Cyber Security Awareness Maturity: understanding the concept and finding out what it can say about your company
Cyber security awareness maturity can tell us a lot about whether or not a company invests in the security of its data, installations, employees and clients. It shows us whether there is a continuous, long-term concern, or whether awareness is just a measure to comply with legislation or other standards, without a real interest in improving habits both inside and outside the workplace.
Therefore, it is very important that we learn well how it works, what the levels of measurement are, what it can tell us about the company's priorities, and how it can impact corporate routines.
Learning the concept
Cyber-security awareness maturity shows us how the company we work for sees and invests in the area of cyber-security through awareness programs. This is obvious from its name, but it is important that we understand this very well, mainly because maturity is the element that will show us how awareness programs can or cannot be effective, what risks the company runs, and what importance it gives to the security of its employee and client data, which is of utmost relevance, especially in times of the LGPD in Brazil.
To measure the maturity of each organization's awareness program, the SANS¹ maturity model can be used. It comprises five levels that measure the effectiveness, scope and impact of cyber security awareness programs.
This being said, we will take a look at each of the maturity levels and how they can show us the company’s concern with the cyber security of its physical and virtual environment.
Level 1 – Non-existent
On this level, the company has nothing. This means that there is no attempt by the company to implement security awareness measures of any kind, mainly due to a lack of resources or because it does not give due importance to the matter. This is a mistake, since virtual and physical threats against corporations grow every day, as can be seen, for example, in the 28% increase in phishing in 2019 (according to a survey conducted by Cyxtera)².
A simple analogy to understand this level would be to compare it with the habit of doing sports or physical activity. In this case, the company would be "sedentary" and, just as people who do not have this healthy habit are more likely to acquire certain health problems or diseases, a company ends up being more vulnerable to risks and threats, both in the virtual and physical security spheres.
Fortunately, few companies are at this level, especially since the introduction of new information security and cyber security legislation, such as the GDPR in Europe and the LGPD³ in Brazil. However, companies at this level can face a series of problems, such as loss of client credibility, vulnerable information, legal sanctions and even financial losses due to virtual scams, such as extortion and "digital kidnapping" (ransomware).
Level 2 – Compliance focused
Let's consider the following situation: a company, after receiving reports from auditors regarding the misuse of data and computer systems, decides to implement a new cyber security awareness measure. To do this, the establishment decides to hold an annual lecture, with certain IT staff members, and send monthly newsletters to employees.
Were you able to imagine this situation? This is the scenario at level 2. Here, the company is usually only interested in complying with standards or legislation, not necessarily in improving the daily habits of its employees. In addition, it might only implement ad-hoc programs, i.e., programs for specific purposes, with no attempt to change the behavior of the company's employees and collaborators.
As a simplification, we can think of this level as when we have a health problem, like a headache or heartburn, and we just take an analgesic or an antacid, without worrying about going to a doctor and finding out whether there is a real problem with our body or our daily habits (such as food, physical activity and hydration).
Thus, just as we take flu medicine without knowing what caused our immunity to drop, some companies also use an occasional "medicine" to "cure" cyber security problems, implementing measures that will not necessarily lessen risks and threats, but only provide temporary solutions.
Unfortunately, most companies are at this level, mainly due to a lack of investment in cyber security awareness programs or a lack of interest in obtaining a long-term security solution; they adopt only the minimum required by certain cyber security and data security standards or legislation.
This is a concern, since this level may even be considered worse than level 1: the company ends up with the false impression that it is doing something for the security of its data, information, installations and employees, when, in fact, it does not have an efficient and effective solution for its problems.
Level 3 – Promoting awareness and change
As the company becomes increasingly concerned with the habits of its employees, it moves on to Level 3. At this level, the main objective is to have an impact and promote changes in behavior in order to reduce risks to the company.
Many companies do not reach this level and remain stagnant at level 2, mainly because of the greater difficulty in promoting this awareness and change, which requires more planning and continuous reinforcement throughout the year.
Thus, level 3 has a greater focus on introducing awareness content in an engaged and positive manner, encouraging behavior changes at work, in personal life and in employee travel. As a result, employees and teams become aware of the company’s policies and processes and can actively prevent, recognize and report incidents.
To better understand this, we can compare this level with someone's attempt to change their diet, wanting a healthier life and to change their eating habits, in order to bring benefits and impacts through this change in behavior. Thus, just as someone starts eating more fruits and vegetables daily to improve their eating habits, companies can also invest in regular and continuous programs in order to implement a change in behavior and therefore avoid future losses and risks.
Level 4 – Long-term sustainment
At this level, as the name implies, cyber-security awareness is sustained through an existing program that promotes awareness and change. Thus, while the company builds on level 3, it wishes to go further, since its awareness program is already becoming more consolidated. Therefore, on top of this base, processes and resources are added to support a long-term cycle, including, at a minimum, an annual review and continuous updating of training content and communication methods.
As a result, the awareness program becomes a part of the company's culture, being always present and engaging the company's employees and teams, becoming almost automatic on their part. Thus, this level can be compared to a fixed physical exercise routine, when a person can no longer go without the weekly amount of these activities, which have now become part of his/her culture and routine, being difficult for him/her to do without.
Nevertheless, many companies invest in this level only for a short period of time, such as a year or a little more. If the program is not constantly revised and reintroduced into the environment, the cyber security mindset will die and the benefits will be lost, just like someone who exercises regularly for a year and then, all of a sudden, decides to stop.
Therefore, it is necessary that the company has the resources for a long-term program, which must be regularly updated, since technology, laws and cybercriminals are always adapting and changing.
Level 5 – Metrics
The last level of cyber-security awareness maturity keeps all the benefits of the previous levels and adds ways of measuring the progress and impact of the program, which enables continuous improvement and makes it possible to demonstrate the return on the investment made by the company.
This level is called "metrics", but measurement can also be done on the previous levels. The point here is that there is a formal measurement program: not a simple count of how many people have taken a certain type of training or how many newsletters the company has sent, but a measurement of the impact of the awareness training carried out by the company and of the change in behavior of all its employees.
This said, some questions can be used to help us perform these measurements, such as: What learning objectives have been more or less effective? Does the company have certain departments or units that are more vulnerable to human-based attacks than others? Is the company preventing more attacks? Is the company detecting more incidents? Has there been a reduction in risk?
Thus, this level can be compared to having healthy habits and taking blood tests from time to time. Therefore, in the same way that a blood test can measure the benefits of a new diet and physical exercise (such as lower cholesterol and glucose levels, for example), the level of measurement also helps us to determine the extent of the impact caused by this new cyber security mentality introduced in the company, explaining the financial returns and improvements brought about by the program.
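To make the level 5 questions concrete, here is an added example that is not part of the original article and is not code from Perallis Security or SANS. It takes constructed simulated-phishing results (department names, campaign labels and outcomes are all invented for illustration) and computes the kind of behavioral metrics the questions above ask for: per-department click and report rates, which departments are above the company-wide click rate, and the relative risk reduction between two campaigns. It goes slightly beyond the text by also tracking the report rate, since reporting is the behavior change a level 3 program tries to create.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One employee's outcome in one simulated-phishing campaign (constructed data)."""
    campaign: str      # campaign label, e.g. "Q1"
    department: str
    clicked: bool      # employee followed the simulated malicious link
    reported: bool     # employee reported the message to the security team


# Constructed sample data: two departments, two quarterly campaigns, four
# employees each. These values are invented, not measurements from any company.
RESULTS = [
    Result("Q1", "Finance", True, False),
    Result("Q1", "Finance", True, False),
    Result("Q1", "Finance", False, True),
    Result("Q1", "Finance", False, False),
    Result("Q1", "Engineering", False, True),
    Result("Q1", "Engineering", True, False),
    Result("Q1", "Engineering", False, True),
    Result("Q1", "Engineering", False, False),
    Result("Q2", "Finance", True, False),
    Result("Q2", "Finance", False, True),
    Result("Q2", "Finance", False, True),
    Result("Q2", "Finance", False, False),
    Result("Q2", "Engineering", False, True),
    Result("Q2", "Engineering", False, True),
    Result("Q2", "Engineering", False, True),
    Result("Q2", "Engineering", False, False),
]


def rates_by_department(results, campaign):
    """Return {department: (click_rate, report_rate)} for one campaign."""
    counts = defaultdict(lambda: [0, 0, 0])  # [targeted, clicked, reported]
    for r in results:
        if r.campaign != campaign:
            continue
        c = counts[r.department]
        c[0] += 1
        c[1] += int(r.clicked)
        c[2] += int(r.reported)
    return {d: (clicked / n, reported / n) for d, (n, clicked, reported) in counts.items()}


def company_click_rate(results, campaign):
    """Company-wide click rate for one campaign (0.0 if nobody was targeted)."""
    rows = [r for r in results if r.campaign == campaign]
    return sum(int(r.clicked) for r in rows) / len(rows) if rows else 0.0


def most_vulnerable(results, campaign):
    """Departments whose click rate exceeds the company-wide rate ("which units are
    more vulnerable to human-based attacks than others?")."""
    avg = company_click_rate(results, campaign)
    by_dept = rates_by_department(results, campaign)
    return sorted(d for d, (click, _) in by_dept.items() if click > avg)


def risk_reduction(results, before, after):
    """Relative drop in the company-wide click rate between two campaigns
    (0.5 means the click rate halved; negative means it got worse)."""
    b = company_click_rate(results, before)
    a = company_click_rate(results, after)
    return (b - a) / b if b else 0.0


if __name__ == "__main__":
    for campaign in ("Q1", "Q2"):
        print(f"{campaign}: company click rate {company_click_rate(RESULTS, campaign):.1%}")
        for dept, (click, report) in sorted(rates_by_department(RESULTS, campaign).items()):
            print(f"  {dept:<12} clicked {click:.0%}  reported {report:.0%}")
        print(f"  above average: {', '.join(most_vulnerable(RESULTS, campaign)) or 'none'}")
    print(f"Risk reduction Q1 -> Q2: {risk_reduction(RESULTS, 'Q1', 'Q2'):.1%}")
```

The important design choice is that every figure is a behavior rate, not an activity count: the number of people who attended a lecture or received a newsletter never enters the calculation, which is exactly the distinction the level 5 description draws between a formal measurement program and simple counting.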
Conclusion
Lastly, we can conclude that cyber-security awareness maturity is a very important concept, which should be studied and applied by everyone with an interest in the corporate world, especially those seeking to implement some sort of cyber-security awareness program who do not know how to go about it.
A good option for reaching a high level of maturity in your company and ensuring that your employees and collaborators adopt a cyber security mentality is the Hacker Rangers program, created by Perallis Security, which makes the learning process and behavior change entertaining and efficient through a 100% gamified platform.
Thus, investing in cyber-security awareness ends up being not only an investment per se, but also generates a financial return and an immensely positive impact on the lives of the company’s employees.
Sources:
1 - https://www.sans.org/security-awareness-training/blog/security-awareness-maturity-model
2 - https://www.itforum365.com.br/ataques-de-phishing-aumentaram-28-em-2019-revela-pesquisa/
3 - https://www.perallis.com/news/a-lgpd-vai-pegar-no-brasil
Article translated from: Maturidade em programas de conscientização em cibersegurança: entenda o conceito e descubra o que ele pode dizer sobre a sua empresa — Perallis Security