Knowing where you are, before knowing where to begin

How secure is my organisation? It is more important than ever to ensure that information security best practice is adhered to, both in the office and when working from home.

What that best practice looks like will vary depending on your organisation’s size, industry, and the information it holds on customers, stakeholders, and staff.

The constant in this situation is the need to determine where your information security currently stands. Before deciding what changes need to be implemented to increase your organisation’s security, you must first understand what your current standards are.

Start at the beginning

So first we need to know what good looks like – what the steps are in getting there and how to avoid pitfalls.

Good for us is about secure culture – where we are successfully changing behaviours and having a palpable impact on risk. Where security is talked about and considered business as usual.

But when it comes to assessing your organisation’s current security level and the steps needed to ‘level up’, only you can properly work out whether your house is made from straw, sticks or bricks.

So, how secure is my organisation?

When assessing how secure your organisation is currently, we recommend following The SANS Institute’s cybersecurity maturity model, which breaks the stages of organisational security maturity into five levels.

Step One: No Awareness Programme

No security awareness programme currently exists within your organisation. Your employees are unaware of the risks they face, which leaves them susceptible to threats such as phishing and ransomware, and to non-compliance with GDPR and the Data Protection Act.

Step Two: Compliance Focus

Your organisation is at a stage where security is being considered, but it’s merely an exercise in ‘ticking the boxes’. This usually means that organisations engage their employees in once-per-year, uninspired training, usually consisting of quick videos and unengaging instruction, neither of which produces meaningful behavioural change.

Step Three: Promoting Awareness and Behaviour Change

Your organisation has bought into the importance of security awareness and of making positive changes to your organisation’s security culture. The training programme in place is regular and involves the use of simulated phishing to give an idea of how employees behave when faced with a threat. Your employees are getting used to being secure throughout all aspects of their work, but it’s still not their first instinct.

Step Four: Long-Term Sustainment and Culture Change

The security awareness programme in your organisation has been in place for some time, and gradually staff are starting to think of security before performing any task involving data or potential security threats, for example instinctively checking that an unfamiliar person in the office is in the right place. Whilst doing so, however, employees still feel as if they are going ‘above and beyond’ what is expected of them.

Step Five: Robust Metrics Framework

Security now feels like second nature in your organisation. Staff understand why these procedures are so important, and perform them without question, regarding this behaviour as a key part of their responsibilities. Further to this, the team within your organisation who manage the security awareness initiative meet regularly to discuss what areas can still be improved, and this information is communicated to the senior management team regularly to ensure that employees and the organisation as a whole are always improving and moving forward.

To assess where you need to go next with your organisation’s security awareness, and to answer the eternal question of how secure your organisation is, you need to objectively determine where you currently stand in relation to this model.

There is no shame in being in the early stages of security awareness, or perhaps not having even considered it. Recognising this and planning how your organisation’s security awareness can be improved is the crucial first step.

I’ve determined how secure my organisation is currently. Now what?

Once you have determined where your organisation’s awareness sits currently, you will be able to determine the steps needed to begin building a secure culture within the organisation.

The best security awareness programme for your organisation will consist of frequent training that your employees buy into. Coupled with great internal comms from management that demonstrate the importance of security awareness and why everyone needs to adopt these behaviours, this will have your organisation on its way to improving security and ensuring that potential issues are recognised and resolved before they become a problem.

Finding training that helps build a comprehensive solution to the issue of human error not only allows an organisation to mitigate the risk to information security, but also allows a business to avoid the reputational damage that comes with a data breach, not to mention the large fines that are now levied against organisations in violation of data protection law.

Hut Six Information Security Awareness Training

Featuring twenty-six comprehensive tutorials covering all aspects of information and cyber security, Hut Six’s training is focused on demonstrating learning outcomes. With Hut Six’s learning management system (LMS), employers can assess and track the achievements of staff and better understand areas for improvement.

If you would like to learn more about how you can protect your greatest assets with unique and engaging information security awareness training, click the link below.