People

People are often referred to as the weakest link in an information security program. Through either intentional or accidental misuse of access, people often leave networks and organizations exposed.

“All it takes is just one weak link in the chain for an attacker to gain a foothold into your network”.

All too often, security programs tend to focus on technical controls rather than the human element. In addition to managerial, technical, and operational security controls we also need human controls to account for what NIST describes as the ‘People Factor’ such that we can help create an environment that constantly reminds people of the ‘right thing’ to do.

“Your organization can be bristling with firewalls and IDS, but if a naïve user ushers an attacker in through the back door you have wasted your money”.

Although the weakness that people present can never be totally eliminated, a well-planned security awareness program can help to reduce the risk to an acceptable level. It is critical that users understand their role in protecting information and information assets. [SANS Institute 2002]

That’s where we come in: we help security leaders in organizations across the world to build and develop customized security awareness programs, along with dynamic content specifically targeted to your users.

We recognize that ‘One Size Doesn’t Always Fit All’ and that the messages and content delivery that work for some users will be less effective with others.

You can bombard users with content and reasons why they need to follow security policy, but at the end of the day it all comes down to messaging – and having that message resonate with those receiving it, so that it sticks and gets put into day-to-day practice, no matter how busy or how distracted that user may be!

Objectives

We believe that the primary objective of a security awareness program should be to educate users on their responsibility to help protect the confidentiality, availability and integrity of their organization’s information and information assets.

Information security is everyone’s responsibility, not just the IT security department. It is critical that users understand not only how to protect the organization’s information, but why it is important to protect that information.

“People are often the weakest link in a security chain, because they are not trained or generally aware of what security is all about. Employees must understand how their actions can greatly impact the overall security position of an organization”

An awareness program should reinforce security policy and other information security practices that are supported by the organization.

“Security awareness helps minimize the cost of security incidents, helps accelerate the development of new application systems, and helps assure the consistent implementation of controls across an organization’s information systems”.

The goal of awareness should be to raise the collective awareness of the importance of security and security controls. Awareness messages should be simple, clear and presented in a format that is easily understood by the audience. The goal of training should be to facilitate a more in-depth level of user understanding.

Training

Our security awareness and training content is highly adaptive and customized to meet your needs. That being said, we base much of our content on guidance from the SANS Institute, NIST (National Institute of Standards and Technology), and ENISA (European Network and Information Security Agency).

Our training approach follows recognized standards and guidelines from the NIST Cybersecurity Framework and SP800 publications to “aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities.”

Security awareness training should be the process of educating people about:

  • the risks and vulnerabilities facing their business environment
  • the tools they can use to minimize these risks and vulnerabilities
  • the mechanisms a company has in place by which people are able to keep their knowledge current

Furthermore, it should reduce risk through creating:

  • Awareness of confidentiality, availability, and integrity risks that face the business
  • Awareness of vulnerabilities that affect computing systems with which users interact
  • Knowledge of corporate policies and procedures designed to address these risks
  • Understanding of roles and responsibilities

To be successful, we believe that security awareness training needs to be relevant, effective and entertaining, not dull, boring and mandatory. This should be a mixture of formal and informal training, delivered in multi-mode delivery formats to keep participants engaged, and with key themes presented and reinforced by ongoing awareness reminders to make learning permanent.

Furthermore, we encourage a differentiated approach for various groups of users. In a hospital environment, for example, nursing and support staff receive different training from that of physicians, which is different again from that of IT staff, who usually have elevated access privileges and therefore may pose greater risk.

Some staff groups may need to meet very basic learning objectives on key themes to build foundational understanding, whereas other groups may need concise to-the-point instruction supported by business justification and reason. Highly privileged users may need to be reminded of their responsibilities and the need to consistently follow policies, procedures, standards and guidelines.

Figure: NIST Security Awareness Pyramid

Through a gradual process of targeted awareness themes, user security awareness can be improved over time in order to reduce risks of spear phishing / social engineering, and other common attacks which negate the technical, administrative and physical controls already in place.

About Us

We’ve been in the cybersecurity business for the past 25 years – in fact long before anyone called it ‘cybersecurity’. During this time we have not only managed our own information security awareness programs, as security leaders in various organizations, but have also assisted many other organizations to build, refine or refresh their own programs with new and effective content that works.

We recognize that even the best leaders and best programs could use some fresh ideas from time to time and some help to raise the security awareness bar. We can certainly assist you with that.

For more information or to schedule a call please contact us via the ‘Contact Us’ section below.

Next Steps

We look forward to helping you.