<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>methodology - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/methodology/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/methodology/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Fri, 14 Mar 2025 07:00:03 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>methodology - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/methodology/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Are you ready to TAMAM your cybersecurity awareness?</title>
		<link>https://www.riskinsight-wavestone.com/en/2025/03/are-you-ready-to-tamam-your-cybersecurity-awareness/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2025/03/are-you-ready-to-tamam-your-cybersecurity-awareness/#respond</comments>
		
		<dc:creator><![CDATA[Noëmie Honoré]]></dc:creator>
		<pubDate>Fri, 14 Mar 2025 07:00:01 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity awareness]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[methodology]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=25538</guid>

					<description><![CDATA[<p>This article was originally published on our corporate website wavestone.com on 26 January 2023.   Cybersecurity awareness is a journey to embed secure behaviours in people&#8217;s daily lives   To do so, you need to build a strong cyberawareness program, focus...</p>
<p>This article, <a href="https://www.riskinsight-wavestone.com/en/2025/03/are-you-ready-to-tamam-your-cybersecurity-awareness/">Are you ready to TAMAM your cybersecurity awareness?</a>, first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;"><em>This article was originally published on our corporate website <a href="https://www.wavestone.com/en/">wavestone.com</a> on 26 January 2023.</em></p>
<h2 style="text-align: justify;">Cybersecurity awareness is a journey to embed secure behaviours in people&#8217;s daily lives</h2>
<p style="text-align: justify;">To do so, you need to build <strong>a strong cyberawareness program</strong>, focused on your key cybersecurity themes, that engages your people and respects their differences, with practical, positive actions and diverse activities. In other words, a program that matches your ambitions and aims for:</p>
<ul style="text-align: justify;">
<li>An <strong>effective behavioural change</strong></li>
<li>The development of a<strong> security culture</strong> in your organization</li>
</ul>
<p style="text-align: justify;">We developed our <strong>TAMAM framework</strong> to formalize our convictions about how best to build a cyberawareness program.</p>
<p style="text-align: justify;"><strong>TARGET</strong>: set concrete and measurable objectives</p>
<p style="text-align: justify;"><strong>AUDIENCE</strong>: adapt the approach according to the people concerned</p>
<p style="text-align: justify;"><strong>MESSAGE</strong>: choose a concise, positive message that calls for action</p>
<p style="text-align: justify;"><strong>ACTIONS</strong>: set up effective, concrete and various actions</p>
<p style="text-align: justify;"><strong>MEASURES</strong>: evaluate the program&#8217;s impact on behaviour</p>
<p style="text-align: justify;">This article explains the principles, the stakes and the role TAMAM can play in supporting you.</p>
<p style="text-align: justify;">But first, some context on cybersecurity awareness…</p>
<h2 style="text-align: justify;">Why do they keep clicking on these phishing emails?!</h2>
<ul style="text-align: justify;">
<li><strong>Our journey in cybersecurity awareness started more than 15 years ago.</strong> And things looked quite different back then. It was the time of the first awareness programs, led by newly appointed cybersecurity managers with few resources and a single objective: tell people what they must do to protect the information system. Nothing more, nothing less. It was the time of the Top 10 best practices, the Do’s and Don’ts, the mass training sessions, etc.</li>
</ul>
<ul style="text-align: justify;">
<li>Once delivered, these messages were assumed to be common knowledge and applied by everyone; and just like that, <strong>awareness was deprioritized</strong> by cybersecurity managers. It was the lean time of budget cuts.</li>
</ul>
<ul style="text-align: justify;">
<li>Then came the <strong>rising number of cyberattacks and the GDPR</strong>. With new risks came a new appetite for user awareness and education. Cybersecurity awareness was back on the agenda, yet with variable means and interest. Over the years it remained one of the cybersecurity topics, but with great variability between organizations when it came to effectiveness and efficiency.</li>
</ul>
<ul style="text-align: justify;">
<li>And here we are now, at the beginning of 2023, and the same questions remain: “I’ve tried everything but there are still some people who do not perceive the risks. What can I do?”; “I need to keep my people interested in the topic, what new things can you propose?”. What we notice is simply a <strong>lack of attention to the effectiveness of the program</strong>: organizations seemed to be hitting a glass ceiling. Effort was spent, investments were made, but little change happened. That caught our attention and led us to discussions and research until we reached a clear conclusion: effort and investment are in vain if they do not aim at <strong>effectively changing behaviours</strong> and ultimately <strong>establishing a culture of cybersecurity</strong>. But how do you do that? That is the focus of this article.</li>
</ul>
<h2 style="text-align: justify;">Are you getting everyone on board with cybersecurity?</h2>
<p style="text-align: justify;">Based on these observations of the past years of cyberawareness, we developed <strong>a framework to build an effective cybersecurity awareness program</strong>. We wanted this model to be customizable so that it could be applied to every organization regardless of its size, maturity, budget, or current culture. Not a one-size-fits-all, but a backbone to be adapted to every organization.</p>
<h3 style="text-align: justify;">Target</h3>
<p style="text-align: justify;">As with everything, you have to start with the “why”. This serves to define the <strong>objectives</strong>: a target to reach, <a href="https://www.linkedin.com/pulse/shall-we-start-your-secure-behaviours-corentin-decock/">a vision of where to go and a path to reach that place</a>.</p>
<p style="text-align: justify;">These objectives must be targeted at your priority battles, i.e. the change you want to see in your organization, <strong>the precise behaviours that you expect from your people</strong>. They are not just good intentions (“raising awareness among my employees”) but precise behaviours that you want to see every day. For instance, if phishing is one of your primary concerns, as it is for most organizations: “How do I get my employees to report phishing attempts and incidents?”. This way you see both your target and the way to reach it.</p>
<p style="text-align: justify;">Precise objectives also enable <strong>measurable results</strong>. When you define them, you also define the KPIs and metrics that you will use to assess their success. As a rule of thumb: if you are unable to find a measure for your objective, it is more illusory than achievable.</p>
<p style="text-align: justify;">Finally, you share these objectives with your employees. Isn’t it only fair to tell your people from the beginning what you expect from them? This way, you make them actively engaged in the change of behaviour that you expect. By giving them the rules of the game, you enable them to play by these rules and to win the game with you, because <strong>cybersecurity is a collective win</strong>.</p>
<p style="text-align: justify;">This first step is largely overlooked, and few organizations take the necessary time to reflect on their true target when it comes to cyberawareness. However, it is the essential starting point of our journey. As with any journey, we can only reach a friend’s house if we know their address.</p>
<h3 style="text-align: justify;">Audience</h3>
<p style="text-align: justify;">And who exactly do you want to reach? That is your audience, your population, the <strong>people who need awareness, training and education</strong>. A clear identification of these specific audiences will help you define an approach that actually reaches them. To understand their needs, start by grouping people into clusters, mostly based on their position in the organization, their closeness to the topic, their exposure to the risks you want to prevent, their role as figures others look up to, etc. These clusters can be newcomers, external staff, local ambassadors, IT staff, etc.</p>
<p style="text-align: justify;">For each of these populations, you will want to <strong>assess their current level of mastery</strong> of the different targets defined. That is basically a skills-gap analysis, to learn which topics require more attention for each population. This information is essential to customize the program to the needs of these populations (because you understand what they do day to day) and to their current level of mastery (which you have assessed precisely).</p>
<h3 style="text-align: justify;">Message</h3>
<p style="text-align: justify;">Now on to the messages you want to communicate to these people to reach these objectives; the moment where you find the catchy phrase that will be repeated many times. The people you communicate with also receive numerous other communications for numerous other causes (CSR, compliance, values, and so on). Hence the importance of selecting your messages wisely and staying concise. Time and attention are limited, which is why you will prefer to select <strong>a few messages that address key risks and meaningful objectives</strong>.</p>
<p style="text-align: justify;">Finally, the tone used to communicate these messages is crucial, as it must be adapted to the organizational culture: funny messages work in some environments while serious ones work better in others. Regardless of the tone, the <strong>messages need to be positive and call for action</strong>. Drop the negative injunctions (“don’t”) and embrace the positive actions (“act”).</p>
<p style="text-align: justify;">With these first three steps in mind (Target, Audience and Message), you have built the framing of your cyberawareness program: you know what you want to say, to whom, in order to reach the expected behaviours.</p>
<h3 style="text-align: justify;">Actions</h3>
<p style="text-align: justify;">Now that you have tailored your messages for your specific audiences to reach the defined objectives, the time has come to identify the actions that you will implement within this framing. Although you now open the catalogue of actions, you must stay focused and pragmatic. The guiding principle is to think of the <strong>effectiveness of the chosen action in your journey to reach your objectives</strong>. <a href="https://www.riskinsight-wavestone.com/en/2023/01/cracking-the-recipe-making-employees-hungry-for-more-cyber-awareness-activities/">Creativity and innovation</a> are surely important to keep people motivated, but they are not the sole success factor. You want to make cybersecurity practical for people, to bring the topic closer to their lives and to involve them in their learning (e.g. practical activities, application of the expected behaviour, etc.) on top of a more theoretical top-down approach.</p>
<p style="text-align: justify;"><strong>The way you implement these activities</strong> is also an essential success factor, with the right resources, people and planning to enforce the selected messages:</p>
<ul style="text-align: justify;">
<li>Who is the bearer of these messages? Internal or external?</li>
<li>How to repeat them in different ways (as different people respond to different stimuli: practical, visual, spoken, etc.)?</li>
<li>From what angles and with what activities should these issues be addressed in order to raise awareness among employees in the most appropriate way?</li>
</ul>
<p style="text-align: justify;">With few selected messages, you build different activities, at different moments, with different approaches, to embed these behaviours in your audiences’ daily lives.</p>
<h3 style="text-align: justify;">Measures</h3>
<p style="text-align: justify;">Finally, <strong>this whole program needs to be evaluated</strong> to determine whether it actually changes behaviours: for the management that will ask to see the value delivered for its investment, and for the awareness team that will want to show tangible results from its efforts.</p>
<p style="text-align: justify;">In your quest to raise awareness, <strong>you must focus on the effectiveness of what you implement</strong>, beyond the implementation itself. All too frequently, organizations focus on the number of activities or people addressed. But these figures seldom provide a real understanding of the change in behaviour that is happening.</p>
<p style="text-align: justify;">When building your evaluation plan, include both quantitative measures and qualitative feedback to obtain a comprehensive understanding of the achievement of your objectives. This may require new ways to gather information, such as involving the helpdesk or obtaining fresh data from the SOC, but the outcome brings terrific value to your program: it allows you to review it and keep it continuously adapted to your objectives, which may themselves need adapting if the organizational context changes.</p>
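<p style="text-align: justify;">The Target section above turns “report phishing attempts” into a measurable objective, and this Measures section asks for helpdesk and SOC data to evaluate it per audience cluster. The following script is an added example, not code from the article or from Wavestone: it assumes that the phishing-simulation tool and the SOC or helpdesk reporting channel can be exported as one event per line (timestamp, user, cluster, event), and the sample events, the cluster names and the two targets (report rate and time to report) are constructed for the example. It counts behaviour rather than activity: how many recipients reported, how fast, and how many still reported after clicking, which is the behaviour you want to see even when the lure worked.</p>

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median

# Constructed sample export: timestamp,user,cluster,event. One campaign sent at 09:00.
# "clicked" comes from the simulation tool, "reported" from the SOC/helpdesk channel.
SAMPLE_EVENTS = """\
2023-01-10T09:00:00,alice,finance,delivered
2023-01-10T09:04:12,alice,finance,reported
2023-01-10T09:00:00,bob,finance,delivered
2023-01-10T09:02:30,bob,finance,clicked
2023-01-10T09:00:00,carol,it,delivered
2023-01-10T09:01:05,carol,it,reported
2023-01-10T09:00:00,dave,it,delivered
2023-01-10T09:03:00,dave,it,reported
2023-01-10T09:00:00,erin,newcomers,delivered
2023-01-10T09:10:00,erin,newcomers,clicked
2023-01-10T09:25:00,erin,newcomers,reported
"""

# Constructed targets behind the objective "report phishing attempts":
TARGET_REPORT_RATE = 0.6      # at least 60 % of recipients report the lure...
MAX_MEDIAN_SECONDS = 15 * 60  # ...and the typical report arrives within 15 minutes
VALID_KINDS = {"delivered", "clicked", "reported"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    cluster: str
    kind: str


@dataclass
class ClusterKpi:
    delivered: int = 0
    clicked: int = 0
    reported: int = 0
    reported_after_click: int = 0  # still a win: the incident became visible to the SOC
    seconds_to_report: list = field(default_factory=list)

    @property
    def click_rate(self) -> float:
        return self.clicked / self.delivered if self.delivered else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.delivered if self.delivered else 0.0

    @property
    def median_seconds_to_report(self):
        return median(self.seconds_to_report) if self.seconds_to_report else None


def parse_events(text: str) -> list:
    """Parse the constructed export format, rejecting unknown event kinds early."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, cluster, kind = line.split(",")
        if kind not in VALID_KINDS:
            raise ValueError(f"unknown event kind {kind!r} in {line!r}")
        events.append(Event(datetime.fromisoformat(ts), user, cluster, kind))
    return events


def compute_kpis(events: list) -> dict:
    """Build one timeline per user, then aggregate behaviour counts per cluster."""
    timelines = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        timelines[(e.user, e.cluster)].append(e)
    kpis = defaultdict(ClusterKpi)
    for (_, cluster), evs in timelines.items():
        delivered = next((e for e in evs if e.kind == "delivered"), None)
        if delivered is None:
            continue  # click/report without delivery is an export error: do not count it
        k = kpis[cluster]
        k.delivered += 1
        first_click = next((e for e in evs if e.kind == "clicked"), None)
        first_report = next((e for e in evs if e.kind == "reported"), None)
        if first_click:
            k.clicked += 1
        if first_report:
            k.reported += 1
            k.seconds_to_report.append(int((first_report.ts - delivered.ts).total_seconds()))
            if first_click and first_click.ts < first_report.ts:
                k.reported_after_click += 1
    return dict(kpis)


def evaluate(kpis: dict, target_rate=TARGET_REPORT_RATE, max_median=MAX_MEDIAN_SECONDS) -> dict:
    """Objective met per cluster: enough people report, and they report fast enough."""
    return {c: k.report_rate >= target_rate
               and k.median_seconds_to_report is not None
               and k.median_seconds_to_report <= max_median
            for c, k in kpis.items()}


if __name__ == "__main__":
    kpis = compute_kpis(parse_events(SAMPLE_EVENTS))
    for cluster, ok in evaluate(kpis).items():
        k = kpis[cluster]
        print(f"{cluster:10} report {k.report_rate:.0%} click {k.click_rate:.0%} "
              f"median {k.median_seconds_to_report}s -> {'OK' if ok else 'needs attention'}")
```

<p style="text-align: justify;">On the constructed sample, the IT cluster meets the objective, finance fails on the report rate and the newcomers fail on speed even though everyone reported, which tells the awareness team three different things to do. A count of training sessions delivered would have shown none of this.</p>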
<p style="text-align: justify;">Oh, and don’t forget one last thing if you want to create a positive trend in awareness: communicate your achievements and celebrate the victories with everyone. You deserve it.</p>
<p style="text-align: justify;"><img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-25545" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2025/03/Image1ENG.png" alt="TAMAM methodology relies on the following pillars: Target, Audience, Message, Actions and Measures" width="945" height="630" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2025/03/Image1ENG.png 945w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/03/Image1ENG-287x191.png 287w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/03/Image1ENG-59x39.png 59w, https://www.riskinsight-wavestone.com/wp-content/uploads/2025/03/Image1ENG-768x512.png 768w" sizes="(max-width: 945px) 100vw, 945px" /></p>
<p style="text-align: justify;">Take the first letter of these 5 principles and you obtain TAMAM. It is no coincidence that the word means “all right” in Turkish; this is what you want from your people: adherence to your objectives and agreement to join your journey towards more secure behaviours.</p>
<h2 style="text-align: justify;">Where to start?</h2>
<p style="text-align: justify;">Now that you have a better understanding of the iterative journey to build a strong awareness program, you probably find yourself asking: where do I stand, and how do I move closer to what has just been described?</p>
<p style="text-align: justify;">A first action to take is probably to <strong>take a step back to look at your current maturity level in cyberawareness</strong>. You will need to have a clear and honest understanding of how your organization addresses this topic in order to define a path towards a greater maturity.</p>
<p style="text-align: justify;">The power of TAMAM resides notably in its ability to be used regardless of your maturity level, because its principles are adaptable and true to different situations.</p>
<h3 style="text-align: justify;">Do you TAMAM?</h3>
<p style="text-align: justify;">When you <strong>TAMAM</strong>, you:</p>
<ul style="text-align: justify;">
<li>Visualize a clear and precise target – behaviours – that you want to reach</li>
<li>Tailor your approach around the need of your specific clusters of people</li>
<li>Define the few messages you want to communicate to your audience on these objectives</li>
<li>Select the best manner to communicate your messages with activities that focus on effectiveness</li>
<li>Monitor and assess this effectiveness to adapt your approach and finetune your whole program</li>
</ul>
<p style="text-align: justify;">This article is only a glimpse of what TAMAM can bring to your cyberawareness program. Contact us for a full understanding of how our framework can help you step up your awareness!</p>
<p><a href="https://www.riskinsight-wavestone.com/en/contact-us/">Contact us</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2025/03/are-you-ready-to-tamam-your-cybersecurity-awareness/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Risk analysis and IoT: a marriage of love or reason?</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/01/risk-analysis-and-iot-a-marriage-of-love-or-reason/</link>
		
		<dc:creator><![CDATA[Bertrand Carlier]]></dc:creator>
		<pubDate>Wed, 27 Jan 2021 06:00:22 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[IoT & Consumer goods]]></category>
		<category><![CDATA[connected devices]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[IoT risk]]></category>
		<category><![CDATA[methodology]]></category>
		<category><![CDATA[project management]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk analysis]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=14988</guid>

					<description><![CDATA[<p>Wavestone and Sigfox share a common passion for tech, innovation and security. Our discussions led us to explore the foundation of all cybersecurity initiatives (the risk analysis), why this is different for an IoT project and, most importantly, how you...</p>
<p>This article, <a href="https://www.riskinsight-wavestone.com/en/2021/01/risk-analysis-and-iot-a-marriage-of-love-or-reason/">Risk analysis and IoT: a marriage of love or reason?</a>, first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Wavestone and Sigfox share a common passion for tech, innovation and security. Our discussions led us to explore the foundation of all cybersecurity initiatives (the risk analysis), why this is different for an IoT project and, most importantly, how you can get started.</p>
<h2>What is a cyber risk analysis?</h2>
<p>Did you ever wonder what would happen if a device your company developed and sells leaked the data it collects? Or if that data were corrupted or suddenly made unavailable? Which would be the most detrimental? <strong>What if your solution were vulnerable to a cyberattack?</strong> Could the consequences be a takeover of devices that leads to a safety hazard, such as a building catching fire or even a human casualty? Or maybe it could “just” be a pivot attack onto your customer’s network that leaves both your business and your customer’s unable to operate.</p>
<p>If you are currently developing an IoT solution and such possibilities give you a knot in the stomach, you are probably wondering how your CISO (Chief Information Security Officer) manages to stay calm.</p>
<p>Well it is probably because your CISO<strong> has a method</strong>: they consider every risk from <strong>an unbiased perspective and in a comparable manner</strong>. Ensuring each risk is correctly evaluated (i.e. not overestimated or underestimated) and sharing the outcome of this evaluation with all project stakeholders is the first important step. Once all stakeholders agree upon every risk your company has the right basis to decide control measures.</p>
<p>This approach does not mean you should address every risk to the point that your solution is virtually <em>unhackable</em>. Frankly, this is not technically possible, and your budget would vanish long before achieving a so-called zero-cyber-risk solution. Each control measure must be prioritized and proportional to the risk likelihood and severity.</p>
<p>What we described above is known as a <strong>risk analysis methodology</strong>. Cybersecurity professionals use this methodology as the baseline to their company’s cybersecurity initiatives. The professionals evaluate risk scenarios (often tied to service availability, data integrity, confidentiality and/or traceability of actions) and the impacts on their company’s brand image, legal liabilities, safety consequences and of course financial outcomes. The higher the risk is evaluated, the higher the priority is set to lower the likelihood of the risk occurring (e.g. add barriers to an attack, reduce the attack surface, etc.) or the severity of outcomes if the risk occurs (e.g. apply segmentation to reduce the spread of an attack).</p>
<p>If you want to learn more about existing risk analysis methodologies, start with ISO/IEC 27005, which is widely adopted and understood across industries.</p>
<p>Be reassured that <strong>talking about risks will not increase the likelihood of the problem occurring </strong>(if you ever feared that), however not talking about them puts the project at great risk.</p>
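<p>The scoring and prioritisation described in this section, as an added example that is not part of the original article nor of any Wavestone or Sigfox method: a small risk register on constructed 1..4 likelihood and severity scales, with controls that either lower likelihood (a barrier to the attack) or lower severity (segmentation limiting the spread), selected greedily by risk reduction per unit of cost until every scenario is within a constructed risk appetite. The scenario names, ratings, control costs and the acceptance threshold are all assumptions chosen for the example.</p>

```python
from dataclasses import dataclass, replace

SCALE_MAX = 4         # likelihood and severity both rated 1..4 (constructed scale)
ACCEPTABLE_RISK = 4   # constructed risk appetite: likelihood x severity <= 4 is accepted


@dataclass(frozen=True)
class Scenario:
    sid: str
    description: str
    likelihood: int
    severity: int

    @property
    def risk(self) -> int:
        return self.likelihood * self.severity


@dataclass(frozen=True)
class Control:
    name: str
    scenario: str          # sid of the scenario it mitigates
    likelihood_delta: int  # negative: adds a barrier to the attack
    severity_delta: int    # negative: limits the blast radius if it happens anyway
    cost: int              # relative effort, constructed


# Constructed register: three scenarios typical of an IoT solution (assumed ratings).
SCENARIOS = [
    Scenario("tamper", "Device tampered with in the field, then used to pivot into the customer network", 3, 4),
    Scenario("leak", "Backend leaks the sensor data it collects", 2, 3),
    Scenario("ota", "Failed firmware update makes part of the fleet unavailable", 3, 2),
]

# Constructed control catalogue with assumed effects and costs.
CONTROLS = [
    Control("Secure boot with signed firmware", "tamper", -1, 0, 3),
    Control("Segmentation between IoT backend and customer IT", "tamper", 0, -2, 2),
    Control("Encryption at rest and least-privilege backend roles", "leak", -1, 0, 2),
    Control("Dual-bank firmware with automatic rollback", "ota", -2, 0, 2),
]


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario after a control, keeping ratings inside the 1..SCALE_MAX scale."""
    return replace(s,
                   likelihood=max(1, min(SCALE_MAX, s.likelihood + c.likelihood_delta)),
                   severity=max(1, min(SCALE_MAX, s.severity + c.severity_delta)))


def prioritise(scenarios, controls, acceptable=ACCEPTABLE_RISK):
    """Greedy plan: repeatedly pick the control with the best risk reduction per unit of
    cost among scenarios still above the threshold. Returns (ordered plan, residual register)."""
    register = {s.sid: s for s in scenarios}
    remaining = list(controls)
    plan = []
    while True:
        open_ids = {sid for sid, s in register.items() if s.risk > acceptable}
        if not open_ids:
            break
        best, best_ratio = None, 0.0
        for c in remaining:
            if c.scenario not in open_ids:
                continue
            reduction = register[c.scenario].risk - apply_control(register[c.scenario], c).risk
            if reduction / c.cost > best_ratio:
                best, best_ratio = c, reduction / c.cost
        if best is None:
            break  # nothing left that helps: remaining risk must be formally accepted or transferred
        register[best.scenario] = apply_control(register[best.scenario], best)
        remaining.remove(best)
        plan.append(best)
    return plan, register


def unaccepted(register, acceptable=ACCEPTABLE_RISK):
    """Scenarios still above the appetite once the plan is exhausted."""
    return [s.sid for s in register.values() if s.risk > acceptable]


if __name__ == "__main__":
    plan, residual = prioritise(SCENARIOS, CONTROLS)
    for i, c in enumerate(plan, 1):
        print(f"{i}. {c.name} (cost {c.cost}) -> residual risk for '{c.scenario}': {residual[c.scenario].risk}")
    print("still above appetite:", unaccepted(residual) or "none")
```

<p>Run it and the first control selected is segmentation, not secure boot, because cutting the severity of the pivot scenario removes more risk per unit of effort than adding one more barrier on the device. With a stricter appetite the catalogue runs out while scenarios are still open; the loop then stops and reports them, which is the point at which residual risk has to be accepted explicitly by the CISO rather than ignored.</p>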
<h2>What makes an IoT Project risk analysis different?</h2>
<p>Hopefully we have convinced you that doing a risk analysis of your project is an important task; we will touch upon how you can get started quickly in the next chapter. Before we get there, we will detail what makes the exercise specific for an IoT project: what are the characteristics of such projects and what makes the risk analysis more difficult or simpler?</p>
<p>Let us start with the common characteristics that should be considered for a risk analysis:</p>
<ul>
<li>An IoT initiative often relies on a very decentralized network of hardware (sensors, gateways, servers, etc.). These devices can be spread over a large geographical area, sometimes all over the world, and are meant to remain in the field for a long time with little to no onsite maintenance. It is common to see B2B IoT devices that aim for a lifetime of more than 10 years (e.g. a water metering project for utility companies). B2C devices can also aim for such lifetimes: think of connected vehicles, for instance.</li>
<li>IoT devices usually lack rich user interfaces such as a screen and keyboard. Buttons, LEDs and a companion mobile application still allow the interactions and customizations needed to collect data from the field.</li>
<li>The data collected from connected devices is where the value resides, so whether that data is critical or not is essential in the risk evaluation.</li>
<li>An IoT project is still an IT project. Even if the devices are not typical laptops, the application servers and storage remain central in most cases. This is where a large part of the risk remains, but fortunately there are many established best practices for this portion of the solution.</li>
</ul>
<p>From a cybersecurity perspective such characteristics can make IoT projects riskier. For instance:</p>
<ul>
<li>The physical security of a decentralized network is very hard to enforce. Where are the devices located? Are they accessible to the public? Can someone easily steal, damage or tamper with them? For example, a tracker installed on a pallet travels outside trusted premises and can be damaged or removed, intentionally or not. Of course, this risk is amplified by a wider geographical footprint.</li>
<li>Given the limited user interactions and the longer device lifetime, it can become very costly and time-consuming to maintain the devices, especially if you must physically dispatch technicians. Hands-on intervention can be simply unrealistic, and even remote firmware upgrades have a failure rate. Because of all this, the controls must remain relevant for the long run.</li>
<li>In any IoT project, the sensitivity of the data is a factor that must be considered. Is it critical for your company? For consumer projects the sensitivity of the data can be perceived as very high because the devices collect data from the “real” world.</li>
<li>IoT solutions consist of many different technologies and vendors. This is a challenge: what are the security practices followed by each of these vendors, and do these practices sufficiently cover my risks?</li>
<li>Finally, the security controls that can be applied depend on the capacities of the devices and software. For example, many sensors run on 8-bit MCUs with a few kilobytes of RAM: they cannot afford computationally heavy cryptography such as public-key operations or a full TLS stack. Lightweight symmetric primitives remain feasible, but key provisioning, storage and rotation must be designed around these limits.</li>
</ul>
<p>Fortunately, all these characteristics also play a role in reducing the cyber risks for IoT projects.</p>
<ul>
<li>With very decentralized deployments, the level of effort required by an attacker to access a large number of devices is burdensome. Compromising a single device is one thing but compromising the entire fleet of devices is an entirely different task. This is especially true if physical tampering or proximity is required.</li>
<li>IoT devices are rarely operated directly by a user and there are limited user interactions after installation. Thus, attackers have few opportunities to trick the user into misusing the device or its application.</li>
<li>Depending on the context, the value of the data can be very limited for attackers (e.g. room temperature monitoring used to control AC systems). What is more, the value can also decrease sharply with time. Production data can be critical for real-time control of processes, but it becomes a lot less valuable a few minutes after.</li>
<li>The architecture of IoT solutions is usually segregated from the IT systems including servers or data centers. This segregation enables companies to easily define and protect integration points.</li>
<li>Finally, the limited capacities of the devices also limit what an attacker can do with them: there is little room to implant general-purpose malware on an 8-bit MCU or to turn a simple sensor into a versatile pivot point. This does not prevent physical tampering, firmware replacement or spoofing of the data the sensor sends, so it reduces rather than removes the risk, and must be weighed against the physical-access exposure described above.</li>
</ul>
<div class="slate-resizable-image-embed slate-image-embed__resize-full-width">
<figure id="post-15039 media-15039" class="align-none"><img decoding="async" class="size-full wp-image-15039 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-3.png" alt="" width="1845" height="883" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-3.png 1845w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-3-399x191.png 399w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-3-71x34.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-3-768x368.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-3-1536x735.png 1536w" sizes="(max-width: 1845px) 100vw, 1845px" /></figure>
</div>
<h2>So now, how can I get started?</h2>
<p>Well, take a deep breath and involve your CISO.</p>
<p>The CISO must identify and evaluate applicable regulations, decide what level of risk is acceptable, and provide policies to follow and tools to implement security measures. You may also want to appoint a Product Security Officer (PSO) to specifically address IoT security in your company, or even a given IoT product’s security if the stakes require it.</p>
<p>Getting to an acceptable level of security will require expertise in the various areas of the IoT solution. If you are that expert, be ready to get involved. This will drive the whole team to consider:</p>
<ul>
<li>End-to-end security on the technology stack: from hardware to cloud including embedded software, network connectivity, mobile apps, etc.</li>
<li>End-to-end security from a device lifecycle perspective. When you design your device, think about all phases: from manufacturing to distribution; from initial use to normal usage; resell, refurbish, recycle or trash.</li>
<li>Partners involvement: make sure not to forget them and assess their maturity. You might need to take measures to support them or upskill them (<em>hint</em>: ask your CISO or PSO for it).</li>
<li>Audit of your device and the whole technology stack. Do this regularly because your software may not have changed but the threats and known vulnerabilities may have.</li>
<li>Long-term security updates and maintenance: define for how long you will update and deploy your devices.</li>
<li>Incident response organization: define how you can be notified of vulnerabilities or breaches and how you can plan to respond (from a technical and a communication point of view).</li>
</ul>
<p>IoT cybersecurity is not an impossible task: there are methodologies and tools to help achieve a secure landscape.</p>
<p>Project stakeholders and customers are seeking, and pressing for, secure products. Regulations enforcing security are imminent, and frameworks that align every actor on its duties will continue to be applied. Now is the time to get ahead if you want to make cybersecurity an asset for your product on your market!</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
