Identify Risks and Protect Your Organization
Learning Objectives
After completing this unit, you’ll be able to:
- Describe how security awareness specialists identify risks and training needs.
- Explain the types of awareness programs implemented by security awareness professionals.
Identify Risks and Training Needs
Did you know that ransomware is one of the most widespread and damaging forms of cyber attacks? This has affected small businesses, cities, and hospitals. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. It usually works by encrypting the files on the affected computer, making them inaccessible. Most ransomware is delivered via email that appears to be legitimate, enticing users to click a link or download an attachment that delivers malicious software. It may also be delivered through a malicious website, or sent using social media messaging. The impact of ransomware can be devastating to an organization, and sadly, many office workers are unaware of the threat. Given that hackers rely on human error to deliver ransomware or send phishing emails to a user, cybersecurity awareness training is critical to keeping an organization secure.
When deciding what type of training to implement, security awareness specialists start by identifying the threats, vulnerabilities, and risks that are most relevant to their organization. In doing so, they establish a security awareness network with key stakeholders in the organization to make sure they understand risks and business objectives. Next, they take a look at the roles and functions in the organization to identify the knowledge, skills, and abilities needed to defend the company, paying special attention to what training privileged (administrative) users need. These steps are referenced in the Center for Internet Security Control 14.
The security awareness specialist also explores gaps by asking critical questions. What types of user behavior endangers the organization? Do users know how to spot a phishing email? What controls are in place to detect and prevent malicious insiders from doing damage? Security awareness specialists also consider the types of laws, regulations, and compliance requirements that apply to their organization. They make sure users are aware of their responsibilities as it relates to these requirements, and also align training with company security policies. They work with the policy team to make sure that policies are updated to comply with current regulations and the policies are clear to employees.
Implement Training and Awareness Initiatives
Security awareness specialists have a variety of tools at their disposal to train the workforce on how to defend the organization from social engineering, phishing, ransomware, malicious insiders, and other types of threats. The security awareness specialist plans, designs, develops, implements, and maintains a comprehensive awareness program. They create security awareness content for multiple channels, such as social media and intranet sites. They also disseminate technical communication to users to educate on evolving threats, new regulatory requirements, or changes to company policy. They create e-learning materials, such as online training courses, video content, podcasts, webinars, or discussion forums.
Training can be job-specific, or focused on hardening the workforce against specific threats that take advantage of weaknesses in human behavior. For example, job-specific training can include training Security Operations Center (SOC) analysts on using a new tool to spot anomalous activity in the network. Or specialists can develop training for application developers on how to sanitize their code to protect against injection vulnerabilities and help secure the Software Development Lifecycle (SDLC). Typically, they develop training on regulations that apply to an employee’s job, to help them understand their role in ensuring the organization is compliant. For example, providing an employee who implements authentication solutions for remote access, training on Payment Card Industry (PCI) data security standards by sharing the PCI Best Practices for Maintaining PCI DSS Compliance information.
Other types of training and awareness can be focused on increasing user awareness of specific threats, or testing organizational procedures through simulations. For example, security awareness specialists often implement training exercises to increase awareness of phishing. This can include educating users about how to recognize malicious emails, or how to secure their social media presence from social engineering. Many organizations also use simulated phishing emails to help ensure users remain vigilant against this threat and to evaluate the rate at which employees are falling for phishing emails. This helps inform what kind of remedial training is needed to change user behavior.
Another type of training includes tabletop exercises and simulations, which can be run with operational staff or with executives. These training sessions take a team through a simulation of a real-life scenario, such as a ransomware attack, to demonstrate how organizational response processes function. These sessions can also illustrate areas where gaps exist that can benefit from further policy/process development or training.
Companies can develop e-learning, phishing simulations, and table-top exercises in-house, or can outsource this function to an education and awareness vendor. In this case, the security awareness specialist owns and manages the relationships with the vendors and ensures they are meeting the company’s training objectives. How does the specialist ensure training is meeting its objectives? That’s the topic of the next unit on detecting risks and integrating your security awareness activities with incident response.
