Information security is not just a problem for IT geeks. It has to be everyone’s responsibility. Every employee in your company needs information security training in order to be aware of security issues and to think rationally about risks.
Everyone should know better than to click suspicious links or open unexpected file attachments. Nobody should be sending sensitive data unencrypted over the public internet, or logging into corporate systems over untrusted public wi-fi without a VPN.
All Employees Should Be Concerned About InfoSec
You might be agreeing with me and shrugging your shoulders at the same time. Sure, we need to be more aware… but we’ve never had a problem so we’re not really worried. Stuff like that only happens to big companies. Besides, that’s why we have anti-virus, right?
Folks, plausible deniability is not an InfoSec strategy. With spear-phishing, social engineering, malvertising and all manner of fraud and malware on the rise, your employees are the primary target for many—if not most—attacks. How long before somebody takes the bait?
People need to be trained, sure. But beyond that, they need to be concerned. They need to “get” the risks and recognize that it’s part of their job to deal with them. InfoSec professionals like to talk about “shrinking the attack surface,” but we also need to broaden the defense team.
Integrating Information Security Training Into Your Business
InfoSec is an ongoing battle and everyone in the organization is on the front lines every day. It’s great to have InfoSec policies and procedures, but then you have to live up to them. It’s not one-and-done. Learn from what happened yesterday and apply it to tomorrow.
“Tone from the top” can really work for you or against you, in terms of sending the right message. At one company I worked with, the CEO didn’t want to use passwords. His rationale was that 1) he couldn’t remember them, and 2) his executive assistant was always accessing his accounts anyhow so what difference did it make? Contrast that with the CSO of MasterCard, who makes top-down security awareness a key corporate value.
Another way to look at it is: how do you protect the perimeter? With trends like mobile devices, remote access, BYOD, social media and Internet of Things (IoT), a company’s “perimeter” has become so vast and permeable that it almost doesn’t exist per se anymore.
Your corporate perimeter has become the device each employee is using at the time—and if that’s not secure and protected, what good is a firewall and a bunch of security cameras?
How do you protect mobile devices and other endpoints? That goes back to policies and procedures, and making sure we’re all living up to them. If employees insist on clinging to bad habits like using their cat’s name as the password for every system they access, those weaknesses will eventually be exploited: one breached site or one guessed login exposes every other account that shares the same password.
Professional Information Security Training
If you’re concerned about your company’s level of awareness and commitment to information security, security awareness education can help.
To find out more about what a simple, affordable and effective information security training program can look like for your business, contact Pivot Point Security.
For more security awareness information:
- This excellent slide show from ITBusinessEdge.com on “Five Reasons Why Information Security Is Everyone’s Job”
- Information Security Begins at Home
- What’s the Status of Your InfoSec Awareness Program?
Phishing emails are tricky. Based on our Cyber Security Awareness Training material, the 10 Tips for Detecting Phishing Emails infographic provides a cheat sheet of what to look for in unfamiliar emails.