A truly security-aware employee…
1. Knows, understands and follows policy to the letter.
Policy exists for a reason: to protect company networks and data. Think about policy like the brakes on a car. The brakes are there not to make you stop but rather to allow you to go fast! Policies are designed to let you do your job as best as you can while still keeping the data and networks secure.
2. Reports (potential) security incidents.
Security-aware employees are not tattletales but rather lookouts for any potential situation that could cause problems for the organization. This is everything from an unknown person on the premises without identification, to a usually locked door that is sitting wide open. A potential security incident doesn’t have to be dire – like if you actually clicked on a phishing link and now your computer is infected with ransomware – and in fact, that’s why we call them “potential” security incidents: because they are not yet incidents. If you think you may have seen, done or overheard something that could potentially one day become a problem, tell someone now.
3. Stays alert and aware at work, at home and on mobile devices, in all three domains.
We tend to forget that security is not just about the cyber world. Phishing emails and malware are huge threats, but there are two other domains – physical and people. Social engineers call on the phone, discarded hard copies of sensitive data could be stolen, sensitive conversations could be overheard, mobile devices could be lost… We must be alert for potential security incidents in all three domains.
4. Keeps up to date with security news, improving their security posture regularly.
The only way to avoid security risks is to know what to look out for, and the only way to know what threats we must be on the lookout for is to read the news and know what’s going on in the security world. What tactics are criminal hackers using now? What caused the most recent data breach? What kind of malware should my software be detecting? Following security news outlets (like our blog and Twitter feed) will keep you in the know and make you a more informed digital citizen.
5. Asks questions when they aren’t sure about something.
There’s no such thing as a dumb question. Your managers and bosses won’t mind if you need to clarify something in policy or ask who you should report security incidents to. They would rather you ask when you don’t know than you stay quiet and passive. Asking questions shows that you are engaged and care about the security of the organization.
Latest posts by Ashley Schwartau