Some reasons why cyber-security awareness programmes fail - and SAP® security also
What are the reasons why cyber-security programmes fail?
What can you do to effectively raise your company's cyber-security awareness?
Governments and commercial organizations around the globe make extensive use of Information and Communications Technologies (ICT). The ICT landscape is changing at an ever faster pace, and as a result its complexity grows at an ever-increasing rate. COMPLEXITY has a direct effect on SECURITY. You can read all about that in our previous blogs such as:
In their quest to achieve an OPTIMUM SECURITY level, many organizations have deployed (or are deploying) technical security measures (let's call them the security tools and products), and develop security policies (processes) that specify the 'correct' behaviour of "the business": the employees who need to work with IT systems, the users and the managers (people). Even large organizations think they are secure enough if they have a good policy, or if the auditors have done spot checks and given them "the blessing". Job done... right?
No, actually individuals who think like that have completely missed the point. The whole purpose of compliance and auditing was to PROTECT the investors and the shareholders, and to force "management" to take its responsibility and accountability to the next level. Unfortunately, many individuals do not comply with the specified policies, so you do not get the expected or wanted behaviours. There are many reasons why people (employees) show unwanted behaviour. The two most compelling reasons are that people are not aware of (or do not perceive) the risks, or they do not know (or fully understand) what the 'correct' behaviour is and why it is important.
1) Create awareness for employees in a manner that is INTERESTING & CURRENT & SIMPLE ENOUGH for them.
An awareness (training) programme can be effective: if the material used (the examples) is interesting, current and simple enough to be followed by the audience, you have a far better chance of the awareness sticking and having the wanted effect. If a presentation 'feels' impersonal, too general or too technical for the intended audience, the topic will be treated by users as just another obligatory session. You will have lost more than security awareness: you have also lost productive time and created user frustration.
2) Spell out the correct behavior underpinned with funny examples.
If you discuss the right behaviour, or if you spell out the right behaviour, make the example MEMORABLE. Humour is a great way to make people remember something. Use funny examples of wanted and unwanted behaviour, and connect CAUSE and EFFECT, so that people start to understand what cyber-security is and what each employee can contribute to it. It is not so hard to prepare "funny" examples:
- a PC is found unlocked, and "someone" sends a mail to the department announcing that the "user" is treating everyone to cake.
- an email is sent in the name of the CEO asking for a quick payment to company XYZ.
- sharing your password with a colleague.
- sending that entire customer list to your home computer.
Contact us at firstname.lastname@example.org and we will be happy to explain what works when it comes to SAP Security for your organization.