NEWPORT, R.I.—The Pell Center hosted a cybersecurity awareness seminar on April 22 in collaboration with New England’s premier electricity and gas utility company, National Grid, as part of its ongoing Rhode Island Corporate Cybersecurity Initiative. This particular seminar focused on how effective security strategies within a company—not merely cybersecurity awareness—can help bolster overall cybersecurity by changing internal culture and attitudes towards cyber threats. In other words, companies from start-ups to the S&P 500 should focus on policies that create a vigilant and cyber-aware workforce.
Why is cybersecurity awareness important?
As Francesca Spidalieri, the Pell Center’s Fellow for Cyber Leadership, has said, “Unfortunately, cybersecurity awareness programs are often overlooked by organizations with a common attitude that no matter how bad cyber threats are, they won’t be a victim because they are too small, not as profitable, not part of a critical sector, already well-protected, and so forth.” Cybersecurity issues, however, often trace their origins to ordinary technology users within a company who have not received adequate training, do not take security seriously, and prize convenience over security. The end result is that a whole range of companies ends up sidestepping basic standards of cybersecurity best practices, placing their business and their customers’ data at risk. Even worse, companies may face cyber threats by disgruntled employees who have trusted access to sensitive systems and information, and who exploit known vulnerabilities. “A preponderance of reported breaches,” Spidalieri continued, “are a direct result of intentional or unintentional failure to follow simple security practices or are the consequence of the malicious actions of an insider threat.”
A Cultural Safety Change at National Grid
As we move toward increasingly interconnected and modernized network systems, as is happening in the energy sector with Smart Grid, the potential for wide-scale impact creates a more attractive target for cyber attackers, who can either disrupt service or compromise databases and data transmissions for financial gain. National Grid has made cybersecurity awareness programs a core component of its security posture. During the seminar, National Grid’s Business Information Lead, Mr. Thomas McMahon, provided the group of senior leaders gathered at the Pell Center with an overview of the security awareness programs that his company has developed and implemented over the course of the last seven years to foster a cyber-aware culture throughout the entire organization. After a series of physical incidents due to the hazardous nature of their work, National Grid realized that just making its employees more aware of the physical and cyber-related risks and dangers inherent to their industry was insufficient, and that an overall cultural safety change was necessary to drive people to act on that awareness and modify their attitude and behavior toward security. In particular, they recognized that cyber risks pose one of the biggest threats to the confidentiality, integrity, and availability of their key assets, and that an effective cybersecurity strategy must involve the entire business in a holistic manner. “Cybersecurity is very similar to physical security,” Mr. McMahon said. “Safety is everyone’s responsibility, and all employees should take ownership of their company’s cybersecurity.”
National Grid’s Global Security Awareness Campaign
National Grid first partnered with the University College of London (UCL) to assess the current behavior and attitude of their employees toward cybersecurity (“measure the security culture”), and then developed a series of cybersecurity awareness activities and training to improve the culture throughout all levels and business areas. The results of the initial assessments showed that National Grid’s workforce already had a good general awareness of cyber risks to business, but lacked a deeper understanding of specific cybersecurity best practices and the risks involved, and indicated a perceived pressure to prioritize main business tasks over security. With this information in mind, National Grid had to better explain “why” policies exist, clarify the acceptance of prioritizing tasks over security, create action when promoting awareness, and then utilize different methods for training to reach the entire workforce. One of the most successful tools of the Global Security Awareness Campaign they launched was the creation of an interactive character, SAM (Security Action Machine), included in all videos, posters, and brochures aimed at educating employees on information security, data privacy, and physical security. The animated videos helped communicate key messages and acted as a useful guide to provide help in security-related matters. Shown at team meetings to all levels of staff, the engaging delivery method assists in creating awareness, delivering a consistent message, and assuring the success of this campaign.
A specific “Security Knowledge Zone” web page, on which the animation is housed, was also created to provide additional information, best practices, useful tips and tools to “stay secure, protected, and safe” online both at home and at work. In addition, SAM has a Yammer page and a SendWordNow account to share current cybersecurity information and tips.
Today, National Grid continues to measure the results and progress of existing awareness activities, update its training programs and the corresponding videos, posters, and brochures, and host open houses and meetings to engage all employees and create an even more vigilant and cyber-aware workforce. “It’s a constant process,” said Mr. McMahon.
For more information on National Grid’s Global Security Awareness Campaign or the Pell Center’s RI Corporate Cybersecurity Initiative, contact Francesca Spidalieri.