Build your team of Cyber Heroes
Imagine your organization is being hit with a phishing attack, one of the most common cyber security threats users face today. In an organization with weak cyber security culture, users might see the phishing attempt, quickly disregard it and move on about their day feeling like it’s not their problem.
“They click on a link and then feel like it’s someone else’s problem to fix,” said Theo Zafirakos, Chief Information Security Officer and CISO Coach at Terranova Security.
Organizations beginning to develop a more secure culture may see users who recognize the phishing attempt and delete the email, but who don’t care enough to send it on for someone else to investigate.
At the highest level, where security is baked into an organization’s culture, a user sees the phishing attempt and then makes sure the right person in information security knows about it. “This person now is not only protecting themselves, but is also protecting the organization,” Zafirakos said. “By taking that extra step to alert someone, this person becomes part of the solution to help protect the organization. By taking the time to recognize that good behavior, you create a culture of security.”
But in an age where cyber threats are growing and large organizations with thousands of globally distributed employees have only a handful of cyber security team members tasked with protecting the company, how can you train everyone, reward everyone and build up that culture of security?
Create a Security Awareness Ambassador Program
A Security Awareness Ambassador program helps organizations raise awareness about information security effectively by empowering employees – users – to help promote security awareness.
These ambassadors aren’t necessarily security professionals – in fact, in most cases they are not. Ambassadors become authorized representatives for security officials in the field who help explain security requirements so that their colleagues understand the importance of security in their role. Security ambassadors are ideally members of the business workforce who are comfortable with the risks associated with technology and who act as local representatives of information security.
An ambassador program helps provide insights and knowledge of cyber threats that employees and customers face in an increasingly digital world, and provides local points of contact for security awareness.
“An ambassador program is not complicated, but does require some time and effort to be effective,” Zafirakos said. “When it becomes effective, and prevents cyber-attacks, it can save organizations hundreds of thousands of dollars.”
Want to get started?
Step 1 – Apply or Nominate the First Ambassadors
Once you have identified the time commitment and other program expectations, the program benefits or incentives that can be offered, and its specific responsibilities, send out a call for applications or nominations.
Start by introducing and communicating what the Security Awareness Ambassador Program entails. Explain how employees and team members can apply to the program, encouraging them to get approval from their direct supervisor first.
Ambassadors should not be members of the information security team or in a leadership role, Zafirakos said. By drawing ambassadors from the field team instead of management, the culture of security is more likely to permeate through the organization because the guidance is peer-to-peer rather than top-down.
Step 2 – Review and Select Applicants
When reviewing the applications and nominations that come in, be sure to select your initial ambassadors to represent a cross-section of locations, roles and service lines within your organization.
“It’s not about technical knowledge,” Zafirakos said. “Look for an attitude and a desire to learn and take responsibility. Ideally you want someone who understands the region where they work, their specific department, and what challenges their colleagues are facing.”
Step 3 – Launch a Training and Mentorship Program
Ambassadors will require a training and mentoring program, and you’ll position your organization well by planning at least a three-month period to get your initial batch of ambassadors ready.
Before granting internal accreditation to your ambassadors, consider requiring each to have completed all Information Security Awareness training modules already offered by your organization and to have attended security monitoring workshops led by Security Team members. Also have them complete any reading materials assigned, and deliver a security awareness presentation to their business unit as practice for becoming their team’s cyber security voice.
Eventually the ambassadors in the program will be able to train the next wave of ambassadors.
Step 4 – Host a Certification and Induction Ceremony
It’s important to publicly acknowledge not only your first group of ambassadors, but each one that comes after.
Consider hosting a ceremony or having the organization’s executive team publicly acknowledge the ambassadors. They are, after all, now responsible for being the point of contact within their teams for enhanced cyber security awareness.
Step 5 – Manage and Measure the Ambassador Program
Once you’re off and running, be sure your information security team continues to provide ongoing communication and resources to the ambassadors. Consider creating a forum for ambassadors to exchange ideas. And if ambassadors find that they are no longer up to the challenge, be sure to develop a way to cycle new ambassadors into the program.
“If you are serious about it, the Security Awareness Ambassador Program should be formalized,” Zafirakos said. “Even though it’s a program that tends to be low cost, it does take time and effort to get it done well. Organizations may need to allocate one person from the security department to manage the program, and maybe that will take 50% of their time, to manage it well.”
In addition to managing the program, be sure to measure its effectiveness, too. Track the number and types of inquiries or incidents submitted or reported by users to the ambassadors. Look at the number of inquiries submitted from ambassadors to the information security team.
Tracking these incidents and reports could be done through web forms, Zafirakos said, “or the existing communications and ticketing tools used to track these types of activities. Some organizations even have an internal social media site where users can submit questions.”
Where possible, have your ambassadors measure the time they spend on cyber security awareness training, presentations and handling of incident reporting.
And finally, look to see, after a pre-determined period of time, whether behavior has improved as a result of the program. One way to do that is to host a phishing simulation or quiz before the launch of the Security Awareness Ambassador Program, and then again several months into the program.
“Culture doesn’t change overnight,” Zafirakos said. “It takes time for an employee to get into the mindset and understand the consequences of their actions or their inactions. But when they do, they apply these practices at work, then at home, with their kids, and become part of the security solution.”