What Is A Security Awareness Program

Story Highlights

- Cyber security awareness is no longer an option; it is a significant layer of security that every IT-enabled organization must have.
- Spending on information security products and services reached $114 billion US dollars in 2018.
- The average total cost of a data breach in 2017 was $3.62 million.
- Cyber security is everyone's responsibility.

The Cyber Security Awareness Program Every Organization Needs

Lack of cyber security awareness training and accountability tops the list of causes of information security breaches. According to, spending on information security products and services reached $114 billion US dollars in 2018, an increase of 12.4 percent from 2017. On the other hand, the average total cost of a data breach in 2017 was $3.62 million according to.

And the 2019 forecasts are not any better. When you dig deeper into the studies, you realize that a surprisingly high percentage of data breaches took place in organizations with a high IT security budget. And while some attacks could be traced back to disgruntled workers, a great deal of other attacks are simply the result of actions taken by naive, non-malicious employees who simply weren't well informed.

Over the past years, IT has become the main enabler of almost every business.

And security has always been a major concern. Implementing a security awareness program has become a must for every organization, regardless of its size, industry, or location.

[Figure: Cyber Security Awareness Maturity Model. Source: SANS Institute]

At CIATEC, is one of the main services provided. Our security awareness program is a continuous cycle that runs all year round. A well implemented security awareness program helps prevent a breach, or at least mitigates the risks.

In this article, we compiled lists of the top reasons for cyber security breaches, the benefits of awareness and training, the topics an awareness program should cover, and the channels used to deliver it.

Reasons of Cyber Security Breaches

1- Uninformed Employees

Uninformed, naive and non-malicious employees lacking information security awareness and training top the list of causes. Our experience taught us that technology alone cannot completely secure IT environments; there will always be a human factor involved, whether on the IT department side or on the end user side.

Unfortunately, the human brain cannot be patched the same way as a computer! It can only be nourished by knowledge. It only takes one single uninformed employee who takes the bait of a phishing email to compromise the organization's cyber security.

Hint: Deploy an awareness program that runs all year round and keep it up-to-date with the latest threat trends.

2- Human Errors

Human errors by regular IT users are always a threat.

However, the bigger threat is the errors made by IT administrators! Lack of knowledge, and sometimes lack of focus, leads to configuration errors that leave doors open for attackers.

Hint: Adopt a framework or standard that organizes change, event, problem and incident management, such as ISO 27001, ISO 20000 or ITIL.

3- Malware

Successful malware attacks such as ransomware, viruses, worms, and trojans are always a threat to cyber security and a reason behind security breaches.

Hint: Train your staff on how to deal with malware attacks and apply best practices.

4- Stolen Devices

Laptops and mobile devices that are stolen during commuting or traveling pose a significant risk that should be handled by risk management.

Hint: Raise awareness of, and apply, mobile device encryption.

5- Disgruntled Workers

Dissatisfied employees and third-party contractors with bad intentions.

Hint: Deploy proper employee termination, segregation of duties, and vendor management processes.

6- Lack of Funds

A low cyber security budget is a problem on its own for some organizations. Other organizations fall into the trap of "budget maldistribution", where most of the budget goes to sophisticated security software and hardware appliances while employee information security awareness and training are neglected. Big mistake!

Hint: If there is no way to increase the cyber security budget, the existing budget should at least be distributed properly.

What will Security Awareness and Training add?

Cyber security awareness and training provide the following benefits:

Benefits of Cyber Security Awareness

1- Hardening the Last Layer of Defense

Employees are the last layer of defense, and in some cases they are the first layer, depending on the nature of the attack. Yet they are the weakest link in the cyber security chain; this has become a universal truth. A well implemented and maintained cyber security awareness program will ensure this link is hardened and the network as a whole is stronger.

2- Compliance Requirement

All major information security standards and frameworks, such as ISO/IEC 27001, require an awareness program to be in place.

3- Adapting to Continuously Changing Threats

The complexity of threats and attacks is increasing every day. Cyber security units need to keep up and, more importantly, cyber security awareness units need to keep all users informed about the latest threats and cyber attack trends.

4- Increased Engagement

Does your organization have an information security handbook containing all your information security policies?

Is it updated and distributed to users on a regular basis? If so, how many of them actually read it, understand it and become familiar with its content? With awareness, things are different. Running cyber security awareness campaigns all year round and on various channels will create a culture of security within the organization and engage employees in information security practices.

Cyber Security Awareness Topics

The importance of cyber security awareness topics varies from one organization to another. Each organization has its own priorities. Yet it is always recommended to work holistically and cover all topics when implementing a cyber security awareness program.

The major topics that should be covered in an information security awareness program:

1- Physical Security

Physical security is a sub-domain of information security that goes beyond IT to address issues related to entrance points, locked doors, drawers, cabinets, desks, as well as desktop, laptop and mobile device security. Users should be aware of, and able to deal with, physical security threats of all kinds.

2- Data Security

Cyber security is all about protecting information assets, right? Educating users on how to handle data security should be a major topic in any cyber security awareness program.

3- Print Security

Whether in hard copies or in soft copies, information needs to be secured. Print security is one of the many topics addressed in an information security awareness program. In addition to making users aware of the concepts of secure printing, there are plenty of built-in and third-party printing solutions that can be of great use in implementing secure printing policies.

4- Network and Wireless Security

Given the insecure nature of wireless networks, enterprises count on employee awareness to better harden this area. An organization-owned laptop or other mobile device has at least 10 wireless network SSIDs stored: office, home, airport, hotel, coffee shop, etc. Sniffing can occur on any of these wireless networks, jeopardizing the organization's information assets.

Hence the need for wireless network security awareness. On the other hand, with sophisticated wired network security solutions, organizations might reach a significant level of security. Yet awareness is always needed to harden the weakest link.

5- Data Destruction

Security doesn't stop when you stop using a certain device.

If a device still holds your data, security policies still apply, even if the device is not used any more. And if the device is to be disposed of, it must be disposed of securely. Cyber security awareness programs should cover how to get rid of old devices in a secure manner.

6- Password Security

Password security is one of the most challenging domains in cyber security awareness. A lot of resistance is found here: users hate being forced to remember new passwords and have difficulty creating new passwords that meet complexity requirements. Luckily, there is a solution that helps users get over this.

7- Phishing and Email Security

Phishing attacks are getting serious. 9 out of 10 phishing attacks are now ransomware, and pseudo ransomware is a new trend.

Pseudo ransomware attacks are here to make users pay a ransom for data that is not even encrypted! Training on how to avoid phishing scams and what to do in the event of an attack is a high priority in a cyber security awareness program. The cycle goes through four steps: Assess, Educate, Phish, Get results, and REPEAT. Phishing awareness, like any other cyber security awareness component, is a continuous cycle. For more info about phishing awareness:

8- Malware

Users in any business industry or size, and even home users, should have the ability to identify a malware attack when they see one.

It is also important that users can identify the malware type (virus, trojan, worm, adware, spyware, ransomware). But what is more important is knowing how to act in the event of a malware infection. A good cyber security awareness program should provide this know-how.

9- Mobile Device Security

Mobile devices, whether personal or corporate owned, hold information assets that must be protected.

Mobile device security is a serious topic that should be addressed thoroughly in a corporate cyber security awareness program.

10- Browser Security

Training users to check URLs and SSL/TLS-encrypted sites (i.e., https), keep browsers up-to-date, use minimal plugins, and scan any downloaded files is basic browser security awareness material.

Cyber security is everyone's responsibility.

Cyber Security Awareness Channels

Communicating the information is as important as the information itself. What fits one organization may not necessarily fit another. Communicating cyber security awareness material to the right audience using the right channels is what an awareness program is all about. Here is a list of the most commonly used cyber security awareness channels.

Educational Videos

Videos are one of the most effective learning materials. CIATEC provides cyber security awareness videos hosted on CIATEC's servers or on the client's portal.

Like all cyber security awareness material, videos are continuously updated to keep up with the latest cyber security awareness trends as well as the latest animation trends.

Billboard or Roll-up Banners

A roll-up banner in a meeting room, in the lobby, or in any other public space will help raise cyber security awareness without effort.

Screen Posters

Like roll-up banners, displaying cyber security awareness material on screens in public places, where available, will help raise cyber security awareness by reaching all staff.

Email Posters and Newsletters

Email posters and newsletters are another channel that comes in handy when addressing specific topics in a cyber security awareness program, especially when presented as an element of a bigger campaign.

Gaming Material

This has also proved to be one of the most effective techniques for passing on the awareness message in an atmosphere of fun and entertainment. Whether a simple crossword puzzle, a matching game, or much more sophisticated information security gaming material, it all helps to relay the information to users easily.

Educational Magazine

Educational magazines, whether as an e-magazine, email newsletter or paperback, when published and distributed on a regular basis will keep users informed of the latest security trends and how to avoid breaches.

Information Security Courses, Workshops, and Quizzes

Old-fashioned classroom training courses and online courses are always a good channel to reach out to employees. In training, it is advised to group employees by trade or department. This way the trainer can address the specific security topics associated with the audience's trade. Training should also be followed by a quiz to measure the effectiveness of cyber security awareness and training.

Phishing Simulations

Proven to be one of the most effective ways to identify points of weakness against phishing attacks. Phishing simulations, as part of the overall cyber security awareness program, use hundreds of templates and provide accurate reports identifying:

- Users who opened the simulation email.
- Users who clicked on links.
- Users who submitted sensitive data.

This way, the information security team can identify and educate employees accordingly. Contact us to start a phishing awareness campaign.

Dedicated Information Security Portal and Mobile App

A dedicated information security web portal will serve as a reference for all users in all information security matters within the organization and will help keep users well informed. It may contain the below elements.
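As an added example (not CIATEC's own tooling), the following script shows how the simulation report described above is turned into a per-department funnel and a follow-up training list. The event log, event names and department names are constructed sample data; real platforms export their own schema.

```python
"""Phishing-simulation funnel report (added example, not CIATEC code)."""
from collections import defaultdict

# Constructed sample event log: (user, department, event). Event names are an
# assumption about what a simulation platform records for each user.
EVENTS = [
    ("alice", "finance", "sent"), ("alice", "finance", "opened"),
    ("alice", "finance", "clicked"), ("alice", "finance", "submitted"),
    ("bob", "finance", "sent"), ("bob", "finance", "opened"),
    ("carol", "hr", "sent"), ("carol", "hr", "opened"),
    ("carol", "hr", "clicked"),
    ("dave", "hr", "sent"), ("dave", "hr", "reported"),
]

STAGES = ("sent", "opened", "clicked", "submitted")
# The funnel is monotone: submitting implies clicking implies opening implies
# the mail was sent, so a user is counted at every stage up to the deepest one.
DEPTH = {stage: i for i, stage in enumerate(STAGES)}


def user_depth(events):
    """Deepest funnel stage reached per user (0 = sent only, 3 = submitted)."""
    depth = {}
    for user, _, event in events:
        if event in DEPTH:
            depth[user] = max(depth.get(user, 0), DEPTH[event])
    return depth


def funnel_by_department(events):
    """Per-department count of users reaching each stage of the funnel."""
    depth = user_depth(events)
    dept_of = {user: dept for user, dept, _ in events}
    funnel = defaultdict(lambda: {s: 0 for s in STAGES})
    for user, d in depth.items():
        for stage in STAGES[: d + 1]:
            funnel[dept_of[user]][stage] += 1
    return dict(funnel)


def needs_training(events, min_stage="clicked"):
    """Users who reached at least min_stage: the ones to educate first."""
    threshold = DEPTH[min_stage]
    return sorted(u for u, d in user_depth(events).items() if d >= threshold)


def reporters(events):
    """Users who reported the simulated email, the behaviour the program wants."""
    return sorted({u for u, _, e in events if e == "reported"})
```

Reporting rate (reporters divided by users sent) is the metric worth trending across campaigns, since it measures the desired behaviour rather than only failures.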