Before we can talk about why Security Awareness matters, we must understand what we mean by it.
The first things that come to mind are probably email encryption, strong passwords, avoiding data breaches, avoiding malware, following company policy, etc. We can all probably agree that security awareness is many things.
But there are also a lot of things that it is NOT. People think that security awareness is technical, or too complicated for them to understand, or something that doesn’t apply to them in their job or personal lives. These people are wrong!
Security awareness is NOT just technical controls. Security awareness is NOT complicated (it usually comes down to common sense). And security awareness applies to everyone who ever uses the internet regardless of industry or job function.
So now that we know what security awareness is NOT, we come back to the original question: what IS security awareness?
It’s exactly what it sounds like: a general awareness about all things security related. Being aware about security. Thinking before you click.
It’s pausing before you act. It’s taking a moment to reflect – is this really an email from my bank? Did I really win a lottery I didn’t enter? It’s common sense. It’s everything from making strong, complex passwords and recognizing phishing emails to noticing that the delivery person doesn’t look quite as official as they’re acting – and not being afraid to speak up about a suspicious situation.
We must reiterate: Security Awareness is not any one thing. It’s cyber. Physical. People. Security Awareness is not just something we do at work. It’s for work, for home, and for your phone and your travels. And perhaps most importantly: Security Awareness is NOT an end goal. It is not something that we achieve. It’s not like we suddenly become security aware and can wipe our hands of it. “Oh well, I’m security aware now. I’m good to go.”
Security Awareness is a mindset. A lifestyle. It’s something you do every single day.
Think about it in terms of healthy living and fitness. Even though exercise makes you cringe, and health food doesn’t taste as good as candy, you are aware of the consequences of unhealthy choices and the rewards of healthy choices. (Heck, you might even sometimes really enjoy working out!) This is how you need to feel about Security Awareness. Security Awareness is just like healthy living and fitness: it is something that we must incorporate into our daily lives.
But whyyyyyyyyyy, you ask again.
Why do we take care of our bodies? We want to live longer, we want to be able to go on trips when we’re 80. Or maybe you just really like the taste of cake but don’t want to pack on the pounds.
What are the reasons we should be security aware? To avoid ID theft. To protect the integrity of the organization’s networks and therefore the reputation of the organization. We don’t want our mobile devices stolen, because then we’ll lose all our cat photos. We don’t want bad guys taking what little money we do have. We want to use online banking without worry. There are lots of reasons in all three areas of our lives – personal, professional, mobile.
So if you ever think ‘ugh, more awareness training, why do I have to do this?’, just remember: Security Awareness training is eating your vegetables so that you get all the vitamins you need. Security Awareness training is drinking your water so that you can also have wine. Security Awareness training is doing your cardio so you can enjoy some cake.
Many organizations try crash diets – implementing a bunch of reactive training because they got hacked, or trying to check all of the compliance boxes because they’re about to be audited. But we all know how effective crash diets are – they don’t work. So don’t put your organization on a diet. Implement a lifestyle change instead. Encourage your users to use unique passwords for every account so they can use the cloud with less worry. Encourage them to stop posting so much personal information on social media so they can stay in touch with their friends and not get hacked. Encourage them to follow work policy so they can do their jobs without interruption.
At the end of the day, Security Awareness lets us live safer, fuller, more connected lives. It allows us to stay in touch with our family and friends without worrying about the bad guys, it allows us to use all of the cool cloud services we have come to rely on – online banking, Amazon, Netflix, PayPal, Airbnb – and it allows us to do our jobs in a safe way that protects our clients and maintains the integrity and reputation of the place we work.
If we all make a concerted effort to be more security aware and make it a part of our daily lives, we can protect everyone at work and at home, and make the internet a safer place for us all.
Ashley Schwartau is the Creative Director at The Security Awareness Company, leading the production team and handling client projects. Having grown up in the family business, she has worked in the security industry pretty much her entire life and is very passionate about security awareness. She’s the creator of the 2008 documentary Hackers Are People Too, and often writes content for this blog. She lives in Nashville with her husband and two cats. You can reach her at firstname.lastname@example.org or on twitter @ashleyschwartau.