One of the reasons I enjoy teaching and writing blog posts is to share with you my past mistakes so that you hopefully don’t have to suffer through the consequences of those mistakes as I did. One such mistake I made early in my career was undervaluing the importance of a good security awareness program. I often viewed security awareness programs as a compliance checkbox that provided little value to my company’s risk posture. Man was I wrong!
Why is a security awareness program so important? Primarily, it’s because cyber attackers, whether they are advanced, well-funded nation states, or the bored teenager living in the basement, continue to target the individual computer user to gain entry into our networks. Phishing emails continue to be the adversaries’ tool de jure. Why is this? Because they have an extremely high rate of success, the cost to the attacker is low, and these attacks cut right through the most fortified of networks. Your security awareness program should turn each computer user into a human sensor. Once properly trained and tested, these human sensors will be able to identify a phishing email and report it to the information security team for further analysis and response. The information security team can in turn use this information to derive and feed threat intelligence into other sensors and security devices. For example, the single phishing email reported by one user may be part of a much larger campaign by a persistent attacker. Now, with this knowledge, additional controls can be implemented.
A good security awareness program is also an excellent opportunity for the security team to connect with executives and the leaders of individual business units and demonstrate a true return on their investment. Oftentimes, investments in information security programs are seen purely as a cost to the business or a diversion of much needed capital from other, more profitable business lines. Security awareness programs can break this misconception by making security personal to the executive and business and by giving them confidence in your team’s abilities.
Recently, my security awareness programs have not been a mere after thought or compliance requirement, but rather the cornerstone of my overall security program. These programs target users during all of their employment stages, from pre-employment through off boarding. Users are provided with training that is relevant, timely, and recurring. Users are also tested with phishing simulations to ensure that they understand the material and are responding appropriately. Also, I personally train every executive in my company. This allows me time to connect one-on-one with my company’s business leaders and drive home the value of our security program.
I hope the New Year treats you well, and you learn from my past mistake and invest appropriately in developing a great security awareness program.
Want to learn more about information assurance? Request more information or call 877-820-0581 today!