Are We Really the Weakest Link?

If you browse the headlines you're bound to come across one of the latest studies speaking to the evils of insider threat, user incompetence or password insecurity. "Users are the biggest threat", "if it weren't for employees we wouldn't have data breaches", staff are unintentionally releasing malicious software across the network and it's roaming the virtual enterprise, and on and on... Clearly we are caught in a paradox: we struggle to balance removing the freedom of choice that leads down the path of a "wrong decision" against enabling our employees to do their jobs.

Security Awareness

According to the European Network and Information Security Agency, awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks. Users or employees can sometimes be our first, last or only line of defense against the criminals who would rob our enterprise of its intellectual property, customer data, credit card numbers and other sensitive information.

Security Evolution

Security Awareness is just as important to an information security program as the policies, procedures and products we put in place to mitigate overall enterprise risk. The only difference is, security awareness isn't the shiny new toy or the newest silver bullet to save the technoverse. Security Awareness has to focus on shifting the attitudes and behavioral patterns of employees, which in turn promotes a positive cultural change within an organization.

Security Success Factors

Best practices around creating Security Awareness programs focus on building and implementing Security Awareness, sustaining Security Awareness, and measuring the overall program to ensure effectiveness. This can be done through a variety of techniques, for example phishing exercises and group and/or individual training.

There are many resources available; finding what works for your corporate culture is critical. Ultimately try different ideas, approaches and methods.

In the world of security awareness one size does not fit all.

@archangelnikk

And from my friends at AwareGO in Iceland, a great video on the dangers of using what may appear to be "public" WiFi...

Some great resources:

National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, www.nist.gov

International Standards Organization (ISO) 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls, www.iso.org

COBIT 5 Appendix F.2, Detailed Guidance: Services, Infrastructure and Applications Enabler, Security Awareness, www.isaca.org/cobit

Leonard Ozoemena

Owner, Compass Solutions LLC

9 years ago

Nikk, one of the more important but less observed practices that I've noticed in the Cyber Security posture of many organizations is a lack of continuous proactivity. Oftentimes they're willing to be "sitting ducks" and reactionary to breaches and attacks. Whereas this matter must anticipate all aspects of vulnerability, from policy to training and awareness, all the time. Salute.

Reply
Keith Baxter MSc FICS

Technology | Innovation | Leadership | #20 CTO World 100

10 years ago

The weakest link is often the reseller/partner to whom you outsource your IT. The same diligence and control you afford to your employee engagements may not be applied by them. Many use daily contract staff and push push push to meet THEIR business objectives.

Reply
Tom Foale

CTO at Klaatu IT Security Ltd

10 years ago

Didier, I have to agree. The security industry is insular and looks to itself to solve problems. The real place to start with cybersecurity is in better procurement practices, particularly for embedded software, which is usually overlooked. Bringing fewer exploitable bugs into the business will reduce the number of attacks we have to defend against. Insisting on independent software testing and verification before purchase is where cybersecurity should start.
