According to recent reports from Symantec and Verizon, user mistakes were responsible for most of the successful cyberattacks that occurred last year. The Verizon report claims that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing; Symantec’s report found that phishing attacks are proving so successful that even sophisticated state-sponsored spies rely on it. And the FBI calls phishing the most vulnerable attack vector in cybersecurity.
Because IT security departments have made tremendous strides in building multiple technical layers to protect the network (such as privilege elevation, next-generation firewalls, and tight password policies), hackers have resorted to social engineering as a prized technique for prying information from enterprise users. Whole dark industries have been built around spoofing trusted sources, i.e., sending a fake message that people will click because they think it’s from someone or something they know.
Phishing is what compromised Target, Anthem, Home Depot and Sony—and it’s not just high-profile enterprises in the cross hairs. In April, a Massachusetts police department was a victim of ransomware (the police had no choice but to pay up).
The prevalence of phishing has led enterprises to embrace security awareness programs as a way to prevent social engineering.
What Is Security Awareness?
On the surface, security awareness (SA) is a somewhat amorphous concept. In a proverbial nutshell, it is the knowledge and attitude that members of an organization bring to the protection of their physical and informational assets. SA isn’t limited to software or datasets; without a strong sense of awareness, documents are left in conference rooms, smartphones lost on planes, and lobby doors held open for strangers without magnetic access cards.
Nobody wants their security breached—and that makes SA a business initiative, one that touches all aspects of the organization, including clients and vendors.
Who Is Qualified?
While security awareness officer is a full-time position, other jobs can absorb some formalized SA responsibilities. Such positions are ideal for trainers, help desk technicians, and anyone else with an IT or security background.
What Does an SA Officer Do?
The objective is to adjust an organization’s security-related behavior, via targeted messages that make employees think about their decisions throughout the day. While every corporate culture is unique, there are some consistencies in the security-awareness process. For example, an SA officer works with management on developing policies and best practices. (As management must hold a stake in the program’s success, it needs to be involved in planning and coordination.)
Anyone involved in security awareness must partner with second-tier sponsors for the project; these are usually the department managers. They must also build a security portal on the firm’s Intranet, in order to communicate with employees, and keep that portal up-to-date with blog posts, teaching materials, quizzes, and even games.
Your security-awareness professional also develops and communicates incident-escalation processes. Both employees and the firm’s help desk need to know what to do when they think they’ve been phished, lost a laptop, got a virus, or see anything generally suspicious.
Lastly, anyone in this role must track progress. It can be challenging to measure success, especially when the metrics aren’t always tangible; both empirical and anecdotal tracking are important.
What Skills Are Needed?
An SA officer should be able to:
- Communicate complex messages in a clear and concise form, while modifying the message to the various departments within the organization.
- Plan, manage and maintain a complex, organization-wide program over the longer term.
- Display a practical knowledge of different message-distribution techniques to ensure end-user communities understand and continually apply the required behavioral change necessary to reduce the “human factors” risk.
- Communicate with and coordinate the activities of others.
- Understand the concept of information risk and the different elements that make up that risk. In addition, have a basic understanding of the different concepts of information security.
As IT departments continue to harden the network against threats, the easiest way for hackers to penetrate an organization is through the employees. That makes security awareness more important than ever. Remember that SA is a business initiative and not an IT project; when pitching or applying for the position, make sure that the executive committee is firmly behind it, or the job won’t last long.
Image: Maksim Kabakou/Shutterstock.com