Security awareness has become one of the most important investments a company can make. In this article, we’re going to explain everything you need to know to safeguard your business against a growing threat.

The Definition of Security Awareness

Security awareness is a formal process for training and educating employees about IT protection. It involves:

  • Programs to educate employees
  • Individual responsibility for company security policies
  • Measures to audit these efforts

Obviously, the first bullet point is the main component of a security awareness program, but it’s just as important that employees are held accountable and steps are taken to gauge the effectiveness of an organization’s security measures.

Security awareness can be broken down into four stages:

  • Determining the current status
  • Developing and crafting a security awareness program
  • Deploying said program to employees
  • Measuring the progress made by the program and revising as necessary

Before we begin describing the various types of security awareness, let’s take a look at the history that has brought us to this current point.

A Brief History of Security Awareness

The history of cyber security goes back almost as far as the Internet itself. Indeed, from the very beginning of the World Wide Web becoming a mainstream resource, criminals have been using it to their advantage.

One of the very first examples of this particular type of crime occurred in the early 1980s. A group known as the 414s (named after their Milwaukee area code) was arrested for breaking into roughly 60 different computers. These included devices in the Memorial Sloan-Kettering Cancer Center all the way up to ones located in the Los Alamos National Laboratory.

The government was quick to respond to this new threat. Laws like the Computer Fraud and Abuse Act were passed in order to prevent and punish attempts by these malicious parties. The Computer Emergency Response Team was also formed in an effort to investigate the growing number of hacks and potential methods of protection.

The decade would end with the first recognized version of a worm. Robert Morris was the hacker behind the attack and, even in the beginning, these self-propagating viruses were capable of massive amounts of destruction. In fact, it shut down almost the entire World Wide Web at the time. Morris’ virus was also the first version of a widespread DoS (Denial of Service) attack.

This and subsequent attacks are of interest because they were the impetus for much of what we think of as cyber security today. CERTs (computer emergency response teams) were created as a result. With this attack, companies began realizing how vulnerable they truly were. An adage we now hear all the time in the cyber security community, “Prevention is better than a cure,” was coined around this time.

Through much of the 1990s, hackers continued their assaults, though most of the victims were government agencies and huge multinational corporations. After all, the Internet wasn’t a widespread tool at this point.

One of the first examples of hacking that affected the mainstream public took place in 1997. The search engine, Yahoo!, was the target. Hackers claimed that a “logic bomb” would be detonated on any PC using Yahoo! on Christmas Day if famous hacker Kevin Mitnick wasn’t released from prison.

The claim was a bluff.

Another example occurred in 1998; the Bureau of Labor Statistics became the victim of one of the first versions of spamming when it received hundreds of thousands of information requests.

As a result of these and other cyber attacks, the U.S. Justice Department introduced the National Infrastructure Protection Center. Its mission was to safeguard the country’s telecommunications, transportation and technology systems from hackers.

The Rise of Modern Hacking

It was really in the early to late 2000s that hacking evolved into the widespread problem that we know today. Again, much of this goes back to the proportional increase in targets (e.g., more and more people using the Internet).

At the same time, hacking was becoming much simpler. Gone were the days when the only people who were able to execute these attacks had technical skills equal to or better than the foremost programmers in the world.

There was also a proliferation of information about how to hack. Someone who had never even attempted a cyber attack could become a real threat in under a month.

In 2005, a hacker named Albert Gonzalez used his abilities to create a criminal ring of hackers – digital organized crime, if you will – to steal the information from more than 45 million payment cards issued by TJX, a U.S. retailer that owns TJ Maxx and the UK version, TK Maxx.

Before being caught and sentenced to 20 years in prison, Gonzalez’s squad would be responsible for $265 million in damage.

Aside from the obvious scope of the crime, this incident is remarkable because of the effect it had on businesses. The nature of the stolen data was regulated, so each incident required that the authorities be notified. Furthermore, these companies needed to set aside money to compensate the victims.

This was a landmark example because it immediately became clear to the business world that hacking was far, far more than just some nuisance.

Modern-Day Security Awareness

As you’re probably well aware, cyber attacks have not slowed down. In 2013, the breach of Target’s security measures was another shocking reminder to the world of just how vulnerable even the largest corporations were. Some 40 million customers spent the days following Thanksgiving checking their accounts to see if they had money stolen.

The other reason the Target attack is being brought up here is because the level of sophistication used is another milestone in the history of cyber security. As opposed to the direct attack on TJX, the criminals who succeeded with Target knew the importance of a direct approach.

They chose a third-party company that supplied Target with heating and ventilation solutions.

The hackers also realized there was a precise moment when they’d have to strike. Credit card numbers were present and unencrypted in the memory of the system for just a short time.

Again, this also showed the business world that the fallout from such an attack would send ripples in every direction. Cyber security is now a board-level concern as, in the wake of the theft, the CEO of Target actually stepped down.

Types of Security Awareness

With the above in mind, it should be very clear that companies must take security awareness seriously. There is, of course, a place for digital security and the professionals who are able to install and run it.

However, more and more, hackers are succeeding because of phishing attacks and similar versions that rely on companies’ employees to open the door for them.

