Just as every organisation is different, security awareness is different for every organisation. And all businesses need to consider their definition of security awareness as a vital element in their overarching strategy to try and protect themselves against cyber attacks.
Why it’s important to define security awareness for your business
The first reason is pretty straightforward: it’s a legal requirement.
Since GDPR came into force on 25 May 2018, all EU businesses (and those outside the EU who manage or process EU citizens’ data) are required to comply with the regulations around privacy laws and reporting breaches. At the time of writing, our future position within the EU is “a little unclear” but as GDPR is the gold standard of protection, it’s extremely unlikely that the UK won’t maintain the same regulatory requirements (if and when we leave the EU).
The PCI DSS (Payment Card Industry Data Security Standard), which applies to merchants globally, also requires all companies that hold and process credit/debit card data to “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security”.
Defining security awareness in your organisation is also important for staff. Information security shouldn’t fall to one person or one team; everyone has a part to play, especially as 88% of breaches in the last two years (https://www.verdict.co.uk/uk-data-breaches-human-error/) have been the result of human error. Without clarity over their roles and responsibilities, staff are unlikely to behave accordingly because they don’t know what those roles and responsibilities are!
Another reason is that being forced to sit down and think about security awareness in their own organisation is often the point at which many people realise that security awareness is not – and often doesn’t result in – behaviour change.
The basic definition of awareness is the “knowledge and attitude of employees”; nowhere does it mention behaviour! And even when people are made aware of risks, processes and procedures, they often don’t exhibit the intended behavioural change.
To be successful, a security program needs more than just changes in knowledge or attitude, particularly when you take into account that the objective of most infosec professionals, or certainly the ones we work with, is to change behaviour. Do we then need a different definition of security awareness? One that includes memory, retention or the ability for knowledge to be recollected and then acted upon?
Benefits of defining security awareness
Defining security awareness creates clarity and that makes it easier to communicate so that everyone is on the same page. By knowing your starting point, you can confidently measure any activities designed to influence change and assess your progress too.
A clear overview can also form part of the business case for committing more resources to your information security program and making sure your training programme isn’t simply a tick-box exercise. Through our work helping people define security awareness for their businesses, we’ve seen that it can also reduce the disconnect between people and the consequences of their actions and effect real change.
And, finally – and possibly most importantly – it means you can crack on with business!
If you’d like to know more about how we can help you through training, coaching and mentoring, feel free to book in a call.