Population immunity (or, less flatteringly, “herd immunity”) occurs when most of a population becomes immune to a given disease, making it more difficult for the disease to take hold and spread widely enough to cause an outbreak. Achieving and maintaining population immunity against common diseases provides protection even for people who can’t become immune (i.e. be vaccinated) themselves, such as people with compromised immune systems.
Security training and awareness programmes must pursue exactly the same population immunity outcome.
The goals of an effective awareness programme should include changing the behaviour of staff not only to reduce their own likelihood of falling victim to phishing, but so that a group mindset of acting securely spreads to their colleagues and their wider work (and ideally personal) community. Awareness programmes can therefore provide “herd immunity” against low-level phishing attacks, or against the common pressure to bypass security controls in the name of expediency.
Maintaining population immunity against disease is harder in the modern world because globalisation and rapid population movements can introduce groups who have not received the same vaccines – something with a direct analogy in the workplace.
In the modern office, companies treat 10-20% staff turnover per year as an acceptable level of change, and temporary workers are commonplace – often entire functions are outsourced to different companies and geographies. On top of those internal changes, today’s companies are often acquisitive and may integrate several new companies (and their associated workforces and cultures) into the corporate structure each year.
To cope with this constant pace of change, and to make sure that next week’s college graduate or temp worker is ready to work as securely as their new teammates, it’s vital that our awareness programmes don’t just greet new staff with an e-learning package or a monthly email, but with a set of co-workers who are already role-modelling how to work securely within their team.
One of the key controls we’ve implemented is our Data Guardians scheme, in which we work with a handful of staff from each key team to ensure that we have trained, enthusiastic and engaged volunteers who report broken processes, deliver security messages in their team meetings, and tell us what has worked well (and what hasn’t!) in our awareness programme. We ask our Data Guardians to be role models for security among their colleagues, so that if a new employee has a question or needs someone to turn to for advice, they know who to approach; no matter how approachable our team is, we know that contacting a security team can feel like an imposing step.
We may never achieve 100% immunity to common diseases across our national populations, and equally we have to accept that our awareness programmes aren’t going to work for every last employee. However, by aiming to engage and influence the majority of our staff through innovative content and localised role models within key teams, we can aim to achieve security population immunity – a nirvana in which we have strong engagement from the majority of staff, who default to secure working practices and exert their influence over the minority who may never be directly engaged with our message.