Raise cyber security awareness by eschewing routine training and doing the unexpected - Mimecast

Use employees' social media profiles to show them how easy it is to obtain their data, says Orlando Scott-Cowley

CIOs and CISOs who are trying to come up with ways of raising security awareness should steer away from routine training and instead try new, unexpected methods to catch employees' attention, according to Orlando Scott-Cowley, cyber security specialist at Mimecast.

Scott-Cowley, who will be presenting to CIOs at Computing's IT Leaders Summit next month, believes that one of the hardest things for organisations to do is to keep employees engaged when it comes to raising security awareness.

"We don't help ourselves; we send them an email saying 'don't click on links in emails you're not expecting' and then we put a link to our knowledge base or e-learning platform and say 'click on this', then we're surprised that they click on links," he said.

Scott-Cowley still believes that there is a place for security training, but he suggested that there are ways of making training more engaging to employees.

"Very often [security training] is a sheep-dip security session and induction with a quarterly or half-a-year 'lunch and learn', and we know that doesn't work because we know that you tell people not to click on links or to open attachments from unknown senders but they still do - and a lot of the big breaches of the last few years have been perpetrated through spear-phishing in particular," he said.

Scott-Cowley put the figure at around 95 per cent of hacks and attacks starting from a malicious email or a spear-phishing message.

To tackle this, he said organisations "have to get people excited about what they're learning about" when it comes to information security.

So what other methods can CIOs and CISOs use?

"Pick on a couple of people [within the organisation] that you don't know - do some background checks and look at their social media profiles, tell them what you've found out about them and tailor a conversation based on this," Scott-Cowley suggested.

"That's what attackers will do - they'll look at the middle management layer and tailor things specifically to those individuals," he added.

The idea is that those people will then be more aware of how much information an attacker can obtain with no more than a web browser, and will start thinking differently about the way they use social media and other online services. In turn, that should change the way they work and make them more alert to external threats.
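The following script is an added illustration of the exercise just described, not Mimecast's code or anything Scott-Cowley provided. It takes a constructed social-media profile (the person, bio and posts are invented) and shows how each disclosure maps onto a component of a tailored spear-phish: who to impersonate, what subject line to use, when the target is away and which internal system to fake. The rules, rule names and coaching messages are assumptions chosen for the walkthrough; on a real profile, with the employee's consent, the same mapping is what you would talk them through.

```python
"""Added example: map social-media disclosures to spear-phishing pretext parts.
Not Mimecast code; the profile below is constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    bio: str
    posts: list


# Constructed profile for the walkthrough; not a real person or employer.
SAMPLE = Profile(
    name="Jane Example",
    bio="Finance manager at Acme Widgets | Runner | Views my own",
    posts=[
        "Great week at the FinTech Forum in Lisbon, back in the office Monday.",
        "Shout-out to my boss Tom Reed for the support on the Q3 close.",
        "Day 3 of fighting our expenses system, send coffee.",
    ],
)

# Hypothetical rules: each names a disclosure an attacker can build on.
RULES = {
    # bio line of the form "<role> at <employer> | ..."
    "role_employer": re.compile(r"^(?P<role>[^|@]+?) at (?P<employer>[^|]+?)(?:\s*\||$)"),
    # "my boss Tom Reed" gives an impersonation target
    "manager": re.compile(r"my (?:boss|manager|director) (?P<manager>[A-Z][a-z]+ [A-Z][a-z]+)"),
    # event and city give a believable subject line
    "event": re.compile(r"at the (?P<event>[A-Z][\w ]+?(?:Forum|Summit|Conference)) in (?P<city>[A-Z][a-z]+)"),
    # "back in the office Monday" tells the attacker when the target is away
    "absence": re.compile(r"back in the office (?P<return>\w+)", re.I),
    # "our expenses system" tells the attacker which portal to clone
    "system": re.compile(r"\bour (?P<system>\w+ system)"),
}

# What to tell the employee about each disclosure (assumed wording).
COACHING = {
    "employer": "Role and employer mark you as a target worth the effort.",
    "manager": "Naming your manager lets an attacker impersonate them.",
    "event": "Event and location give a subject line you would expect to see.",
    "return": "Announcing when you are back tells an attacker when you are rushed.",
    "system": "Complaining about an internal system tells an attacker what to fake.",
}


def extract(profile):
    """Collect the disclosures an attacker would harvest from the profile."""
    found = {}
    m = RULES["role_employer"].match(profile.bio)
    if m:
        found["role"] = m.group("role").strip()
        found["employer"] = m.group("employer").strip()
    for post in profile.posts:
        for key in ("manager", "event", "absence", "system"):
            m = RULES[key].search(post)
            if m:
                found.update({k: v.strip() for k, v in m.groupdict().items()})
    return found


def pretext(profile):
    """Assemble the tailored email an attacker could send from those findings.

    Falls back to generic wording for anything the profile did not disclose,
    which is exactly why a sparse profile yields a less convincing lure."""
    f = extract(profile)
    first_name = profile.name.split()[0]
    return {
        "from": f.get("manager", "IT Support"),
        "subject": "Re: %s expenses" % f.get("event", "recent travel"),
        "body": (
            "Hi %s, before you are back %s please re-submit your %s receipts "
            "in the updated %s portal: <link>"
            % (first_name, f.get("return", "in the office"),
               f.get("city", "travel"), f.get("system", "expenses"))
        ),
    }


def coaching_points(profile):
    """The conversation to have with the employee, one point per disclosure."""
    f = extract(profile)
    return [COACHING[k] for k in COACHING if k in f]


if __name__ == "__main__":
    for k, v in pretext(SAMPLE).items():
        print("%s: %s" % (k, v))
    for point in coaching_points(SAMPLE):
        print("-", point)
```

The point of running it against a real profile rather than this sample is the contrast: a profile that names a manager, an event and an internal system produces a lure that is hard to distinguish from a legitimate request, while one that discloses none of them leaves the attacker with the generic "IT Support" email most people already recognise.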

Another suggestion of Scott-Cowley's was to ensure that training isn't overly regimented.

"Don't just do 'lunch and learn' quarterly sessions, mix it up a bit, have a security month - Facebook famously have Hacktober, for example," he said.

"Do things unexpectedly instead of tricking them into thinking this is a routine training session that they have to sit through and sign off that they've been there, and then they think it's all ok," he added.

This article is part of a campaign from Mimecast