As the name implies, security awareness is the company-wide immediate knowledge about real and potential security threats. Think of it as street smarts for using computers. The objective is to cultivate healthy skepticism about the realities of what is safe and what is not in your day-to-day computer use.
In an optimal situation, employees develop this healthy skepticism about the information they receive or see, be it an email attachment or small changes in the way their computers are behaving. Often, something that looks weird can be an indication of a security issue. Signs can be subtle and not subtle. If you have a bright screen with a skull and crossbones, that’s a pretty clear indication that you have a problem on your hands. Or, you could run across a website that loads all kinds of screens and popups. You might then receive a message that your computer has been compromised with a demand that you get in touch with them or be prosecuted.
Security awareness is like a muscle and it needs regular exercise and information about best practices, including ways to avoid being trapped by scams. Your security awareness must also be monitored through ongoing evaluation and/or tests. The Machiavellian white hats in your IT department can send emails specifically crafted to look legitimate but containing subtle and important clues that the message might not be what it appears to be. People who click or fall for the rogue emails need further security training. Cultivating a healthy sense of vigilance is critical.
Security awareness training is most often provided by your IT department and/or your IT services partner. There are also a number of companies that specialize in security awareness training and craft special educational content and follow-up tests.
Security awareness is typically delivered through online self-serve learning. However, it can also be provided in a classroom setting or via visual aids posted throughout the workplace. As with most education programs, a frequent touch is important. It is essential to provide security awareness at a moderate frequency but also to ensure there are ongoing updates about new types of vulnerabilities.
Security awareness campaigns need appropriate context. We suggest that security awareness campaigns be augmented by biweekly emails with security awareness information such as:
"Passwords are a bit like toothbrushes. Never share one. Pick a good one. Change it every once in a while."
Security breaches are most commonly installed onto a computer through emails that send users to a malicious website. These emails typically portray the sender as a “boss” or a “client,” which automatically instills a level of trust in the recipient, making the recipient more vulnerable to acting impulsively. Perhaps no one has explained to them that they can right-click on a link to see where it goes to, or maybe it just didn’t occur to them to check. After all, they have been lured into a false sense of security, and without a second thought, clicked on a malicious link. Email in its inherent format is not secure. It travels over the Internet as plain text.
Social engineering is the approach that black hats use to gain access to your system. The idea behind social engineering is it’s easier to get a user to willingly provide access to their system, than it is to get past security systems. Rather than circumvent the protective systems that are in place, social engineering tries to trick victims into opening their "doors" so they can just walk right in. There are numerous forms of social engineering, from an email from a client or coworker to someone with something to sell over the phone. Sometimes it can even be someone who poses as a coworker or plumber and gains physical access to private spaces.
You often don’t realize how much personal information you put out into the world over social media. People often think that because their profile is private that they are safe but that is not the case. How many friend requests do you accept from people you don’t really know? Little do you realize, all those friends in common accepted the invite with that same misguided assumption. Once they’re in, they’re in, and now they not only have access to your personal information—but also a way to connect with your friend list.
LinkedIn and other business networking social media platforms add an extra layer of danger, as they provide an informative and detailed rundown of not only where you work, but your co-workers as well. Anyone with an account can easily research a company’s staff and network—including finding the newest and more inexperienced staff to target—and use that insider information to make an attack.
Entering a malware-infected website isn’t always the result of clicking on a bad link. It can also be done by typing a bad link. Domain names that resemble some of the biggest and most commonly visited websites are often purchased by spammers and hackers with the hope that you accidentally type in something like Netfliks or Googlle and before you know it, you have been directed to a bad website. Even the most trusted website can be hosting links to dangerous websites. They sell their space for ads, but they have no responsibility to ensure its safety.
Have you noticed how when you are prompted to create a new password that it requires a lot more effort than it did in the past. At least one capital letter, one symbol, two numbers, etc. Well, that’s because for years and years, people would often use the same generic passwords for almost all of their online accounts, and it made hacking their accounts a walk-in-the-park for most spammers and criminals. Changing up your passwords every now and again and using different ones for different accounts is highly recommended.
Everyone on your staff should have a basic knowledge of what ransomware is and be up to date on the most common and/or recent viruses and malware.
Phishing tests are ongoing testing done by white hats—your IT department or IT security services partner. They send specially crafted emails to your staff designed to trick them to clicking on links or providing information in response. The number of people who respond are tracked to provide a metric on the security awareness in your organization.
Test your team's knowledge of security awareness before and after the training. This will allow you to make certain that your training was effective. It will also show you who needs extra security awareness training.
Having an educated workforce is the best way to ensure your cybersecurity. Running ongoing security awareness campaigns is the best way to make this happen.