How to create an effective cyber hygiene program

used with permission from the Microsoft Secure Blog
by Ann Johnson, Vice-President, Enterprise Cybersecurity Group

As noted in the 2016 Verizon Data Breach Incident Report, 63% of confirmed breaches involved leveraging weak, default or stolen passwords, 30% of phishing messages were opened in 2015, and 12% of targets clicked on the malicious attachment or link. Given this, organizations of all types can make significant gains in their security posture by educating their user base on best practices for digital engagement and cyber hygiene.

Yet, headlines like this recent story in Dark Reading, The Sorry State Of Cybersecurity Awareness Training, speak to the reality that user education is one of the most under-invested and under-appreciated aspects of cybersecurity. Many organizations require an annual online training program to meet compliance requirements, but rarely invest in broad, robust, ongoing training that contemplates the changing threat landscape and the vastly differing roles of end users.

I’ve seen these same organizations invest heavily in tools to defend and detect within their environment, all the while overlooking the most vulnerable part of the security infrastructure – the end user. Forbes reported “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years according to a 2015 analysis of numbers from the Bureau of Labor Statistics by Peninsula Press” (January, 2016). Therefore, organizations cannot rely solely on technology or security professionals to keep their data and infrastructure safe and secure. Threats are evolving, spear phishing is increasing, and users are being specifically targeted. It is incumbent upon the industry to also change the way we approach user education.

There are several aspects to consider to educate users:

• Where do you focus your efforts?
• What is the risk profile of your user population? Have you classified your users much like you do your data?
• Is your directory up to date? Are your privileges appropriate?
• Who is the population, i.e. are they computer literate?
• What is the user accessing, i.e. classified, sensitive of confidential data?
• What systems are they using, i.e. company issued, BYOD, managed, unmanaged?
• How does your team learn best and how do you reinforce learnings?
• How do you make complex security concepts consumable?

Create an effective cyber hygiene awareness program

1. Lead by example
   To create a program takes focus, effort and commitment at the executive level to take cybersecurity education seriously. Internal stakeholders can cite numerous studies and use the wide range of industry data points to provide a business case and justification for the training. The average cost of each lost or stolen record containing sensitive information has reached $158USD according to the Ponemon Institute. And this figure does not include loss of business and customer loyalty from damage to the brand. Justifying the benefits of cybersecurity awareness is straightforward. Getting support and buy-in at the highest levels of an organization though more challenging, is key for setting the tone both for adherence to the effort as well as continued investment in it.
2. Keep it top of mind
   An annual program may be a good start but the lessons learned are too soon forgotten and are not likely to turn into good habits. To truly create a sustainable program, training needs to be ongoing, not just annual. It must be flexible enough to accommodate learnings from new security events and attack types. Outside of the standard red/blue teaming efforts, web based training, employee awareness posters, and scenario drills for the average user are all good methods for staying in the forefront of end users’ minds and practice. In addition, put in place an outspoken executive sponsor for security awareness. It takes someone with enough credibility to foster trust and ongoing dialogue with the CISO as well as employees, on the impact of best practices. Taking it a step further for larger organizations, I recommend creating cyber security champions at the department level to maintain the culture throughout the company’s end user populations and geolocations. If you want to start small, something as simple as requiring privacy screens for anyone handling sensitive data is a good way to raise awareness and encourage employees to educate one another on best practices.
3. Make it compulsory not perfunctory
   For many employees, online training is a time investment not well spent that takes away from bigger priorities. However, the task of completing frequent security training needs to become a vital job requirement, and viewed as critically important. This can potentially be accomplished by communicating broadly on the number of persons trained and sharing metrics about the security posture of each department, month to month, as well as reporting your security program’s relative standing compared to other training programs in the organization.
4. Keep it simple
   If a full-blown program is not within reach right away, you can still make significant gains with awareness of the top three security risks. Weak passwords, phishing and thoughtless clicking on attachments, against better judgement, are still the primary ways in for attackers. Remind users of best practices to avoid becoming a victim, and explore ways to automate enforcement so that you can limit the risk to others from infected devices.

There is no silver bullet to addressing rapidly increasing threats. The combination of risk based policies, technology controls, solid audits and user education can go a long way at mitigating your organization’s risk.