
Eight ideas that can ingrain security awareness as a company value

Today’s columnist, Stacy Hughes of Voya Financial, offers eight tips to help organizations instill a security awareness culture.

October offers great joy with the leaves changing color, a crispness in the air, and pumpkin spice everywhere. Every year we also celebrate Cyber Security Awareness Month (CSAM). Co-led by the National Cybersecurity Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA), CSAM has been a partnership between business and government to raise awareness about cybersecurity for 19 consecutive years.

While it’s great to shine a spotlight on cyber awareness in October, as IT security professionals we have to provide ongoing security awareness throughout the year. According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of security breaches involve human interaction, highlighting the need for organizations to educate employees and encourage vigilance all year long.

Companies should start by establishing a culture of continuous learning, something they can achieve by focusing on the following core tenets:

  • Set the tone from the top. The cybersecurity landscape evolves constantly, and we need to ensure our leaders are continually alerting their teams to emerging threats and the latest tactics. But leaders must also constantly stress why vigilant cybersecurity practices are so important to our company, clients and customers, and how their employees can help safeguard personal information. CEOs, CIOs, and CISOs must uniformly emphasize cybersecurity as a top priority and set the tone from the top by holding everyone accountable for security awareness. Top security officials must regularly address cybersecurity strategy and investments with C-Suite executives and the board, while leaders across the company should participate in crisis drills and actively and visibly lend their voices to employee awareness campaigns, like CSAM. As the CISO, I find it helpful to host regular meetings with executives on security topics that are relevant to them both professionally and personally. For example, talking about enabling multi-factor authentication (MFA) for social media accounts, as well as discussing recent MFA events in the news, can provide important context for organizational security initiatives.
  • Encourage professional training, networking, and educational opportunities. Staying informed on emerging trends and leading-edge security capabilities is a top priority for IT security professionals. Encouraging employees to attend and/or speak at industry conferences, take continuing education courses, and participate in professional association networks builds broader understanding, knowledge and perspective. On average our team members spend more than 3,000 hours annually in professional training, networking, and educational opportunities.
  • Conduct mandatory annual training. Training is critical in reminding employees to practice healthy cybersecurity behaviors. Annual cybersecurity/fraud trainings reinforce the importance of strong cybersecurity practices and help to build a company culture of awareness, accountability, and vigilance. Trainings can include topics such as password best practices, social media protections, the importance of user access reviews, malware/ransomware, and recognizing phishing, smishing and whaling. They offer an overview of common tactics and emerging trends and empower employees with the information they need to effectively identify and report suspicious activity.
  • Test employee knowledge. Training courses are essential, but knowledge tests at the end of each training course really help to reinforce desired behaviors and certify employee understanding of the topics covered. Additionally, a phishing testing program reinforces the message of the annual training, applied in real-life scenarios that test employees’ ability to recognize the warning signs of phishing/suspicious emails. Voya conducts more than 86,000 individual phishing tests annually to train employees and contractors on how to avoid phishing attacks.
  • Make security personal. Focusing on the “what’s in it for me” factor raises awareness, and that’s why it’s important to reinforce the benefits of good cybersecurity practices as well as the serious repercussions of poor cyber behaviors. Bringing attention to the personal and professional consequences of real-life cyber events (reputational damage, financial loss, loss of trust) can spur people to take protective actions and be on alert.
  • Build brand reputation. A company’s brand helps to convey who it is and what’s important to the organization. This applies to departments within a company as well. One of my first actions as Voya CISO was to rebrand our security function. We did this to easily identify our team, what we do and the importance of our work – both internally to our colleagues and externally to our customers. As Voya Information Security, we also created a tag line of “Securing Today. Protecting Tomorrow.” This new branding aligns with our purpose and conveys the company’s priority of safeguarding data not only today, but well into the future. Noting the tag line on our communications brings greater awareness and heightens the importance of our Information Security educational messaging.
  • Raise awareness year-round. This can include regular employee communications and monthly learning sessions with guest speakers, which can also serve as continuing professional education credit. Strong security requires strong partnership, so we often invite business leaders to talk to our Information Security team about the trends they’re seeing in business interactions and any changes that might impact our security posture. We also create videos with key business leaders talking about the importance of security for our colleagues and customers.
  • Think global and be creative. With a hybrid workforce, companies are now challenged to keep security awareness fresh and to reach a global audience. Voya often extends our training and educational campaigns to our contractors and partners. Videos, catchy themes, and culturally relevant examples are very important to making the training effective and memorable. The security industry needs to continue in this direction, providing a variety of media to employees and customers so security stays top of mind.

At Voya Financial our employees play a critical role in Securing Today. Protecting Tomorrow. Ensuring a well-balanced, year-round cybersecurity awareness program has become a critical way we engage all employees in that effort.

Stacy Hughes, chief information security officer, Voya Financial
