After several years of running phishing programs and working with other organizations on theirs, I'm starting to notice a trend. Sooner or later everyone falls victim to a phishing assessment. Heck, even I fell victim to a phishing assessment once, and it was my own assessment (happy to share that story, but the price is a beer at a local con). Here is the interesting part, though: most people only fail once. It is almost as if failing a phishing test is a rite of passage; once you fall victim you truly remember the incident, rarely if ever falling victim again. The majority of people who I see falling victim each month are new hires. As they are new to the organization and new to awareness, they too...
One of the ideas I pulled from John Kotter's book Leading Change was a suggestion on Human Resources. Have your HR team align performance evaluations, compensation, or promotions with people's security behaviors. This does two things. First, it increases motivation because people see an actual, tangible gain by changing their behaviors. But even more importantly, Mr. Kotter points out that this demonstrates that the leadership is serious about security, that they want to make secure behaviors part of the organization's DNA. I thought this was a great idea. Here are some examples of metrics your HR team could use to track employees and staff.
- Employee had no security violations in past 12 months
- Employee successfully completed all awareness training
- Employees on their own reviewed online profile to confirm
I just finished the excellent book Switch: How to Change Things When Change is Hard by Chip and Dan Heath. Similar to John Kotter's book Leading Change, this book is ultimately about changing behavior. While Kotter's book is strategic and focuses on change in large organizations, Switch is more tactical and at the individual or small group level. Switch is very easy to read, backed by amazing research, references and funny stories. I highly recommend this book for any security awareness officer. Some key takeaways:
1. The book breaks down...
Folks, I'm excited to announce that SANS MGT433 (Building a High-Impact Awareness Program) is coming to Canberra, Australia on 18/19 March next year. This will be the first time this intense two-day class has ever been taught below the equator. If you are Down Under and your organization is building a new security awareness program or looking to pump up your existing one, I highly recommend you don't miss this opportunity. Not only will you learn from the collective wisdom of hundreds of security awareness officers, this is a fantastic...
December's OUCH! is out. For this month's security awareness newsletter we decided to cover anti-virus. Guest Editor and malware expert Jacob Williams walks you through exactly what anti-virus is, how it works and, most importantly, its limitations. Ultimately our goal is for people to understand that while anti-virus is an important part of your cyber protection, it cannot detect nor stop everything. You, combined with technology, are the best defense in today's online world. You can download and share OUCH! with your friends, family and co-workers, and you can access it in over 25 different languages.
Download OUCH! - http://www.securingthehuman.org/ouch