Security experts speaking at Infosecurity Europe 2013 said that raising employees' awareness of cyber risks is a vital element of their incident response strategies, and urged firms to give staff incentives to learn security best practice.
Vicki Gavin, head of business continuity & information security at The Economist Group, told attendees that the media company has tried to use innovative techniques to boost staff awareness.
Further reading
£650m investment 'underlines importance' of UK cyber security, says Cabinet Office H4cked Off: Why austerity shouldn't apply to cyber security 'We're not winning the war on cyber crime,' MPs told
"Each individual is an extension to the security team and so we want to know what happens ideally before, or as soon as it happens. What we did is run a raffle, whereby in order to get a ticket, an employee had to forward on a phishing email, and for every phishing email they sent, they would get an additional ticket," she said.
"It forced people to internalise and see what makes an email a bad one. They had the opportunity to learn in a safe way... there have to be plans in place so that they are able to practice," she added.
Tracy Andrew, information security and compliance officer at law firm Field Fisher Waterhouse, agreed with Gavin, stating that there should be ways of making things like log monitoring less "boring", perhaps by incentivising people.
Andrew added that he helps to write a 24 page policy document which he deemed "terrible", but said that his goal was to turn that into a three page six sides policy.
"Having a policy is great, but if you want something better, draw a picture," he said.
"Straplines, posters and leaflets are more likely [to raise awareness] in the firm. Some people have to do mandatory health and safety training, and even though I think there should be data protection training [as mandatory], why not leave some of the data protection leaflets at the health and safety training, make them happy, snappy and quick and people are more likely to pay attention," he said.
Head of cyber security & response at HMRC, Edward Tucker, added that the human element of security was increasingly important and potentially costs firms the least amount of money.
"Traditional controls, signature based controls, and the human element gets you so far.... You've got to infuse intelligence with that and know your own environment," Tucker said.
"The awareness campaigns are the most important thing you'll do," he told delegates.
