What does cyber security mean to you? Anti-virus software? Annoying firewalls? Lots of silly rules from the IT department? If that rings true, you may lack cyber security awareness.
Before I try to define "cyber security awareness," I need to admit that it is a bit of a misnomer. Can you imagine talking about "disaster awareness"? ("Oh, the building might flood or burn down. The first comes from water and the second from fire.") Or maybe you are aware that you shouldn't eat that candy bar instead of having a healthy lunch, even though you do it anyway. The problem with "cyber security awareness" is that most people really mean something along the lines of "knowing what to do and doing it." Being aware of spilled food on the floor is not the same as wiping it up, but you cannot wipe it up if you are not aware of it.
So I like to say that "security awareness" (and I am using that broader term intentionally) involves making people aware enough to act - it requires creating a security mindset, not just a set of rules. At its core, it is not just being aware of threats, but understanding the threats and their impact on the organization and its people, including themselves. With that understanding must come the appropriate action.
There is a popular security awareness story about thumb drives, the small USB flash drives. A security researcher peppers a parking lot with some in order to see what will happen. Some are picked up by employees, and in one test, over half were inserted into ports on company computers. Instead of just reporting back to the researchers as these did, they could have contained serious malware that would have hurt the company. In fact, this has been used as a genuine attack vector.
The usual lesson is "never stick unknown devices into your computer." The real issue, though, was those who plugged in the drives lacked the mindset that would tell them that the drives could be a threat. The correct response to finding the thumb drives should have been to turn them in to the security folks in case they were either genuinely lost. The security pros could have made the proper decision.
Most people will not develop a security mindset on their own; they need some kind of education. This is often called "Cyber Security Awareness Training" or "Security Awareness Training". I personally prefer the latter as it can then cover more aspects of physical security which are sometimes left out if the focus is on cyber security.
Most security awareness training I've seen is somewhat focused on threats - what the bad guys can do. That is important, but it is not enough. Here are four characteristics that are essential for good security awareness training:
- Focus on developing a security mindset. That includes ensuring people understand the impact to their organization, themselves, and other employees if a threat is realized. One simple example is that if IT has to spend time (and money) cleaning up a virus infection, that money may not be available for raises or bonuses. It is critical that each and every employee see the WIIFM (what's in it for me)!
- Make participants aware of the threats, but make it clear that there will be new ones that come along. That requires constant awareness and vigilance.
- Empower employees to act. "If you see something, say something" is an excellent start, but it is more. If a door that should be locked is not locked, in addition to saying something, employees must be empowered to lock the door.
- It must not be "one and done". Hearing about risks and what to do is not a one-time If it were, we would not have fire drills.
Learning Tree has courses in the cyber security area to help people gain the necessary skills.
Cyber security awareness is an attitude. It is, perhaps, a specialized part of situational awareness. It means being aware and it means acting. It's sort of like "street smarts;" it isn't an event, it is a lifestyle.
Cyber Security Training
AUTHOR: John McDermott