SECURE North America | Users Aren’t the Weakest Link, They’re Your Allies

Security teams should stop treating users as the weakest link in security and, instead, turn them into allies in building a strong security culture. This was the message from Shelly Epps, HCISPP, Director of Security Program Management at Duke Health, who delivered a presentation this week at the (ISC)² SECURE North America virtual event.


“If you are relying upon users for your security, you’ve effectively already failed,” she said. Instead, organizations need to develop comprehensive, multidimensional programs that keep users engaged.


Traditionally, Epps said, organizations have built security programs around compliance obligations and PowerPoint-based lists. Programs tended to be punitive, turning the cybersecurity staff into the bad guys, when a rewards-based approach is better.


Developing the right culture requires empowering people by helping them internalize the need for security and understand their own role in security, she said. It helps to instill a hive mentality with everyone “working together working for the greater good.” And Duke Health has sought to accomplish this with a series of awareness initiatives, including phishing simulations, short, easily digestible videos, the launch of a virtual security academy, and an ambassador program.


New Direction


Starting in 2020, Duke Health embarked on a new approach to security training and awareness. In February, the company did a phishing simulation using what Epps called the “ugliest Valentine’s Day phish.”


Users were sent an e-card that required them to click a link to see the card. “It was very similar to how e-cards work. I thought e-cards were kind of done at that point,” Epps said.


As it turned out, e-cards still appealed to recipients. “We had a very concerning c ..