When thinking about cyber security, the area I always put first is developing user awareness of the risks, and of what users need to do should they make an error. Given that most data breaches involve a user at some point in the incident, often at the very beginning, it seems logical to focus first on user awareness. But how do you build user awareness in a busy school?
The old INSET model (Compliance)
This is the model where the training is put on once per year, likely at the start of the year, with everyone in the school required to attend. For me this approach is more about compliance than about improving awareness or understanding. It makes it easy to prove that all users have been “trained”, as you can point to an attendance sheet, for example. However, in the busy world of schools it is likely that a fair part of your audience will be focussing on other tasks rather than on the content being presented. It doesn’t necessarily result in users being more informed about and aware of cyber risks than they were prior to the session. This approach also fails to take into account the constant evolution of cyber threats and the threat landscape. As such, the once-per-year training event is no longer sufficient on its own, although it still makes for a useful approach when combined with others.
Regular communications and updates
My favoured model of cyber awareness development can be summarised as “little and often”. I make use of the school’s regular bulletin to share examples of phishing emails received in the school, plus tips on how to identify them. I am increasingly making use of video to share short presentations, 3 or 4 minutes long, outlining emerging risks or trends. The key for me is to make cyber security awareness content something that all users consistently come into contact with on a weekly basis. Hopefully, by doing so, they will be more conscious of the risks. Basically, I am using the availability bias to help develop user awareness.
I will also note one important thing here: vary the content, as if the content is always the same it may eventually become ineffective. As such I use a mix of my own video content, video content from the NCSC and other cyber organisations, written content with annotated screenshots and even the odd cyber security sea shanty (See here for the cyber sea shanty if you are interested.)
One of the big things about awareness development is being able to test that it is working. If your training is about compliance, the only test you need is to check that your attendance list has everyone’s name on it. If you are truly after user awareness development, you need to check that users’ awareness has actually developed. An easy approach to this might be a simple short quiz included alongside new awareness content, with a focus on helping users identify what they don’t know rather than on centrally recording scores. A centralised focus on these scores is once again more about compliance than about the actual users and their development. An alternative approach might be regular phishing awareness tests to see whether users fall for a phishing email, or whether they report it. A falling number of users caught by such tests, and a rising number of users reporting emails to the IT team, both represent improvements in user cyber awareness.
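To make the two measures above concrete, here is a small added example (my illustration, not something lifted from any phishing-simulation product) that takes the results of two simulated campaigns and works out the click rate, the report rate, and, importantly, how many users reported the email before (or without) clicking it. The campaign names, dates and recipient records are all constructed sample data; a real run would take the export from whatever phishing test tool the school uses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Recipient:
    """One recipient of one simulated phishing email (constructed sample schema)."""
    campaign: str
    sent_at: datetime
    clicked_at: Optional[datetime]   # None if the link was never followed
    reported_at: Optional[datetime]  # None if the email was never reported to IT


def campaign_metrics(records: List[Recipient]) -> Dict[str, dict]:
    """Per campaign: click rate, report rate, share who reported before clicking,
    and minutes from send to the first report (None if nobody reported)."""
    totals: Dict[str, dict] = {}
    for r in records:
        c = totals.setdefault(r.campaign, {"n": 0, "clicked": 0, "reported": 0,
                                            "report_first": 0, "first_report": None})
        c["n"] += 1
        if r.clicked_at is not None:
            c["clicked"] += 1
        if r.reported_at is not None:
            c["reported"] += 1
            # Reporting counts as "safe" behaviour only if it came before any click.
            if r.clicked_at is None or r.reported_at < r.clicked_at:
                c["report_first"] += 1
            delay = r.reported_at - r.sent_at
            if c["first_report"] is None or delay < c["first_report"]:
                c["first_report"] = delay
    metrics = {}
    for name, c in totals.items():
        first = c["first_report"]
        metrics[name] = {
            "click_rate": c["clicked"] / c["n"],
            "report_rate": c["reported"] / c["n"],
            "reported_before_click_rate": c["report_first"] / c["n"],
            "minutes_to_first_report": None if first is None else first.total_seconds() / 60,
        }
    return metrics


def awareness_improving(metrics: Dict[str, dict], earlier: str, later: str) -> bool:
    """The page's two indicators together: fewer clicks AND more reports in the later campaign."""
    return (metrics[later]["click_rate"] < metrics[earlier]["click_rate"]
            and metrics[later]["report_rate"] > metrics[earlier]["report_rate"])


# Constructed sample data: two campaigns, five staff each. Dates are illustrative only.
_AUTUMN = datetime(2024, 9, 10, 9, 0)
_SPRING = datetime(2025, 2, 3, 9, 0)
SAMPLE_RECORDS = [
    Recipient("autumn", _AUTUMN, _AUTUMN + timedelta(minutes=5), None),
    Recipient("autumn", _AUTUMN, _AUTUMN + timedelta(minutes=20), _AUTUMN + timedelta(minutes=25)),
    Recipient("autumn", _AUTUMN, None, None),
    Recipient("autumn", _AUTUMN, None, None),
    Recipient("autumn", _AUTUMN, None, _AUTUMN + timedelta(minutes=40)),
    Recipient("spring", _SPRING, _SPRING + timedelta(minutes=3), _SPRING + timedelta(minutes=6)),
    Recipient("spring", _SPRING, None, _SPRING + timedelta(minutes=2)),
    Recipient("spring", _SPRING, None, _SPRING + timedelta(minutes=30)),
    Recipient("spring", _SPRING, None, None),
    Recipient("spring", _SPRING, None, _SPRING + timedelta(minutes=10)),
]


def sample_metrics() -> Dict[str, dict]:
    return campaign_metrics(SAMPLE_RECORDS)


if __name__ == "__main__":
    m = sample_metrics()
    for name, values in m.items():
        print(name, values)
    print("improving:", awareness_improving(m, "autumn", "spring"))
```

The “reported before click” figure is the one I would watch most closely: a user who clicks and then reports has still done the right thing for the IT team, but it is the users who report without clicking who show that the awareness content has landed. Time to first report is also worth tracking, since a fast first report is what lets the IT team pull a real phishing email from everyone else’s inbox.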
Fear of reporting
Another big challenge is trying to ensure users understand the importance of their vigilance and care in relation to cyber security, and the size of the risk to them, to the wider staff and students, and to the school/college as a whole. This has to be balanced, though, against creating so much fear in users that they become reluctant either to use technology or to report concerns or issues.
For me, encouraging people to report is critical, both in terms of quickly identifying any issues and, equally importantly, in terms of identifying misunderstandings or near misses. From this information we can refine our training and awareness development approaches. We can basically use the ongoing reports to continually learn and develop as an organisation in relation to cyber security.
Conclusion: Building a culture (The long road)
It still worries me that some organisations continue to treat cyber security, and also data protection, as a compliance issue. For me this is a shallow approach. The true challenge should be to develop user awareness to the point that we shouldn’t need to be too concerned about compliance.
Awareness development, in my view, isn’t a single training session or even a number of training events, tests, etc. over the course of a term or academic year. It’s a longer-term project. It’s about building a cyber security culture, which isn’t a matter of days or months but is best measured in years. As such, the sooner we all get started with this the better.