Security For All Begins With Security Awareness Training
October is Cybersecurity Awareness Month. This year, 2021, the theme is 'Do Your Part #BeCyberSmart', which aims to empower individuals and organisations to own their role in protecting their part of cyber space.
According to the SANS 2021 Security Awareness Report, over 75% of security awareness professionals spend less than half their time on security awareness, which suggests that many awareness programmes are not comprehensive. Despite this, training and education continue to prove their value: the recently published 2021 Microsoft Digital Defense Report found a 50% year-over-year reduction in employee susceptibility to phishing attacks after simulation training.
Strengthening our Collective Digital and Security Ecosystem Together
Compliance with security awareness requirements such as COBIT, GDPR and ISO 27001 is only the starting point. As the world turned remote and hybrid work became the norm, anything less than comprehensive security awareness leaves an organisation vulnerable. Alyne will therefore share guidance on how we conduct cyber security awareness training for our employees, to help strengthen our collective digital ecosystem. This is particularly important because significant events, such as the coronavirus pandemic and, more recently, the acquisition of Alyne by Mitratech, have brought heightened phishing attempts and shown the need for cyber awareness across our business.
How Did the Coronavirus Pandemic Affect Security Awareness?
As we emerge into the post-pandemic period, many organisations have adopted the ‘Virtual First’ model. However, when organisations were first settling on a working model, many scrambled to evaluate different forms of communication in search of the most secure and efficient way to communicate.
The ‘Virtual First’ model and hybrid working could be the future of work. However, this approach tends to create different employee experiences and new risks, including unsecured physical home environments, a wider variety of devices, and residential internet connections with consumer-level SLAs only.
How Did the Acquisition of Alyne Affect Security Awareness?
Being cast under the spotlight of the news certainly triggered phishing mails from threat actors, who see opportunity in a new environment with many new people and names, where not everyone is familiar with each other. Combined with more email communication, especially outside one's own organisation, this makes verification challenging and phishing hard to detect; a successful attempt would then create a security threat that other cyber criminals replicate.
Five Practices that Alyne Adopts
1. Know What You Have and What You Do
Here at Alyne, we clearly outline and document the kind of data we store and the processes we use. It is important to understand what types of data and processes you have, and where they are.
2. Assign Ownership
It is always important to practise accountability, because failures happen most often where no one feels responsible.
3. Keep Sensitive Data Confidential
Alyne always ensures that sensitive data is stored in a secure manner that preserves its confidentiality. This includes data such as:
- Customer documents and risk data
- Personally identifiable information
- Sensitive Alyne internal documents
4. Traceability of Changes for Data Integrity
Data integrity may be compromised through human error, errors in transfer, hacking, and other cyber threats. Traceability of changes gives Alyne and other organisations the ability to inspect and verify the recorded changes, and so to plan for business continuity.
5. Avoid Distractions or Obstacles for People’s Work and General Operations
In a world where we constantly face distraction and interruption from push notifications and shrinking office space, it is important to optimise operational processes to minimise hiccups and security gaps.
Success Factors of a Security Awareness Training Program
While implementing security awareness programmes for employees, security professionals should always bear in mind that the core learning goal is that everyone has a role in information security; it is not just the responsibility of the “security person” or security department.
With this in mind, we have identified 4 properties that are usually present in organisations considered to be highly secure:
- Make it relevant to each participant’s and team’s context
- Make it as interactive as possible, not just a dry lecture
- Include advice on personal information security and how it relates to organisational information security
- Focus on simple core messages and do not overload the audience with (technical) details that are not relevant to them