Issue link: http://vanguardcanada.uberflip.com/i/1508203
and publishes content nobody wants to consume. So, if you don't build this mindset among your staff, nobody's going to use the resources you put in place.

We've also seen challenges around organizations that assign the responsibility of creating this culture to IT staff who are not behavior change specialists. When we're talking about awareness and training, we're talking about changing behavior in adults who are often set in their ways. A properly implemented awareness program requires a multidisciplinary team of participants from HR and change management, marketing, operations, and IT.

Q Can you give us some examples of what an organization can do to create awareness of cybersecurity issues?

Organizations that succeed consider what motivates their people. And they understand that motivations come in many forms. They think about what would motivate and encourage their people to participate. And it doesn't have to be monetary, right? Recognition from managers can be a motivator. "Thank you for completing this and for doing the right thing" could go a long way. Another motivator is an opportunity to be part of the build. Survey people at the beginning, ask them what they want to learn about, then build a program based on what they're interested in learning.

We also find that making cybersecurity personal is an effective motivator because what people learn through this content extends past the work environment: everybody has a personal email address too. So, part of building a successful secure-aware culture is to get them to talk about cybersecurity outside the workplace. One great example is material they can share with their kids to help them be safe online when they're playing video games, posting to their social media, or buying things online.

Another effective strategy we have seen is establishing cybersecurity ambassadors, people across the company to officially represent cybersecurity, promote awareness activities and communicate with IT. A factory worker faces different threats and challenges than an office worker, and the IT team will work better if they know what matters.

Q What about the hiring or onboarding process? Has there been change there?

We've seen a lot of organizations targeting the new hires to establish security awareness from the very beginning. When new hires see their organization as taking cybersecurity seriously, they will adopt that mindset from the beginning. They'll want to do the right thing to impress their new leaders, so they'll be easier to influence.

Q How do you spot a security-aware cultural shift in business? When do you know it's working?

When people aren't afraid to ask questions if they don't know how to do something. Instead of going ahead with something that may or may not be dangerous, they'll seek guidance. In this environment, they're also not afraid to raise their hand if they've done something wrong. "Oh, oops, I sent this file by mistake. I can't retrieve it. Can we please get an action on board, so we could recover that information and prevent the damages from causing too much harm?" They're not afraid because of the consequences. They'll raise their hand.

And they'll take initiative. They won't ignore something unsafe. If they walk by a printer and see a confidential document sitting in it, they shred it or find its owner. Also, they socialize best practices among themselves. When they see a peer sharing their password or adopting an insecure behavior, they will politely explain what's being done incorrectly and how to do it better. Then this cybersecurity culture becomes infectious and starts spreading within the organization.

Ultimately, in an organization with a security-aware culture, you see people step up any and every way when it comes to cybersecurity. That includes adopting new practices and changing their behaviour.

Q Speaking of stepping up, do you have any stats or insights from the 2022 Gone Phishing Tournament?

At 2022's event, we were trying to harvest passwords with the promise of a $25 gift card. We asked, were users willing to click on a link? And once they click on a link, were they willing to share their password on a non-secure website? And we noticed that about 7% of the recipients clicked on the link because they don't think any harm could happen from clicking on a link, which is not true. About 7% of the recipients clicked on the link we sent, which then sent them to a one-question survey and a prompt to log in with a username and password. About half of those who clicked on the link went ahead and submitted their password on our website that was not secured. It didn't have HTTPS, it didn't have a padlock. In many cases, the browser might even flash red and say, "Well, this site is not secure." But a $25 gift card was all it took.

Q It's clear there's room for improvement. I think there's also room for improvement in third-party risk management. Why should an organization be concerned about third-party risk management?

We often see in the news, and recently, organizations being compromised through their direct partners or the greater supply chain because they all have access to the same systems, data, and networks. And let's not forget that those third parties may be dealing with fourth parties and fifth parties.

Imagine you're working for an organization, and you see an email from your supplier. You've been trained to check for email domains and sender domains, and they look accurate. They look like what you expect them to be. But how do you know now that on the other end, this email has been compromised by an attacker and it's being controlled by an attacker? So, this is why we have to rely on securing third parties to make sure that the whole supply chain is secure from the very beginning. We have to demand it.

Would you like to listen to this interview in audio form? Be sure to check out our complete podcast catalogue at https://vanguardcanada.com/category/podcast/ or search for us on Spotify.

AUGUST/SEPTEMBER 2023 www.vanguardcanada.com PERSPECTIVE Sponsored Content