In this present-day to day world of information technology, having a strong background in security education and awareness is very important, in fact, it may make the huge difference between an effective, productive individual and one who is the opponent. This simple and overly stated fact possibly will sound like a buzzword, but a quick look at incident records, such as the famous Target case, or the more recent WannaCry massive attack, will show that even with the best technology in place, if the human is not taken good care of, the levels of exposition to threats, and subsequent impact, is way higher than what most would call acceptable. · : In order to be effective, information security must be a corporate wide effort embraced over all hierarchical levels. Changing your corporate culture to adhere to the new security focus will be a much simpler task if people can understand and relate to the new controls and expected behaviour. For instance, while it may be frustrating to try changing your password and receiving a message stating it does not comply with complexity requirements, your users might be convinced by understanding that using 123456 or a2bc3d as a password is a security risk due to brute force or password guessing attacks. · : Having security-aware users does not always mean less incidents, but, since they will know what constitutes a security incident and how to report it, detection times will surely be significantly lower, meaning that a significant number of incidents might be prevented, and even the ones that occur will have a better response, and, consequently, a reduced impact. · : If your company falls under legislation such as Sarbanes-Oxley 404 or is interested in achieving a security standard like ISO 27001, an awareness program is essential. Your focus should be ensuring that users are aware of security policies, norms, risk, threats and expected behaviour, but awareness training will also provide extensive evidence of compliance efforts and the commitment of the upper management to information security. Regularly training and implementing a regular security awareness training program is crucial to ensure that youre doing your part to inspire and educate your employees to greater levels of security and awareness. The first step in a successful training program is having a culture of security at your organization, including buy-in from upper management. If the employees see managements focus on creating a secure work environment, that attitude will spread. 1. Are you required to wear badges while on the property? Are there appropriate identification and sign-in procedures at the front desk to monitor individuals who are coming in and out of the facility? Are these processes being followed every time? 2. Passwords should be at least 8 characters long and use a variety of upper and lowercase letters, numbers, and special characters. Default passwords should never be used, and passwords should never be shared. 3. Train your staff to be wary phishers and to know what to look for. Make sure they know not to open attachments in emails if they do not know the source. Encourage them to not send confidential information in response to an email claiming that urgent action is required. Test your employees, train your employees, and make sure youve created an environment where if in doubt, someone will ask before engaging in an email that may look suspicious. 4. Social engineering threats are threats based on human vulnerabilities. Its a way attacker manipulate people into giving away confidential information, password/ID combinations, or to gain unauthorized access to a facility. Train your employees to operate with a healthy amount of scepticism, and to never give out sensitive information without fully identifying the other person. 5. Malware, much like phishing, can enter your environment through non-malicious looking threats such as employees opening emails from unknown sources, using a USB drive that is infected, or going to websites that may be unsafe. Be sure employees are trained to be aware of these kinds of attacks, and practice identifying malware threats.
