Breaking Down The Critical Security Controls: CSC 17 – Security Awareness
The Critical Security Controls up to this point have been focusing on the technology and policies around the technology. In security you can have all the tools and rules you want but the weakest link, is and will always be, the people. People that create, manage and use is your biggest problem. The best way to mitigate and minimize that risk is to increase education and awareness. Train everyone. Security is not an IT problem, it’s everyone’s problem. The next control, number 17, is all about security awareness and training.
Here’s what the control says –
For all functional roles in the organization prioritizing those mission critical to the business and its security, identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
The control is vague on purpose for who this covers. I have always focused on and told clients, if they are getting a paycheck they need awareness training. If they touch your systems, like a vendor, 3rd party service, etc… they need to know what you are doing and what is expected of them. Be transparent, clear, and open to your security posture and more importantly why you have all these tools and rules in place. Never assume people will understand why you have a complex password rule, require a token to login with, restrict Internet access to limited areas. All the employees will see are obstacles, inconveniences and annoyances. Worse, if they can get around your processes they will. The bare minimum is what will happen from the behavior of people over time when it comes to security. That is, unless they are more aware and cognizant of the challenges and risks around them.
Establish a security awareness presentation for starters. Cover the basics of security. Password handling, workstation protection, physical security and external threats should be covered. Most importantly there should be a connection between security and the work they do. Most security awareness training I have seen are standard topics. They are boring, they are the same across industries and people click through them but do not really retain the content.
If you want people to learn what you want them to make the content relatable. Link it to what’s important to them and what’s important for the company. When you can explain the Why you are doing something, people will listen more.
In more mature environments you should have a central learning system. Train and push out content centrally and you can track and trend how people are performing on answering the questions.
Keeping the business aware of ongoing security topics goes far beyond an annual awareness test. Transparency, open communications and involvement across the business will bring awareness to you and your program.
One aspect that I found great success with is a Security Newsletter. Each payday, which for most is about every two weeks, I sent you a Security Connection email along with HR notices. In that I had a short paragraph on a new initiative coming, audits going on, and provided security tips for home use. That was the biggest success is bridging the security practice of an employee’s home life to corporate security posture.
How It Could Be Exploited
Security awareness will help improve a person’s use of technology and data. Mistakes still happen and will happen but if a person is equipped with a few of the risks and consequences of certain actions they will slow down a bit and think about it. Social engineering, spam emails, strange attachments, bad downloads, poor websites are all action by individuals. Behavior can be guided, not controlled (bad word) but guided to make good decisions.
Social engineer is the most popular way to attempt a hack. It’s easy, low tech and highly successful.
As I tell every single person I work with –
It’s better to hesitate and ask than click and be wrong.
End of line.