Security awareness is all about training and educating users. Strengthening the so-called ‘human firewall’ is a very powerful tool in the fight against cybercrime. Davina Luyten recently spoke with Katja Dörlemann, Awareness Specialist at SWITCH (the Swiss Research and Education network organisation), about awareness activities and main challenges.
How would you describe your role as Awareness Specialist at SWITCH?
Working in the field of security awareness is like building bridges between IT security and the rest of the world. Cybersecurity is everybody’s business! We all have to deal with it: no day goes by where we don’t have to enter a password. The security community struggles with building this connection and therefore we need people who translate this IT expert language to a language understandable by a broad public. As an awareness specialist in the SWITCH-CERT, I try to do that for our community: research institutions, universities, the Swiss internet community and also critical infrastructure organisations.
How do you raise awareness among your customers and end users?
First of all, we share expertise and knowledge and raise more ‘awareness for awareness’. That’s why we organise the SWITCH Security Awareness Day every year. We want to provide our community with a platform to exchange and connect with peers, gather new ideas and inspiration. We also travel around connecting internationally with other initiatives and experts, collecting knowledge and latest developments to share with our community.
Next to that, we provide support: we offer a security awareness workshop for organisations that want to start a programme. Together with an interdisciplinary team consisting of employees from IT security, communications, HR and finance, we define target groups, communication channels, pain points and formulate a broad plan incl. recommendations.
In order to offer something fun and a little bit special, we developed our SWITCH security awareness adventures, three security awareness training events based on game design. Organisations mostly use them to raise attention for their existing measures and get people engaged. It’s a mix between fun and learning and so far, we have had only really good experiences!
We also provide our community with content, that’s where iBarry comes into play. It’s an initiative from the Swiss Internet Security Alliance, of which SWITCH is one of the founding members. The iBarry platform targets the whole Swiss population. We are developing the content in the community: everything is Creative Commons, allowing universities to use the content for their own internal awareness measures.
What are the main challenges and difficulties in your community?
Definitely lack of resources, both financially and in terms of people. Security itself already lacks resources and there’s even less time and budget for awareness. That’s a huge issue. For something that’s often considered to be the ‘biggest threat’, it seems very odd to have to fight constantly for more money and workforce.
On the other hand, there is a lack of expertise. Interdisciplinary expertise is needed to set up a security awareness programme. Most people who are responsible for awareness have a background in IT. But all of a sudden, they are confronted with training and educating people, which requires a great deal of communication expertise. The collaboration between those two disciplines (IT and communication) is not always easy – and both sides are to blame. On the one hand, IT (Security) experts might not find the right way to explain their needs. But on the other hand, it happens very often that communications departments do not consider “security” as one of their issues or something they could help with. However, they need to work together and collaborate to counteract the lack of resources and expertise.
Which advice would you give to organisations / NRENs that want to start with security awareness?
I would definitely recommend investing some time in making a plan. Be clear on your motivation for security awareness measures: do you just want to tick the box in your compliance form or do you want to create impact? Then make a structured plan: who’s your target group? Do you want to target the whole company, admins only, management? What are your pain points? Passwords? Tailgating? Data classification? What are your communication opportunities? Are there newsletters? A blog on the intranet? A good spot for posters? Those are a lot of questions but it is worth thinking about them before you start. That is how you can define priorities, ask for specific support and be efficient.
The next step will be to get support: you’ll need to approach your comms or HR department, or whoever is responsible for e-learning. If you have some budget, you can also look for external support from a consultant, graphic designer or content developer for example. Last but not least: look for free content to use and exchange knowledge and experience with your peers.
Could you tell us something about the podcast “Security awareness insider”?
For every possible topic you can find experts, famous people or entertainers talking about it. Among podcasts revolving around politics, sports, psychology, crime or history there are also some putting the topic of information security in the spotlight. If you are working in security awareness there is not much in it for you though. Most podcasts on security cover the topic by inviting one phishing simulation provider. But as you know, there is so much more to it!
Our target audience are the people who work behind the scenes in security awareness, not the end users. We invite experts in related fields, as well as professionals, to talk about their security awareness programmes. We recently published the 10th episode, we’re a pretty good team and it’s a lot of fun!
If you want more information, check the websites below or contact the SWITCH Security Awareness team.
- SWITCH-CERT: https://www.switch.ch/security/
- SWITCH Security Awareness: https://swit.ch/security-awareness
- SWITCH Security Awareness Day: https://swit.ch/security-awareness-day
- SWITCH Security Awareness Adventures: https://swit.ch/security-awareness-adventures
- iBarry: https://ibarry.ch
- Podcast: https://www.securityawarenessinsider.ch/
- Article on podcast: https://securityblog.switch.ch/2021/07/13/one-more-podcast-security-awareness-insider/