What the Wizarding World Can Teach Us About Security Awareness Programs
Today is Star Wars Day so you would expect us to post a Star Wars-themed security blog, but we’ve actually already talked about the Death Star’s Single Point of Failure, major security fails throughout the original series and how Palpatine was the ultimate insider. We also have a divided team of nerds here at SAC, and the other fandoms wanted to have their voices heard as well. So instead of Star Wars, this year we present the first in a Harry Potter-themed series. The books about the Boy Who Lived are way more than just a fantasy tale about good vs evil; they actually provide lots of inspiration for staying secure and running a successful security awareness program.
“Understanding is the first step to acceptance, and only with acceptance can there be recovery.” Dumbledore (Goblet of Fire)
Dumbledore understands that change doesn’t happen overnight; true change (whether we’re talking post-data breach recovery or more secure behavior) takes time, patience, and lots of education. Only by educating our employees, teaching them the ropes, showing them the effects of a lack of security awareness, will they understand what’s at stake – both at work, and for them personally at home. Once someone understands the ‘why’ behind what they have to do, they will put up far less resistance to doing it, including training, testing or reading monthly awareness materials. The less resistance they put up, the more information they will actually absorb and the faster they will arrive at understanding.
“Never trust anything that can think for itself if you can’t see where it keeps its brain.” ― Mr. Weasley (Chamber of Secrets)
I am sure Mr. Weasley, already fascinated by Muggle inventions such as cars and plugs and outlets, would have his mind blown by the power of the internet and the many devices we use to connect to it and one another. But he would be appalled by the amount of blind trust so many people put into their technology. Too often, users expect the technology to protect them, assuming the manufacturers or service providers build in protection. We must remind them that this is not the case; the onus of security falls on the end user. Our smart devices are not smart enough to protect our PII (personally identifiable information), our childhood photos, or our secrets (such as that latest business proposal). Users must be reminded to rely on their own smarts and common sense, to follow policy and think before they click, and to use software such as VPNs and password managers to aid their awareness effort. And that if they ever get their hands on a diary that writes back to them, it’s probably laced with malware and they should tell someone!
“Hermione,” said Ron sternly, “we’ve been through this before… we’re not going through every exam afterwards, it’s bad enough doing them once.” (Order of the Phoenix)
The O.W.L. exams that Hogwarts students have to face at the end of their 5th year are exhausting, last for days on end, and require weeks of studying and preparation. Students dread them and many crack under the pressure, not scoring as well as they might if they had been regularly assessed throughout the year. Avoid burn-out, employee frustration, and annoyance by skipping the dreaded once-a-year training and test. Opt instead for regular and frequent learning and testing opportunities. We recommend at least quarterly, but we also think you will find even more success in building a culture of awareness by doing monthly awareness education and testing. Spice things up with unexpected short “pop quizzes”, group activities, or phishing campaigns to keep your users on their toes and to keep security in the forefront of their minds.
“Because that’s what Hermione does,” said Ron, shrugging. “When in doubt, go to the library.” (Chamber of Secrets)
We should encourage employees to ask questions when they doubt the situation instead of taking a potentially hazardous action that could worsen things. But asking a manager or other person-in-the-know isn’t always a viable option for every situation, so we should create an easy-to-access, always-available library of information for users where they can quickly find the information they need when they need it.
Many intranets will allow you to create a resource center where you can store policy documents, monthly newsletters, videos, games, How-Tos and instruction manuals. If you don’t have an intranet, consider using web-based solutions such as a private Google Site, a private Facebook Group, or WordPress to give your employees access to information. Some organizations are finding success with third-party social/collaborative learning platforms. Regardless of your process, the idea is to create a one-stop-shop for LMS activities and an internal social network of useful information. Do some research to find the best option for your organization and help all of your employees be Hermiones.
“It is a curious thing, Harry, but perhaps those who are best suited to power are those who have never sought it. Those who, like you, have leadership thrust upon them, and take up the mantle because they must, and find to their own surprise that they wear it well.” —Dumbledore (Deathly Hallows)
Again, we have Dumbledore dropping some wisdom. Some people seek leadership, others have it thrust upon them, and the same is true for running security awareness programs. I can’t tell you how many times our clients have told us that their company’s awareness program was dropped in their lap, or suddenly handed over to them, or that they had no idea what was going on and needed our help. We understand your plight, program managers! And we understand that some of you are like Harry, taking up the mantle because you have to and doing a great job.
So how can the rest of those people who have been thrust into an unwanted position thrive like Harry? Remember that Harry did not save the wizarding world on his own; while he does make the ultimate sacrifice in the end, he has a lot of help along the way. He has friends who know more than he does, he has cheerleaders who keep his morale up, and he is given the resources he needs to do the job well. As a SAP manager it is imperative to cultivate relationships with those who can (and want to!) help you and cheer you on along the way. It’s crucial to get upper-level buy-in so you can get the resources (ahem, budget or man-power) that you need.
No, none of this is easy or will happen overnight, but if you invest time in people, you’ll end up with people who will invest time in you and your SAP efforts. And while you may end up taking on the brunt of responsibility, you’ll find that having the support along the way makes it an easier cross to bear.
Stay tuned for Part 2 of the Harry Potter series!