Putting The Awareness In Security Awareness
CIOReview


Paul Jones, CIO, City of West Palm Beach

It is important to build an understanding of cyber security that encompasses all aspects of an organization. It is easy to assume that users already know about the pitfalls and risks that cyber security covers, since they are second nature in our discipline, but we need to question that assumption: most users are focused on their own fields, not on the cyber threats we are familiar with.

If we take a minute and think about how new the connected IT world is, especially when compared to most other departments in an organization, its newness becomes apparent. For example, if we ask, “How long has there been a Finance Department, Operations Department, or Marketing Department in an organization?” the answer is, “As long as there have been organizations.” Contrast that with the current IT environment, which has been in place for approximately 40 years, and the difference is very noticeable. Many of the coworkers we support did not grow up in this connected world, so expecting them to understand its nuances is not realistic.

A way to relate this to our users is by referring to what can be called a “Bubble of Trust.” 40 years ago, if someone was going to be the victim of a crime, they had to be in the wrong place at the wrong time, or, in the majority of cases, some physical activity had to occur. People found it easier to shield themselves from crime because relationships and activities were built around people and environments they trusted. People created a “Bubble of Trust” and felt safe within it. Today, whenever someone goes online, it is imperative that he or she “pops” that “Bubble of Trust” and realizes nothing can be trusted.

An example that is easy to relate to in security awareness is the analogy of locking one’s car doors. We lock our car doors to safeguard both what is in the car and the car itself. But, more importantly, we do so because it is a habit that has been passed down from generation to generation, and we were taught the consequences of leaving the car doors unlocked. Someone’s car might have been stolen, or a smaller item such as a stereo, a purse, or a briefcase was taken from it. Since cyber security has not been around long, that basic knowledge has not been passed down, and many people do not understand the risks and consequences of online activities.

Additionally, it can be pointed out that when criminals go into a neighborhood to break into cars, they typically first check for unlocked cars, because those are easy targets. It takes very little effort to open an unlocked car door. The same is true on the Internet. The bad guys are looking for the equivalent of unlocked cars and easy targets: people lacking security awareness fundamentals such as good password management practices or an understanding of social engineering attacks such as phishing. Security awareness fundamentals teach people the Internet equivalent of locking their car.

Another important factor in providing impactful security awareness training is making it relate on a personal level to the audience. In doing this, we can leverage recent attacks on the organization as well as personal losses. For example, a good question to ask is, “How would you like to come in to work tomorrow and not be able to access any technical resources?” followed by a list of local or well-known national organizations that have been victims of ransomware attacks. To make the question more personal, we can state, “How would you like to be the cause of this situation? Most of the recent attacks have been caused by people just like you who clicked on something they shouldn’t have or gave away their passwords.” Additionally, we need to tell many stories about individuals losing money and individuals losing their identities, and reveal the true cost in time and money it takes to recover from these. By making the training real and personal, we can make a positive impact by showing that the same protection is required both personally and for the business.

The biggest mistake we make is assuming everyone knows the dangers of the new world we live in. The more security awareness training sessions we complete, the easier it is to realize this is just not true. We cannot say our users should know; we must make sure they do know!
