Security awareness in practice

Creating a security culture

Security awareness is an ongoing task. In this article, two security experts explain how businesses can successfully bring about a change in employee behaviour and improve security awareness. Check out their insights into becoming more security aware as a company.

Text: Andreas Heer, Pictures: Swisscom
26 September 2023

Cyber incidents can be avoided better, detected earlier and averted in a more targeted manner if all employees feel involved in cybersecurity.

The security culture in companies has itself undergone a culture change. “Only a few years ago, companies were implementing awareness measures purely for compliance reasons,” recalls Marcus Beyer, Head of Security Awareness at Swisscom. This required employees to complete an annual awareness training. Proof of completion was often sufficient to meet certification requirements. Such an approach has a minimal impact on a company’s long-term protection, however.

The security culture is maturing

Today, on the other hand, the focus of awareness programmes, such as at the Raiffeisen bank in Switzerland, is on their impact. Information Security Officer Monika Geitlinger is responsible for running the security awareness programme at the bank: “Our goal is not to simply tick a compliance box. We genuinely want our employees to be better able to assess and deal with risks in the cyber world.” Marcus Beyer echoes the importance of this for everyday business: “I always go a little further and say I want to bring about a change in behaviour.”

Monika Geitlinger, Raiffeisen Schweiz

“An active error culture is enormously important to us.”

Monika Geitlinger, Raiffeisen Switzerland

In other words, employees develop a security awareness that they apply within their day-to-day work (in front of a screen). According to Marcus Beyer, this goes beyond simply detecting phishing e-mails: “We want it to become automatic for employees to behave in a security-conscious manner; for example, by classifying documents when saving them or sending an e-mail link rather than an attachment.” This is also a good example of how people and technology work together in cybersecurity: the human does the classifying and technology takes care of the protection.

To achieve such a degree of security awareness, however, Monika Geitlinger and Marcus Beyer both agree that businesses have to dedicate sufficient human resources to the issue. This is also one of the findings of the SANS 2023 Awareness Report, which analyses data provided by security awareness professionals from around the world: the greater the support from management and the more staff deployed in the area, the more mature the Awareness programme in companies.

Actioning awareness measures

To achieve the desired maturity and have a genuine impact on day-to-day business, both awareness experts rely on a wide range of different measures throughout the year. “In general, we use a number of different, ideally interactive, channels to provide information: training in the form of e-learning, lunch and learns, live streams, a blog and the occasional security escape room,” explains Monika Geitlinger.

Marcus Beyer uses similar formats. In the phishing awareness training, he had positive experience with gamification, with points up for grabs for every phishing e-mail identified. “The employees found it cool,” he asserts.

Marcus Beyer is also responsible for an Intranet video series in which he provides regular profiles of diverse cybersecurity professionals. “Employees want to know who is protecting us,” he explains. "And they also follow the example of the people presented, which itself helps to improve cybersecurity.

Monika Geitlinger too has seen the benefits of making cybersecurity more personal. “Employees now come up to us in the coffee room, for example, which can lead to some interesting discussions.” And ultimately has an observable impact on the security awareness of employees.

A security culture is an error culture

Of course, even the best phishing awareness training does not provide absolute protection against being scammed. Such a situation calls for both technical protective measures and cybersecurity professionals. It is therefore all the more important that employees report suspicious incidents and errors of judgement. Such information makes incident response much easier and helps to avoid major damage.

Marcus Beyer, Swisscom

“Gamification of the subject matter went down well with the employees. It helped increase their motivation and boost the impact of the training.”

Marcus Beyer, Swisscom

It is important to have an error culture where employees are encouraged to report such incidents. “An active error culture is enormously important to us. It is vital that our employees report incidents, even after the fact,” explains Monika Geitlinger. Taking away employees’ fear of this is integral to the security culture. Marcus Beyer echoes this: “Employees should feel able to report incidents without fear or a guilty conscience because they know that they are helping themselves and the company.”

The awareness journey never ends

Developing a security culture is an ongoing process, as Monika Geitlinger explains: “Cybercriminals are constantly finding new ways to exploit weaknesses in our systems and new avenues of attack. This means that our task is never truly complete as the landscape is constantly changing. We thus need to continue to adapt our efforts in the future to make sure we don’t lose ground.”

It is important that employees from all areas of a company are involved, and that appropriate action is taken to accommodate any new developments in the company, as Geitlinger continues: “With the digital transformation, companies may suddenly employ software developers. Awareness training is thus vital from the outset to ensure that these employees take cybersecurity into account even from the code writing stage.” An awareness programme may also involve IT professionals and focus on topics such as the secure configuration of systems and cloud platforms; something that is becoming increasingly important with hybrid and increasingly complex environments.

This culture change in a company’s security culture is not complete once a certain maturity level is reached. The work of Monika Geitlinger and Marcus Beyer is therefore never done.

Find out more