This is nicely timed from guest blogger Morey Haber.
You probably know that it is National Cybersecurity Awareness Month. Well, Haber has ideas on creating the right cybersecurity culture across the company.
It goes well with this week's theme: "Cybersecurity in the Workplace Is Everyone's Business." Read his article and see if you agree.
One of my favorite kinds of spam email is the message from a cybersecurity company soliciting security awareness training for your employees.
Think about it. You are receiving spam email, potentially a phishing attack, from a company offering services on how not to fall for a fraudulent email scam.
It seems kind of counterintuitive, much like Equifax offering credit monitoring services. Yes, I went there, but my point is really about security awareness, not taking jabs at the email solicitations businesses use to market their services or communicate trends in the marketplace.
Security awareness is much more than training, knowledge, and attentiveness, and it is much more than spotting the latest phishing email. It becomes a culture in your business and a part of everyday life.
Security awareness is not paranoia, but it can be taken to extremes if misunderstood. This was certainly the case when Yahoo labeled its security professionals the "Paranoids."
Security awareness does require education, but it also requires intelligence: knowing when to respond and when a situation can correctly be ignored.
If every event, alarm, and situation becomes a problem, security awareness is no different from extreme paranoia. This can take many forms, from cybersecurity to physical access. It is overly dramatized, for example, when every visitor must register their laptop (and now mobile phone, tablet, or even USB key) at the security desk on check-in, yet is denied even guest access to the internet or corporate network in any form.
Security awareness needs a causal relationship of action, threat, and outcome, not just a blanket statement of denial or a bare "do not do this."
This is how we take basic education and training past guidelines to intelligence and attentiveness: knowing why something is a problem rather than just following the mandate. Therefore, when we consider security awareness education, we need to consider the following factors in our corporate training:
In the end, security awareness means comprehending that individuals, deliberately or accidentally, can steal, damage, or misuse the information and assets an organization prizes.
Raising awareness can come in many forms—from education to cultural changes—but in the end, it must be a part of daily business in order to be effective.
Just stating that “we have done our annual security awareness training” is simply not enough. Any good executive understands the importance of measuring the business.
I would encourage all teams to measure the effectiveness of security awareness training, policies, and procedures through penetration tests and role playing. This can include basics such as online situational tests that all users are required to complete, to confirm basic knowledge transfer. Track the results over time as well: a single pass rate says little, while a trend shows whether the culture is actually changing.
Therefore, security awareness should be viewed as a key business enabler, not just a set of policies and rules restricting the business.
If anything, it could end up saving your business.
For the latest cybersecurity news, follow SecureWorld on LinkedIn, Twitter, or Facebook.