What is security awareness
Security Awareness Campaigns – 5 min read

1. About Security Awareness


As the name implies, security awareness is company-wide, up-to-date knowledge about real and potential security threats. Think of it as street smarts for using computers. The objective is to cultivate a healthy skepticism about what is safe and what is not in your day-to-day computer use.

In an optimal situation, employees develop this healthy skepticism about the information they receive or see, be it an email attachment or small changes in the way their computers are behaving. Often, something that looks odd is an indication of a security issue. Signs can be subtle or obvious. If you have a bright screen with a skull and crossbones, that’s a pretty clear indication that you have a problem on your hands. Or you could run across a website that loads all kinds of screens and popups, followed by a message that your computer has been compromised and a demand that you get in touch with the sender or face prosecution.

Security awareness is like a muscle: it needs regular exercise and a steady supply of information about best practices, including ways to avoid being trapped by scams. Security awareness must also be monitored through ongoing evaluation and/or tests. The Machiavellian white hats in your IT department can send emails specifically crafted to look legitimate but containing subtle and important clues that the message might not be what it appears to be. People who click on or fall for the rogue emails need further security training. Cultivating a healthy sense of vigilance is critical.



2. Who should provide security awareness training?


Security awareness training is most often provided by your IT department and/or your IT services partner. There are also a number of companies that specialize in security awareness training and craft special educational content and follow-up tests.



3. How is security awareness training usually provided?

Security awareness training is typically delivered through online self-serve learning. However, it can also be provided in a classroom setting or via visual aids posted throughout the workplace. As with most education programs, frequent contact is important. It is essential to deliver security awareness material at a moderate, regular frequency and also to ensure there are ongoing updates about new types of vulnerabilities.

Security awareness campaigns need appropriate context. We suggest that security awareness campaigns be augmented by biweekly emails with security awareness tips such as:

"Passwords are a bit like toothbrushes. Never share one. Pick a good one. Change it every once in a while."



4. Topics Covered in Security Awareness Training or Campaigns


Email Threats


Security breaches most commonly begin with emails that send users to a malicious website. These emails typically portray the sender as a “boss” or a “client,” which automatically instills a level of trust in the recipient and makes them more likely to act impulsively. Perhaps no one has explained to them that they can hover over or right-click a link to see where it actually goes, or maybe it just didn’t occur to them to check. Lulled into a false sense of security, they click the malicious link without a second thought. Email in its inherent format is not secure: it travels over the Internet as plain text.
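The "check where the link actually goes" habit described above can also be automated on the receiving side. The following is an added example, not code from the original article: it parses the HTML body of a message and flags any link whose visible text looks like a URL but whose real destination host differs. The sample message and the domain names in it are constructed placeholders.

```python
"""Flag HTML email links whose visible URL text points somewhere other than the href.

Added example, not from the original article. SAMPLE_EMAIL_HTML is a constructed
message; every hostname in it is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of a "client" email. The first link shows one
# URL but sends the reader to a different host; the others are consistent.
SAMPLE_EMAIL_HTML = """
<p>Hi, please review the invoice at
<a href="http://invoice-review.example.net/login">https://portal.example.com/invoices</a>
before end of day.</p>
<p>Docs: <a href="https://docs.example.com/help">https://docs.example.com/help</a></p>
<p><a href="https://files.example.com/report.pdf">Download the report</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def host_of(url):
    # Visible text such as "www.example.com" has no scheme; add one so urlparse sees a host.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return links whose visible text is a URL on a different host than the href."""
    findings = []
    for href, text in extract_links(html):
        if not looks_like_url(text):
            continue  # plain-text anchors ("Download the report") cannot be compared
        if host_of(text) != host_of(href):
            findings.append({"shown": text, "actual": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"shown {f['shown']!r} but goes to {f['actual']!r}")
```

Only links whose anchor text is itself a URL can be compared this way; a link labelled "Download the report" gives the reader nothing to check against, which is exactly why hovering over the link before clicking still matters.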



Social Engineering


Social engineering is the approach that black hats use to gain access to your system. The idea behind social engineering is that it’s easier to get a user to willingly provide access to their system than it is to get past security systems. Rather than circumvent the protective systems that are in place, social engineering tries to trick victims into opening their "doors" so the attacker can just walk right in. There are numerous forms of social engineering, from an email that appears to come from a client or coworker to someone with something to sell over the phone. Sometimes it can even be someone who poses as a coworker or plumber and gains physical access to private spaces.



Social Media Threats


You often don’t realize how much personal information you put out into the world over social media. People often think that because their profile is private they are safe, but that is not the case. How many friend requests do you accept from people you don’t really know? Little do you realize, all those friends in common accepted the invite with the same misguided assumption. Once they’re in, they’re in, and now they not only have access to your personal information but also a way to connect with your friend list.



LinkedIn and other business networking social media platforms add an extra layer of danger, as they provide an informative and detailed rundown of not only where you work, but your co-workers as well. Anyone with an account can easily research a company’s staff and network, including finding the newest and most inexperienced staff to target, and use that insider information to make an attack.


Website Threats


Landing on a malware-infected website isn’t always the result of clicking on a bad link. It can also happen by mistyping an address. Domain names that resemble some of the biggest and most commonly visited websites are often purchased by spammers and hackers in the hope that you accidentally type in something like Netfliks or Googlle and, before you know it, you have been directed to a bad website. Even the most trusted website can host links to dangerous websites: sites sell their space for ads, but they have no responsibility to ensure the ads are safe.
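The "Netfliks" and "Googlle" pattern above can be checked mechanically on the defending side, for instance against the hostnames in a proxy or DNS log. The following is an added example, not code from the original article: it measures the edit distance between a hostname's second-level label and a short list of trusted domains and flags near-misses. The trusted list and the sample hostnames are constructed placeholders.

```python
"""Flag hostnames that are a short edit away from a trusted domain (lookalike check).

Added example, not the article's own code. TRUSTED_DOMAINS and SAMPLE_HOSTS are
constructed placeholders; the threshold max_distance is an assumption.
"""


def levenshtein(a, b):
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Crude second-level label: 'www.netflix.com' -> 'netflix'. Good enough for .com-style names."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


TRUSTED_DOMAINS = ["netflix.com", "google.com", "example-bank.com"]


def lookalike_score(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (trusted_domain, distance) for the closest trusted domain if host is a
    near-miss of it, None if the host is legitimate or not close to anything."""
    host = host.lower()
    label = registrable_label(host)
    best = None
    for t in trusted:
        if host == t or host.endswith("." + t):
            return None  # exact match or a subdomain of a trusted domain
        d = levenshtein(label, registrable_label(t))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best


# Constructed sample hostnames as they might appear in a DNS or proxy log.
SAMPLE_HOSTS = [
    "netfliks.com", "googlle.com", "www.netflix.com",
    "login.example-bank.com", "wikipedia.org", "exampl3-bank.co",
]


def scan(hosts):
    """Map each flagged host to the trusted domain it resembles and the edit distance."""
    results = {}
    for h in hosts:
        hit = lookalike_score(h)
        if hit:
            results[h] = hit
    return results


if __name__ == "__main__":
    for host, (target, dist) in scan(SAMPLE_HOSTS).items():
        print(f"{host}: looks like {target} (distance {dist})")
```

The check compares only the registrable label, so it catches substituted, dropped or doubled letters but not a host such as `netflix.com.attacker.example`, whose label is `example`; that case is handled by the subdomain test only when the real domain is the suffix, which is the whole point of the allow-list comparison.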



Password Management


Have you noticed that when you are prompted to create a new password it requires a lot more effort than it did in the past? At least one capital letter, one symbol, two numbers, and so on. That’s because for years and years people would use the same generic passwords for almost all of their online accounts, which made hacking those accounts a walk in the park for spammers and criminals. Changing your passwords every now and again and using different ones for different accounts is highly recommended.


Ransomware, Viruses, and Malware


Everyone on your staff should have a basic knowledge of what ransomware is and be up to date on the most common and/or recent viruses and malware.



Be Sure to Measure the Effectiveness of Your Security Awareness Training


Phishing Tests


Phishing tests are ongoing tests run by white hats: your IT department or IT security services partner. They send specially crafted emails to your staff designed to trick them into clicking on links or providing information in response. The number of people who respond is tracked to provide a metric of the security awareness in your organization.


Before and After Tests


Test your team's knowledge of security awareness before and after the training. This will allow you to make certain that your training was effective. It will also show you who needs extra security awareness training.
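The phishing-test metric and the before-and-after comparison described in the two sections above come down to a small amount of bookkeeping. The following is an added example, not code from the original article: it takes per-recipient results from two simulated phishing rounds (constructed data, with made-up user and department names), computes click, credential-submission and report rates overall and per department, compares the round before training with the round after, and lists the users who clicked in every round. The column names and the CSV layout are assumptions, not the format of any particular product.

```python
"""Turn phishing-simulation results into awareness metrics and a before/after comparison.

Added example, not part of the original article. SAMPLE_RESULTS is constructed;
the "round" column separates the test run before training from the one after.
"""
import csv
import io
from collections import defaultdict

# Constructed results: one row per recipient per round. 1 = yes, 0 = no.
SAMPLE_RESULTS = """round,user,department,clicked,submitted_credentials,reported
before,alice,finance,1,1,0
before,bob,finance,1,0,0
before,carol,sales,0,0,1
before,dave,sales,1,0,0
before,erin,it,0,0,1
after,alice,finance,0,0,1
after,bob,finance,1,0,0
after,carol,sales,0,0,1
after,dave,sales,0,0,1
after,erin,it,0,0,1
"""

FLAGS = ("clicked", "submitted_credentials", "reported")


def load_results(text):
    """Parse the CSV and turn the 0/1 flag columns into booleans."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for k in FLAGS:
            r[k] = r[k].strip() == "1"
    return rows


def rates(rows):
    """Click, credential-submission and report rates as fractions of recipients."""
    n = len(rows)
    if n == 0:
        return {"recipients": 0, "click_rate": 0.0, "submit_rate": 0.0, "report_rate": 0.0}
    return {
        "recipients": n,
        "click_rate": sum(r["clicked"] for r in rows) / n,
        "submit_rate": sum(r["submitted_credentials"] for r in rows) / n,
        "report_rate": sum(r["reported"] for r in rows) / n,
    }


def rates_by(rows, key):
    """Rates grouped by a column, e.g. 'department' or 'round'."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[key]].append(r)
    return {g: rates(v) for g, v in groups.items()}


def before_after(rows):
    """Compare the pre-training round with the post-training round."""
    by_round = rates_by(rows, "round")
    b, a = by_round["before"], by_round["after"]
    return {
        "before": b,
        "after": a,
        "click_rate_change": a["click_rate"] - b["click_rate"],
        "report_rate_change": a["report_rate"] - b["report_rate"],
    }


def repeat_clickers(rows):
    """Users who clicked in every round they received: candidates for extra training."""
    per_user = defaultdict(list)
    for r in rows:
        per_user[r["user"]].append(r["clicked"])
    return sorted(u for u, clicks in per_user.items() if all(clicks))


if __name__ == "__main__":
    data = load_results(SAMPLE_RESULTS)
    summary = before_after(data)
    print("click rate before/after:",
          summary["before"]["click_rate"], summary["after"]["click_rate"])
    print("per department:", rates_by(data, "department"))
    print("needs extra training:", repeat_clickers(data))
```

Tracking the report rate alongside the click rate matters: a falling click rate with a flat report rate means people are ignoring suspicious mail rather than raising it, and the second habit is the one that lets the IT team act on a real campaign.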



Having an educated workforce is the best way to ensure your cybersecurity. Running ongoing security awareness campaigns is the best way to make this happen.
