A well-developed cybersecurity policy involves employees: 3 key pillars

AI is a game changer

IT security is more frequently on the agenda than ever, thanks in part to new regulations that require more efforts around security. There’s no other choice, because cybercriminals are constantly coming up with smarter ways to fool people and then taking data hostage or stealing it. “AI is a game changer, also in that context,” says Bart Callens, product manager security at Proximus. “Take, for example, phishing with a voice message, where AI imitates the voice of someone you know.”

That makes it very difficult to distinguish between real and fake. “Fortunately, we can also use AI to protect us from attacks.” It is important that an organization does not view cybersecurity as a bundle of tools or a one-off exercise, but as an indispensable part of its entire business operations. Callens: “You do this by supporting your policy on three key pillars: awareness, behavior and culture.”

Not only do you have to be able to recognize a phishing email, you also have to adapt your behavior when you get one.

Bart Callens, Product Manager Security at Proximus

Awareness

Traditional data security training is a thing of the past. “That one-way traffic proved to be a little ineffective,” said Callens. “To really create awareness, you have to focus on interaction. Better to have short training modules that you repeat regularly, than a one-off training session lasting a whole day.”

It’s also important to practice the knowledge you have acquired. “Gamification can make a difference here. It’s not just about the content itself, but also about the way you present it: so, with communication that matches the company culture and in a way whereby the content lingers for as long as possible.”

Behavior

Awareness may be a key pillar, but it’s not the only one. “Being aware of the dangers doesn’t mean you are safe,” said Callens. The stats confirm thatNew window. “Campaigns with phishing emails often have a high hit rate: up to 32% of recipients have no idea it’s phishing.”

After awareness training, that figure drops to 5-6%. Even though employees are aware of the risks at that moment, one in twenty recipients does not adjust their behavior. “Understandable,” sCallens explained, “because the attackers respond to people’s emotions.” When you receive an urgent email from the boss or a message saying you need to confirm your details immediately, it’s a logical response to believe it. “Recognizing that and aligning your behavior in response is essential.”

Bart Callens, Product Manager IT Security at Proximus

Culture

Attackers capitalize on the psychological profile of their targets. Raising awareness is important: knowing that there is danger. The same goes for behavior: when you recognize the danger, respond to it correctly. “Even then, things frequently go wrong,” said Callens. “Which is why the third pillar is indispensable: culture.” This ensures that security is an essential part of the entire corporate culture.

Here's an example that illustrates the value of the security culture. “Suppose an employee opens a malicious attachment or clicks on a dodgy link, and only afterwards realizes he shouldn’t have. In a company with a full developed security culture, that employee will report it as soon as possible, so that the IT team can intervene immediately if necessary.” In the absence of that culture, the employee might conceal his faux pas, due to lack of insight, but perhaps also due to shame or fear of a negative response.

CISO (as a service or otherwise)

“That’s a good example of how the three pillars work together,” said Callens. “You have to be aware of the dangers, and you have to behave accordingly, which ultimately reinforces the culture.” In a large company, the role of the CISO (Chief Information Security Officer) is to mold the entire security story and give it widespread coverage. “Small and medium-sized organizations often lack the clout to retain a CISO, even though they are also a target for attacks.”

In these cases, the CISO-as-a-service can provide a solution. “Security profiles are scarce on the labor market,” Callens concludes. “That’s certainly the case for the CISO. Even for a smaller company, a CISO can make all the difference, although a smaller organization often has no need for a full-time CISO. It’s in precisely these situations that a specialist as a service can make the difference to the ultimate objective of the security policy: making every employee a strong link.”