Successful Cyber Security Awareness Program Elements
Hardening the "Human" Security Layer
- Cyber security awareness is no longer an option; it is a significant layer of security that every IT-enabled organization must have.
- Spending on information security products and services reached a value of $114 billion US dollars in 2018.
- The average total cost of a data breach in 2017 was $3.62 million.
- Cyber Security is everyone's responsibility.
The Cyber Security Awareness Program Every Organization Needs
Lack of cyber security awareness training and accountability tops the list of causes of information security breaches. According to Gartner, spending on information security products and services reached a value of $114 billion US dollars in 2018, an increase of 12.4 percent from 2017. On the other hand, the average total cost of a data breach in 2017 was $3.62 million according to IBM and Ponemon Institute. And 2019 forecasts are not any better. When you dig deeper into the studies, you realize that a surprisingly high percentage of data breaches took place in organizations with high IT security budgets. And while some attacks could be traced back to disgruntled workers, a great deal of other attacks are simply the result of actions by naive, non-malicious employees who simply weren't well informed.
Over the past years, IT has become the main enabler of almost every business, and security has always been a major concern. Implementing a security awareness program has become a must for an organization, regardless of its size, industry, or location.
At CIATEC, information security awareness is one of the main services provided. Our security awareness program is a continuous cycle that runs all year round. A well implemented security awareness program helps prevent a breach, or at least mitigates its risks. In this article, we compiled lists of:
- Main causes of Cyber Security Breaches
- Importance of Cyber Security Awareness and Training
- Cyber Security Awareness Topics
- Cyber Security Awareness Channels
Top Reasons for Cyber Security Breaches
1- Uninformed Employees
Uninformed, naive and non-malicious employees lacking information security awareness and training top the list of causes. Our experience taught us that technology alone cannot completely secure IT environments; there will always be a human factor involved, whether on the IT department side or on the end-user side. Unfortunately, the human brain cannot be patched the way a computer can! It can only be nourished with knowledge, training and awareness material.
It only takes one single uninformed employee who takes the bait of a phishing email to compromise an organization's cyber security.
Hint: Deploy an information security awareness program that runs all year round, keep it up to date with the latest threat trends, and accompany it with a phishing simulation solution.
2- Human Errors
Human errors by regular IT users are always a threat. However, the bigger threat is errors made by IT administrators! Lack of knowledge, and sometimes lack of focus, leads to configuration errors that leave doors open for attackers.
Hint: Adopt a framework or standard that organizes change, event, problem and incident management, such as ISO 27001, ISO 20000 or ITIL.
3- Malware
Successful malware attacks such as ransomware, viruses, worms, and trojans are always a threat to cyber security and a reason behind security breaches.
Hint: Train your staff on how to deal with malware attacks and apply endpoint security best practices.
4- Stolen Devices
Laptops and mobile devices that are sometimes stolen during commuting or traveling pose a significant risk that should be handled by risk management.
Hint: Raise awareness and apply mobile device encryption.
5- Disgruntled workers
Dissatisfied employees and third-party contractors with bad intentions are a threat from inside the organization.
Hint: Deploy proper employee termination, segregation of duties, and vendor management processes.
6- Lack of Funds
A low cyber security budget is a problem on its own for some organizations, while other organizations fall into the trap of "budget maldistribution", where most of the budget goes to sophisticated security software and hardware appliances while employee information security awareness and training are neglected. Big mistake!
Hint: If there is no way to increase the cyber security budget, the existing budget should at least be distributed properly.
What will Security Awareness and Training add?
Cyber security awareness and training provide the following benefits:
1- Hardening the Last Layer of Defense
Employees are the last layer of defense, and in some cases they are the first layer, depending on the nature of the attack. Yet they are the weakest link in the cyber security chain; this has become a universal truth. A well implemented and maintained cyber security awareness program will ensure that this link is hardened, strengthening the whole chain.
2- Compliance Requirement
All major information security standards and frameworks, such as ISO/IEC 27001, require an information security awareness program to be in place.
3- Adapt with the Continuously Changing Threats
The complexity of threats and attacks is increasing every day. Cyber security units need to keep up and, more importantly, cyber security awareness units need to keep all users informed about the latest threats and cyber attack trends.
4- Increase Engagement
Does your organization have an information security handbook containing all your information security policies? Is it updated and distributed to users on a regular basis? If so, how many of them actually read it, understand it and become familiar with its content?
With awareness, things are different. Running cyber security awareness campaigns throughout the year and on various channels will create a culture of security within the organization and engage employees in information security practices.
Cyber Security Awareness Topics
The importance of each cyber security awareness topic varies from one organization to another; each organization has its own priorities. Yet it is always recommended to work holistically on covering all topics when implementing a cyber security awareness program. The major topics that should be covered in an information security awareness program are:
1- Physical Security
Physical security is a sub-domain of information security that goes beyond IT to address issues related to entrance points, locked doors, drawers, cabinets, desks, as well as desktops, laptops and mobile devices security. Users should be aware and able to deal with physical security threats of all kinds.
2- Data Security
Cyber security is all about protecting information assets, right? Educating users on how to handle data security should be a major topic in any cyber security awareness program.
3- Print Security
Whether in hard copy or in soft copy, information needs to be secured. Print security is one of the many topics addressed in an information security awareness program.
In addition to making users aware of the concepts of secure printing, there are plenty of built-in and third-party printing solutions that can be of great use in implementing secure printing policies.
4- Network and Wireless Security
Given the insecure nature of wireless networks, enterprises count on employee awareness to better harden this area. An organization-owned laptop or other mobile device has at least 10 wireless network SSIDs stored: SSIDs of the office, home, airport, hotel, coffee shop, etc. Sniffing can occur on any of these wireless networks, jeopardizing the organization's information assets. Hence the need for wireless network security awareness.
On the other hand, with sophisticated wired network security solutions, organizations might reach a significant level of security. Yet, awareness is always needed to harden the weakest link.
5- Data Destruction
Security doesn't stop when you stop using a certain device. If a device still holds your data, security policies still apply, even if the device is no longer in use. And if the device is to be disposed of, it must be disposed of securely. Cyber security awareness programs should cover how to get rid of old devices in a secure manner.
6- Password Security
Password security is one of the most challenging domains in cyber security awareness. A lot of resistance is found here: users hate being forced to remember new passwords and have difficulty creating new passwords that meet complexity requirements.
Luckily, there is a solution: CIATEC’s information security awareness program helps users get over this.
7- Phishing and Email Security
Phishing attacks are getting serious. 9 out of 10 phishing attacks are now ransomware, and pseudo ransomware is a new trend. Pseudo ransomware attacks make users pay a ransom for data that is not even encrypted!
Training on how to avoid phishing scams and what to do in the event of an attack is a high priority in any cyber security awareness program. The phishing awareness and training cycle goes through four steps: Assess, Educate, Phish, Get results, and REPEAT. Phishing awareness, like any other cyber security awareness component, is a continuous cycle.
For more info about phishing awareness: ciatec.com/phishing
8- Malware
Users in any industry or organization size, and even home users, should have the ability to identify a malware attack when they see one. It is also important that users can identify the malware type (virus, trojan, worm, adware, spyware, ransomware, etc.). But what's more important is knowing how to act in the event of a malware infection. A good cyber security awareness program should provide this know-how.
9- Mobile Devices Security
Mobile devices, whether personal or corporate owned, hold information assets that must be protected. Mobile device security is a serious topic that should be addressed thoroughly in a corporate cyber security awareness program.
10- Browser Security
Training users on how to check URLs and SSL/TLS-encrypted sites (i.e., https), keeping browsers up to date, minimizing plugin usage, and scanning any downloaded files are basic browser security awareness material.
Cyber Security is everyone’s responsibility.
Cyber Security Awareness Channels
Communicating the information is as important as the information itself. What fits one organization, may not necessarily fit another. Communicating cyber security awareness material to the right audience and using the right channels is what an awareness program is all about. Here is a list of the most commonly used cyber security awareness channels.
Educational Videos
Videos are one of the most effective learning materials. CIATEC provides cyber security awareness videos hosted on CIATEC's servers or on the client's portal. Like all cyber security awareness material, the videos are continuously updated to keep up with the latest cyber security awareness trends as well as the latest animation trends.
Billboard or Roll-up Banners
A roll-up banner in a meeting room, in the lobby, or in any other public space will help raise cyber security awareness with no effort.
Screen Posters
As with roll-up banners, displaying cyber security awareness material on screens available in public places will help raise cyber security awareness by reaching all staff.
Email Posters and Newsletters
Email posters and newsletters are another channel that can come in handy when addressing specific topics in a cyber security awareness program, especially when presented as an element of a bigger campaign.
Gaming material
This has also proved to be one of the most effective techniques to pass the awareness message in an atmosphere of fun and entertainment. Whether a simple crossword puzzle, a matching game, or much more sophisticated information security gaming material, it all helps to relay the information to users easily.
Educational Magazine
Educational magazines, whether published as an e-magazine, an email newsletter or in print, will keep users informed of the latest security trends and how to avoid breaches when published and distributed on a regular basis.
Information Security Courses, Workshops, and Quizzes
Old-fashioned classroom training courses and online courses are always a good channel to reach out to employees. In training, it is advised to group employees by trade or department. This way the trainer can address the specific security topics associated with the audience's trade.
Training should also be followed by a quiz to measure cyber security awareness and training effectiveness.
Phishing Simulations
Phishing simulations have proven to be one of the most effective ways to identify points of weakness against phishing attacks. Phishing simulation awareness campaigns, as part of an overall cyber security awareness program, use hundreds of templates and provide accurate reports identifying:
- Users who opened the simulation email.
- Users who clicked on links.
- Users who submitted sensitive data.
This way, the information security team can identify and educate employees accordingly. Contact us here to start a phishing awareness campaign.
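As an added example (not CIATEC's own tooling), the script below turns a simulation platform's event log into the three lists described above and a click rate the security team can track from one campaign to the next; the CSV layout, event names and users are constructed for illustration.

```python
# Added example, not CIATEC's tooling: derive a phishing-simulation report from
# an event log. The CSV layout, event names and users are constructed here.
import csv
import io

# Stages in escalating order; a user's result is the furthest stage reached.
STAGES = ("sent", "opened", "clicked", "submitted")

# Constructed sample export from a hypothetical simulation platform.
SAMPLE_LOG = """\
timestamp,user,event
2019-03-04T09:01:10,alice@example.test,sent
2019-03-04T09:01:10,bob@example.test,sent
2019-03-04T09:01:10,carol@example.test,sent
2019-03-04T09:01:10,dave@example.test,sent
2019-03-04T09:14:02,alice@example.test,opened
2019-03-04T09:15:40,alice@example.test,clicked
2019-03-04T09:16:05,alice@example.test,submitted
2019-03-04T10:02:51,bob@example.test,opened
2019-03-04T11:30:19,carol@example.test,opened
2019-03-04T11:31:00,carol@example.test,clicked
"""

def furthest_stage(events):
    """Map each user to the furthest stage reached; unknown events are skipped."""
    reached = {}
    for e in events:
        user, stage = e["user"], e["event"]
        if stage not in STAGES:
            continue
        if user not in reached or STAGES.index(stage) > STAGES.index(reached[user]):
            reached[user] = stage
    return reached

def campaign_report(csv_text):
    """Return who opened, clicked and submitted, plus the click rate in percent."""
    reached = furthest_stage(csv.DictReader(io.StringIO(csv_text)))
    # Submitting implies clicking and opening, so each list is cumulative.
    at_least = {s: sorted(u for u, r in reached.items()
                          if STAGES.index(r) >= STAGES.index(s))
                for s in STAGES}
    targeted = max(len(at_least["sent"]), 1)  # guard against an empty campaign
    return {
        "opened": at_least["opened"],
        "clicked": at_least["clicked"],
        "submitted": at_least["submitted"],
        "click_rate": round(100.0 * len(at_least["clicked"]) / targeted, 1),
    }
```

Everyone in the "clicked" list is a candidate for the Educate step of the cycle, and the click rate is the number to compare across repeated campaigns.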
Dedicated Information Security Portal and Mobile App
A dedicated information security web portal will serve as a reference for all users in all information security matters within the organization and will help keep users well informed. It may contain the following elements:
- Information security policies.
- Latest news about cyber security threats.
- Educational posts.
- Interactive educational videos with questions and answers.
- Educational games and quizzes.
- Information security courses.
A dedicated cyber security awareness mobile app is even better. It will allow information security units to reach users on the go.
Hint: By combining our web and mobile enablement skills along with security awareness services, CIATEC can build your information security web portal and mobile app in no time!
Conclusion
Cyber security awareness is no longer an option. It is a significant layer of security that every IT-enabled organization must have.
CIATEC's cyber security awareness program is designed to help organizations of various sizes and industries minimize the risk of data breaches. Contact us today to start building your own program.