As PLEX assesses the security programs of our clients, we’ve noted that one strong sign of a mature cybersecurity program includes provably effective technical controls managed by a continuously trained staff. IT and security departments are not alone in their need for proper training. The remainder of an organization’s staff (regular users) also need be aware of the threats they face as they are often the first contact in attempted attacks.
Security awareness is more than a PowerPoint presentation or a lengthy email. Security awareness is a culture. In general, cultures evolve from tradition, superstition, and of course tales passed down through generations. Here are a few tips to developing a security culture within your organization.
- No organization should expect security prowess from all its employees. However, each organization should prepare each employee to responsibly operate business systems in today’s increasingly hostile computing environments.
- Organizations convey this responsibility to their employees through frequent training with elements that engage and empower. Engagement comes from positive reinforcement in the form of reward mechanisms and team work, whereas team work is a function of healthy relationships between IT/Security and all other departments. Empowerment will emerge when staff learn they have tools available to them to contribute to the organization’s security that does not require them to become security experts. These tools include the knowledge needed to spot malicious emails and how to respond when someone asks for their password.
- Organizations should avoid training themes that portray the employee as the weak link, the cause, or helpless in the fight against cyber-attacks. These tactics discourage employee participation in the security culture within the organization and ultimately leave the organization more vulnerable.
Finally, security awareness enables companies to operate successfully in an environment full of consistent cyber-based attacks. Focusing on developing a security culture will empower employees to take action against attempted attacks. Coupling this culture with effective technical controls will keep your organization resilient and successful.
By Todd Cronin, Senior Penetration Tester at Solutions at PLEX