The Top-down Approach

One very important feature of security awareness is that it can’t simply be the duty of the employees to learn the measures they need to take and apply them. That’s important and we’ll cover that in more detail in a moment, but it should be obvious that a top-down approach is required.

Again, the Target attack made this abundantly clear when the company’s CEO actually fell on his sword as a result of the breach.

For one thing, anyone from a manager up to an executive is going to be an easy target if they are not aware of the potential for attacks and how they can be successful.

This knowledge, though, must also carry over to ensuring that each and every employee is also aware and also capable of keeping the company safe.

Budgeting for Security Awareness

One good indication of whether or not a company is taking security awareness seriously can be found in their budget. How are they treating security awareness as a priority? How does it measure up to other ways funds are allocated?

If your company’s idea of security awareness consists of an email every now and then to remind people of the possibility of an attack, you have to expect that you’ll soon be a victim.

To be clear, security awareness is just one piece of a viable protection plan. Other pieces would include:

  • Creating a security policy
  • Assessing your company’s vulnerabilities
  • Investing in security technology

However, nothing is more important than security awareness. Companies should be spending as much on this investment as they do on the software and other forms of security tech. None of that will be remotely helpful if your people are easy targets for phishing attacks.

An Organizational Structure Dedicated to Security Awareness

This type of security awareness is vital because it affects everyone in the company. Much like the top-down approach, having an organizational structure built around security will make everyone’s job simpler.

If at all possible, you should have a team of people who are responsible for implementing your security awareness program. At the very least, an individual at your organization must take this job.

Otherwise, security awareness becomes a chore that gets passed around, but no one takes it seriously. The team or person responsible for ensuring that the opposite happens must have the full support of the executive team.

Create a Plan and Related Documentation

The plan for every company is going to be a little different, but this is an important type of security awareness that deserves some attention here. Features of your plan should include some version of the following:

  • Outlining the security awareness team and the roles involved
  • A mission statement of the security awareness program that explains its necessity
  • A calendar of activities for the entire year that involves regular activities – not just reminder emails – designed to make sure employees understand common threats and what their role is for preventing them
  • Programs for new employees that explain the security awareness program and their roles
  • References to company security procedures and policies

Again, these will differ slightly by company, but some version should be present. You can’t afford to make the mistake of thinking that your organization somehow won’t be affected by cyber criminals.

Using Different Forms of Media to Reinforce the Message

We’ve touched on reminder emails about security awareness a couple of times. That’s not to say that emails are a bad thing. They’re perfectly fine and everyone needs reminder from time to time.

That being said, you should use multiple forms of media to make sure your company’s messages about security awareness never go ignored.

For example, your calendar of events should involve a security expert at your company getting up in front of people and explaining important topics. Videos can be sent out over email, as well. Tests can be used. Physical reminders around the office may work. The list goes on and on, but the point is not to become complacent about how you deliver the messages about security awareness.

Highlight Recent Attacks in the News

This is an extremely important form of security awareness. However, make sure you’re highlighting all kinds of attacks, not just the ones that make national news. The goal with this approach is to show your employees how prevalent these attacks are, how easily one could succeed with your company, and what the fallout entails.

For this reason, don’t simply highlight the stories that make national news. It’s all too easy for an employee to think, “Yeah, but we’re not Target. No one would bother with us.”

Find the stories about companies your size and/or in your industry. Sadly, it doesn’t look like there is going to be any lack of these incidents going forward.

Seek the Services of a Professional

If you have absolutely no security awareness measures in place at the moment, it’s worth thinking about taking on the services of a professional. They’ll help you get up and running and make sure you quickly make up for lost time.

Even if you have invested in a security awareness policy and other measures, it’s still not a bad idea to bring on an independent consultant from time to time to see if there are areas where you can improve.

Security Awareness in 2017 and Beyond

If 2016 showed us anything, it’s that cyber attacks aren’t slowing down.

The future of security awareness will be heavily invested in prevention education. After all, a company is only as secure as its employees are able to provide protection. With the proliferation of phishing attacks, cybercriminals are all too aware of where it’s best to strike an organization.

From a technical standpoint, it often seems like there is almost nothing we can do to stop hackers from launching successful attacks. Aside from investing in educating their employees, companies will also need to find the best possible ways of handling breaches once they occur.

One technical safeguard we will continue to see more of is encryption. It remains one of the most reliable forms of protection.

Now that you understand the history of security awareness and what needs to happen to make sure your organization doesn’t earn its place, take action today by investing in this very important protocol.

Sources

http://gophishyourself.co.uk/free/

http://www.business2community.com/strategy/4-steps-building-security-awareness-program-01709862

https://www.linkedin.com/pulse/7-essential-security-awareness-training-topics-mike-carthy

http://www.sptimes.com/Hackers/history.hacking.html

https://www.infosecurity-magazine.com/opinions/the-history-of-cybersecurity/

https://securingthehuman.sans.org/blog/2011/01/12/top-ten-security-awareness-topics-roundup

http://www.csoonline.com/article/2133971/strategic-planning-erm/6-essential-components-for-security-awareness-programs.html

http://csrc.nist.gov/organizations/fissea/2006-conference/Lindholm-FISSEA2006.pdf

http://searchsecurity.techtarget.com/definition/security-awareness-training

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Ryan
Fahey

View more articles from Ryan