations realise the need to deliver awareness training, they often try several methods at once to improve the information security culture. This can overwhelm employees to the point where they cannot digest and comprehend the messages the program is trying to deliver. Limit the number of topics discussed. This will enable you to focus on providing enough detail to cover each topic thoroughly, and then to provide supporting real-world examples and scenarios. It is therefore best to cover a few topics every four to six months, rather than launching the program with all the modules and running it every one or two years. Additionally, avoid overwhelming your employees with technical terminology, as your target audience may have different backgrounds and levels of experience.

4. Unattractive presentation of content

If you want to captivate and inspire your audience, your training content needs to be visually appealing. Even if your training and awareness content covers new trends and interesting tips, powerful visuals should be used to engage the audience – avoid generic imagery (e.g. a person in a hoodie behind a laptop), as it does not stand out and does not hold your employees’ attention. This is a great opportunity to promote the program by involving people from other departments, such as marketing or media, to help keep the content fresh and attractive.

5. Wrong KPIs to measure program performance

If you have conducted a number of phishing exercises and only 10% of your targets failed the test, this does not necessarily reflect a mature level of awareness among your employees, as your phishing emails may be too easy to detect compared to the sophistication of real-world attacks. It may only mean that many people recognise standard phishing emails. Try to use phishing scenarios that resemble your employees’ daily processes (e.g. financial transactions for the finance team), environment (e.g. free coffee from a nearby café), and job description (e.g. a project management course for project managers).

It’s also important not to target everyone in the organisation at once, as this inflates the apparent success rate. A large percentage of your employees may not even have regular email access if they work offsite. If such targets do not take the bait, the measured awareness level is inaccurate, as these employees may still be susceptible to other social engineering methods. The solution is to target specific teams and departments one at a time with relevant social engineering techniques, which will give you results that pinpoint areas for improvement.
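The two measurement pitfalls above (counting staff who never received the simulated email, and not segmenting by team) can be made concrete in a few lines. The script below is an added example written for this page, not from the article or from BDO; all employee records and team names in it are constructed, and the "delivered" flag stands in for whether an in-scope employee actually has regular email access.

```python
"""Per-team phishing simulation metrics.

Added example (not from the article): shows why an organisation-wide click
rate overstates awareness when many in-scope staff never received the
simulated email, and how segmenting by team pinpoints where to focus.
All records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ExerciseResult:
    """One in-scope employee's outcome in a simulated phishing exercise."""
    team: str
    delivered: bool   # False for staff without regular email access (e.g. offsite)
    clicked: bool     # followed the link in the simulated email
    reported: bool    # reported the email through the internal channel


def _rate(numerator: int, denominator: int) -> Optional[float]:
    """Rate as a float, or None when nobody in the group received the email."""
    return numerator / denominator if denominator else None


def naive_click_rate(results: Iterable[ExerciseResult]) -> Optional[float]:
    """Click rate over everyone in scope, delivered or not (the inflated view)."""
    rows = list(results)
    return _rate(sum(r.clicked for r in rows), len(rows))


def overall_click_rate(results: Iterable[ExerciseResult]) -> Optional[float]:
    """Click rate over employees who actually received the simulated email."""
    delivered = [r for r in results if r.delivered]
    return _rate(sum(r.clicked for r in delivered), len(delivered))


def team_metrics(results: Iterable[ExerciseResult]) -> Dict[str, dict]:
    """Per-team counts and rates, computed only over employees who received the email."""
    by_team: Dict[str, List[ExerciseResult]] = defaultdict(list)
    for r in results:
        by_team[r.team].append(r)
    metrics: Dict[str, dict] = {}
    for team, rows in sorted(by_team.items()):
        delivered = [r for r in rows if r.delivered]
        clicked = sum(r.clicked for r in delivered)
        reported = sum(r.reported for r in delivered)
        metrics[team] = {
            "in_scope": len(rows),
            "delivered": len(delivered),
            "clicked": clicked,
            "reported": reported,
            "click_rate": _rate(clicked, len(delivered)),
            "report_rate": _rate(reported, len(delivered)),
        }
    return metrics


def teams_needing_attention(metrics: Dict[str, dict], threshold: float = 0.2) -> List[str]:
    """Teams whose delivered-based click rate is at or above the threshold, worst first."""
    flagged = [(team, m["click_rate"]) for team, m in metrics.items()
               if m["click_rate"] is not None and m["click_rate"] >= threshold]
    return [team for team, _ in sorted(flagged, key=lambda pair: -pair[1])]


def _make(team: str, in_scope: int, delivered: int, clicked: int, reported: int) -> List[ExerciseResult]:
    """Constructed records: the first `delivered` employees got the email, the first
    `clicked` of those clicked it, and the last `reported` of those reported it."""
    rows = []
    for i in range(in_scope):
        got_mail = i < delivered
        rows.append(ExerciseResult(team, got_mail,
                                   got_mail and i < clicked,
                                   got_mail and i >= delivered - reported))
    return rows


# Constructed sample: two office teams, a mostly offsite team, and a team with no email.
SAMPLE_RESULTS = (
    _make("finance", 5, 5, 2, 1)
    + _make("customer_service", 5, 5, 1, 2)
    + _make("field_operations", 10, 2, 0, 1)
    + _make("security_guards", 2, 0, 0, 0)
)


def _fmt(rate: Optional[float]) -> str:
    return "n/a" if rate is None else f"{rate:.0%}"


if __name__ == "__main__":
    print(f"Click rate over everyone in scope: {_fmt(naive_click_rate(SAMPLE_RESULTS))}")
    print(f"Click rate over delivered only:    {_fmt(overall_click_rate(SAMPLE_RESULTS))}")
    for team, m in team_metrics(SAMPLE_RESULTS).items():
        print(f"  {team:17s} delivered {m['delivered']:2d}/{m['in_scope']:2d}  "
              f"click {_fmt(m['click_rate'])}  report {_fmt(m['report_rate'])}")
    print("Focus next round on:", teams_needing_attention(team_metrics(SAMPLE_RESULTS)))
```

With the constructed data, the organisation-wide figure is about 14% (3 clicks out of 22 in scope), but only 25% of the people who actually received the email resisted incorrectly, and the per-team view shows finance at 40% while the security guards were never measured at all. Tracking the report rate alongside the click rate gives the positive indicator needed for the recognition emails discussed under point 6.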

6. Not updating your employees on program results

If you engage your employees, they will attend training, read internal education pieces and report phishing emails. They will also wonder how they are performing, so it is important to provide them with the results of phishing exercises and an opportunity to provide feedback. This empowers and inspires them to make a change.

Another way to keep employees engaged is to send emails of recognition and appreciation. Did a team achieve a 100% attendance rate? Did an employee report a phishing test? Let their department and other teams know, to drive awareness and improvement.

7. Creating a culture of fear around information security

Picture one of your employees clicking a malicious link and entering their username and password, only to realise it is a fraudulent webpage. What is more important: punishing the employee, or learning about the mistake so you can respond appropriately and contain the incident?

Focusing on the negative consequences will drive employees to hide their mistakes. Employees need to feel confident and supported in reporting suspicious activities they observe. This can be achieved by educating employees about the importance and benefits of incident reporting, and providing them with the right channels to report incidents (e.g. dedicated email, hotline).

Creating a positive experience around incident reporting will help you achieve your ultimate objectives and long-term strategies, such as minimising interruption to business services, preventing data breaches, and achieving compliance with data breach reporting requirements.

If you would like to discuss your information security awareness program, get in touch with a member of the BDO Cyber Security team.