Putting The Awareness In Security Awareness
It is important to build an understanding of cyber security that encompasses all aspects of an organization. It is easy to assume that users already know about the pitfalls and risks covered by cyber security, since these are second nature in our discipline, but we need to question that assumption: most users are focused on their own fields, not on the cyber threats we are familiar with.
If we take a minute to think about how new the connected IT world is, especially compared with most other departments in an organization, its newness becomes apparent. For example, if we ask, “How long has there been a Finance Department, Operations Department, or Marketing Department in an organization?” the answer is, “As long as there have been organizations.” When contrasted with the current IT environment, which has been in place for approximately 40 years, the difference is striking. Many of the coworkers we support did not grow up in this connected world, so expecting them to understand its nuances is not realistic.
One way to relate this to our users is by referring to what can be called a “Bubble of Trust.” 40 years ago, if someone was going to be the victim of a crime, they had to be in the wrong place at the wrong time, or, in the majority of cases, some physical activity had to occur. People found it easier to shield themselves from crime because their relationships and activities were built around people and environments they trusted. People created a “Bubble of Trust” and felt safe within it. Today, whenever someone goes online, it is imperative that he or she “pops” that “Bubble of Trust” and realizes that nothing can be trusted.
An analogy that is easy to relate to in security awareness is locking one’s car doors. We lock our car doors to safeguard both what is in the car and the car itself. More importantly, we do so because it is a habit that has been passed down from generation to generation, and we were taught the consequences of leaving the car doors unlocked: someone’s car might have been stolen, or a smaller item such as a stereo, a purse, or a briefcase was taken. Since cyber security has not been around for long, that basic knowledge has not been passed down, and many people do not understand the risks and consequences of online activities.
Additionally, it can be pointed out that when criminals head into a neighborhood to break into cars, they typically first check for unlocked cars because those are easy targets. It takes very little effort to open an unlocked car door. The same is true of the Internet. The bad guys are looking for the equivalent of unlocked cars and easy targets: people lacking security awareness fundamentals such as good password management practices or an understanding of social engineering attacks such as phishing. Security awareness fundamentals teach people the Internet equivalent of locking their car.
Another important factor in providing impactful security awareness training is relating it to the audience on a personal level. In doing this, we can draw on current attacks against the organization as well as personal losses. For example, a good question to ask is, “How would you like to come in to work tomorrow and not be able to access any technical resources?” followed by a list of local or well-known national organizations that have been victims of ransomware attacks. To make the question more personal, we can add, “How would you like to be the cause of this situation? Most of the recent attacks have been caused by people just like you who clicked on something they shouldn’t have or gave away their passwords.” We also need to tell stories about individuals losing money or their identities, and reveal the true cost in time and money it takes to recover. By making the training real and personal, we can make a positive impact by showing that the same protection is required both at home and at work.
The biggest mistake we make is assuming everyone knows the dangers of the new world we live in. The more security awareness training sessions we complete, the easier it is to see that this is simply not true. We cannot say our users should know; we must make sure they do know!