Get to Know Security Awareness

Learning Objectives

After completing this unit, you’ll be able to:

• Define security awareness.
  
• Describe the importance of having a security awareness program.
  

What Is Security Awareness?

No matter where you work, trust, security, and peace of mind of both employees and customers is likely an important value. A critical component of your organization being able to maintain trust is that all members actively participate in a cybersecurity program as part of a daily routine. This means understanding cybersecurity procedures and knowing when and how to reach out for assistance. 

Organizations implement security awareness programs to promote a culture of cybersecurity within the organization. The goal is to train users on potential threats and increase awareness of  situations that may put data, systems, or networks at risk. Organizations use security awareness programs to instill a sense of responsibility and purpose in employees who handle and manage sensitive information. Employees need to realize they are one of the strongest links to keeping organizations secure in the way they behave day to day and in the decisions they make.

One of the goals of a security awareness program is to reduce an organization’s risk. The more aware employees are about potential threats and how to mitigate them, the less likely the organization will be vulnerable to attack. Security awareness specialists strive to empower users to take personal responsibility for protecting the organization. They also enforce the policies and procedures the organization has in place to protect its data by providing training and measuring compliance.

The Importance of Security Awareness

When employees are aware of and care about security, they work to promote strong cybersecurity practices around them. This human element of cybersecurity is particularly crucial to securing data, since attackers often target users in an organization’s security chain. All the technical controls in the world—intrusion detection systems, firewalls, data loss prevention, and so on—won’t be enough to protect data if users don’t understand policies and procedures, how to use tools, and what to do in the case of a breach. 

Here are a few common attack methods used to exploit the human element of the security chain.

• Malware is malicious software that tries to damage devices, steal data, or otherwise compromise computer systems by tricking users into downloading viruses, trojans, and spyware onto their computer.
  
• Phishing is a type of attack in which the malicious actor sends emails pretending to be from reputable companies or individuals in order to induce a user to reveal personal information, such as a username and password.
  
• Social engineering is a tactic attackers use to manipulate individuals to take a desired action. Social engineering can be used to enhance the effect of malware or phishing. For example, an attacker can use social media to identify the name of an employee of a company who works in a security role. The attacker can then use further social engineering to find out the school the employee’s daughter attends, and send an email with a PDF attached that spoofs the school’s email address. The PDF can include information about emergency weather closures in the area, creating a sense of urgency with the victim. The attacker can embed malware in the PDF, so that when the employee opens it, a malicious file downloads and executes. The use of personal information about the employee through social engineering makes it more likely the attack is successful.
  
• Insider threat occurs when an employee of the company takes action to inappropriately access, modify, or delete data. This can happen for financial gain, espionage, or because the employee is disgruntled, perhaps because they did not receive a promotion, or found out about upcoming layoffs. Special tools are necessary to track and monitor potential insider threats. Other employees are also key to reporting suspicious activity. There is also unintended insider threat, which refers to employees being unaware and making mistakes that place the organization at risk. For example, sending an email with proprietary information to the wrong person. In our current climate with many distractions and people moving fast, there are bound to be mistakes.
  
• Data loss occurs when data is destroyed accidentally or on purpose, shared with unauthorized parties, or used for an unauthorized purpose. Data loss can occur if an employee accidentally or purposely modifies a customer’s account information. Another example is if an employee downloads information onto an external USB and loses it. Data loss can also occur if an employee accidentally emails sensitive data, such as a customer’s social security number, to a third party. Proper training on handling sensitive data, as well as policies and technical controls to prevent data loss are integral to improving awareness of this issue.
  

Security awareness strengthens an organization’s ability to protect itself against exploits of human weakness and error. Security policies and procedures serve as building blocks of a security awareness program by documenting how users are expected to keep data safe, who is responsible for what tasks, and what to do in case of an emergency. Once these building blocks are in place, it’s a good idea to implement a security awareness program and include user awareness training. With security awareness prioritized, organizations can then focus on implementing security measures such as patch management, log aggregation, and antivirus protection. When these controls are in place and users understand how to use them, security awareness programs establish and collect key performance metrics. These metrics help better understand compliance with policies and procedures and whether the awareness program is achieving its goals. 

Resources

• External Site: World Economic Forum (WEF): What happens to an organization when it has no security culture?
  
• Trailhead: Cybersecurity Principles for Leaders