Security Awareness Training

Purpose

Establishing and maintaining information-security awareness through a security awareness program is vital to an organization’s progress and success. A robust and properly implemented security awareness program supports the organization in educating staff, monitoring their behaviour, and maintaining security awareness over time. It also helps the organization respond quickly to the ever-changing data security threat environment and reinforces the organization’s business culture.

Introduction to Information Security

The use of technology is an inescapable component of modern business operations. From manufacturing to marketing, sales to finance, and every aspect of communications therein, technology plays an ever-increasing role.

The risks associated with technology are well known. A recent report in the Atlantic found that 92% of IT firms have reported attacks on their clients’ systems. The cost of leaving computers unprotected, and their systems and data vulnerable, runs to millions of pounds per year. The onus is therefore on proactive management teams to guide their staff, through policies and training, on the critical importance of cyber security.

Consider the 2017 Equifax breach, which affected millions of consumers over a period of several months. The company had been warned that it needed to patch a software vulnerability, but its IT team did not follow the required protocol. They ran scans that should have detected the vulnerability but did not. Believing they were safe, business went on as usual.

Then, on 13 May 2017, attackers gained access to the Equifax servers through the unpatched vulnerability, a failure that Equifax’s former CEO reportedly attributed to a single employee not acting on the patch notification. From there, the attackers were able to extract information including social security numbers, private financial data, and addresses for over 143 million people (a figure Equifax later revised upward). The attack would only grow from that point on, demonstrating how a seemingly small security flaw can become one of the largest and perhaps costliest breaches in history.

There are thousands of such stories, of every scale, from businesses across the globe. Cyber attacks and data breaches have increased in both frequency and extent, and one has only to look at the aftermath of many of these incidents to be prompted into action.

For example, in 2018, five years after the 2013 Target data breach, the company is still dealing with the ramifications of its security incident. Not only has Target spent upwards of 140 million pounds on cleanup efforts and legal costs, but its settlement also requires it to strengthen its security program: hiring a Chief Information Security Officer, improving security processes, and establishing a security training program for its staff.


Understanding the cyber security landscape

A security awareness program should follow these best practices:

Organizational Security Awareness: A successful security awareness program within an organization typically includes assembling a security awareness team, role-based security awareness, metrics, appropriate training content, and communication of security awareness throughout the organization.

Security Awareness Content: A critical aspect of training is deciding what type of content to deliver. Identifying the different roles within the organization is the first step in developing the appropriate content, and it also determines what information each role’s training should cover.

Security Awareness Training Checklist: Establishing a checklist helps an organization when developing, monitoring, and maintaining a security awareness training program.

Importance of Security Awareness

One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather, it is the action or inaction of employees and other personnel that leads to security incidents: for example, disclosing information that could be used in a social engineering attack, failing to report observed unusual activity, or accessing sensitive information unrelated to the user’s role without following the proper procedures. It is therefore vital that organizations have a security awareness program in place to ensure employees understand the importance of protecting sensitive information, how to handle information securely, and the risks of mishandling it.

Employees’ understanding of the organizational and personal consequences of mishandling sensitive information is crucial to an organization’s success. Potential consequences include penalties levied against the organization, reputational harm to the organization and its employees, and impact on an employee’s job. It is important to put potential organizational harm into perspective for personnel, explaining how such damage to the organization can affect their own roles.