We don’t let people drive cars without knowing the safety rules and passing a test that proves their knowledge. So why do we let them use computers without first demonstrating that they know how to safely navigate the three domains of security and protect our company assets?
Security awareness is usually at the bottom of most people’s To Do lists. It’s boring. It’s repetitive. It can be costly and time consuming. And most people think they already “know” it. But here’s the thing: they don’t.
Educating users and making them security aware is one of the most worthwhile ways you can spend your money. Think of how much you’d lose if one of them accidentally infected your network with a Trojan. Maybe they had forgotten to back up recently, and not only did the Trojan manage to wipe everything on the network drives, it also installed a keylogger that snatched up everyone’s passwords, which no one had bothered to change in the last three months.
Would you let someone drive your car if they hadn’t read the driver’s manual and sped past all traffic signs without so much as a glance? Too many users are doing just that, putting their companies at risk: clicking on links, giving away confidential information, responding to phishing emails, storing their passwords in unsecured locations. Isn’t it worth it to help spread the awareness and bring security to the forefront of everyone’s minds?
1. Think of the Triad
A lot of folks think ‘security’ = ‘technology’, but the thing is, security usually comes down to the people: how people use technology and the physical steps people take to secure or break down a barrier. By talking about all three domains in the security triad – Cyber, Physical and Human – you can foster a more well-rounded understanding of the problem and find better solutions.
2. Make Work Personal
Users will care more about protecting the confidential data on your networks if you make your awareness training fun and personal. Relate it back to protecting the kids or maintaining their private data, such as medical records. Teach them how to secure their personal lives and they’ll better understand the risks at work.
3. Real Life Social Engineering Tests
Once a month or once a quarter, stage a real-life social engineering test. Pretend to be a delivery guy or a repair man and see what information you can swindle out of the employees. Maybe you call the IT department to finagle someone’s password out of one of the admins. Doing tests like these will show you where your weaknesses are and where your awareness education needs to focus. Publishing the results might also make everyone aware of their mistakes and put them more on guard.
4. Frequent, Short Reminders
We live in an ADHD world. No one has the attention span to read a policy book front to back (did you?). But people are used to watching short, 3-minute-or-less YouTube clips, and reading quick 1-page-or-less blurbs in magazines. Every month, pick a topic (phishing, social engineering, passwords, backup) and create short newsletters and/or videos on that topic, distributing them at the same time, every month. The regular (but not annoyingly frequent) reminders will bring security to the forefront of everyone’s minds.
I certainly wouldn’t want to be in a car with someone who didn’t know what a Yield sign meant, and I most assuredly would not want someone working for me who just clicks on every unknown link in the emails they receive.
Educate your users and protect your networks. By forgoing security awareness education, you’re risking a lot more than a speeding ticket.
By Ashley Schwartau