Organizations often spend money on security technology or services and then find that these initiatives fail to achieve their objectives because front-line employees or senior management do not support them. Remember that all your security measures and expensive security hardware are of little use if you have an uninformed employee.
Security awareness is vital at all levels of an organization. Implementing appropriate measures to create that awareness among all employees leads to the desired behavior in security-relevant situations. Educating employees about security threats and cyber-attacks should not be considered a waste of money, but rather an investment in mitigating threats. It is also prudent that employees know whom to contact and what procedures to follow if they suspect a hacking attempt or any other threat.
Security awareness and training both play a role in incident response [1a]: a person whose primary role falls outside information security must know whom to call, and where, for the various levels of incident. Without timely reporting to the right people, it is much more difficult to mitigate the risk of a security breach harming your organization. Good training helps all personnel recognize threats [1b], see security as beneficial enough to make it a habit at work and at home, and feel comfortable reporting potential security issues. These users should also be aware of the sensitivity of protected data, even if their day-to-day responsibilities do not involve working with it.
Education, Training, and Awareness
Learning is a continuum (Figure 1); it starts with awareness, builds to training, and evolves into education. The continuum is described further in National Institute of Standards and Technology (NIST) SP 800-50, "Building an Information Technology Security Awareness and Training Program".
To change the security culture of your organization, your staff must be more than just aware; they must participate in the act of learning. Awareness is achieved when a learner passively receives information from instruction, whereas training is a more active process with established goals, understood learning objectives, and an expected change in behavior. Training builds the essential knowledge and develops the skills a learner will use when faced with specific scenarios.
The program should be aligned with the overall business strategy and adaptive to changing threats.
National Institute of Standards and Technology (NIST)
Security awareness is addressed very differently across regulations and standards. Analyzing and differentiating them can help an organization meet its compliance requirements more efficiently. A company should know which regulations are relevant and applicable to it. In general, applicability depends heavily on the business, which means organizations are often subject to several sets of requirements at the same time. The NIST standards can help you design or update your internal security awareness program.
NIST publishes many different standards. In SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), security awareness is addressed in the form of four relevant controls, the Awareness and Training (AT) family, which are:
Components of a Program
The Adaptive Awareness Framework designed by MediaPro [5a] [5b], which is tightly aligned with the NIST Cybersecurity Framework, offers businesses an actionable and measurable way to introduce better security awareness into their organizations (Figure 2).
Best Practice to Build Security Awareness Program
The end goal of a security awareness program is to produce professionals capable of vision and proactive response (Figure 3). The following security awareness best practices will help you improve the effectiveness and comprehensiveness of your program:
Manipulating the human element is one of the most effective ways for an attacker to gain access to an organization that has invested heavily in technical controls but not enough in employee training and awareness.
Without comprehensive education, user-targeted attacks such as social engineering will remain a significant source of risk for an organization. In addition to teaching users about the inherent risks of using technology, it is essential to educate them on the policies and procedures they must follow to operate safely within the organization's systems. Training should also take into account the types of access and the roles that employees have.
If you found this article to be helpful, please do click the Thumbs-Up icon below. This lets me know what is valuable for EE members and provides direction for future articles.