If you’re like me, you think about cyber security all day, every day. You may even dream about it. It’s why I’m an IT security professional (and probably not the most interesting guy you’ll ever meet).
But since most people have other things on their minds most of the time, it takes a special effort to get them to focus on the importance of IT security. That’s where National Cyber Security Awareness Month—which occurs every October—comes in.
While setting aside a month to promote cyber security may not seem like the most hard-hitting tool to tighten security for your organization, it actually is a great opportunity to do just that. That’s because, more than ever, cyber security is all about people’s behavior, and raising awareness is one of the best ways to have an impact on that.
What we have come to realize in IT security is that policy, compliance and governance alone won’t achieve cyber security for your organization unless people take those policies and rules and use them to make the right security decisions. The reality is that whether it’s people in their homes or in the workplace, we depend on individual behaviors to safeguard IT security—or anything else for that matter. If you don’t lock your door, people can walk straight into your house. If you leave your car unlocked, there’s a greater chance it—or something in it—will get stolen.
If you look at why people behave the way they do, it’s really because of a few particular things. First, attitude is a predictor of future behavior, so your end users’ attitude toward cyber security is important. And since you can’t have an attitude towards something unless you have some kind of knowledge and awareness about it, educating end users about cyber security issues is fundamentally important.
Now certainly your employees have a sense of cyber security issues, both from your internal efforts and from a steady stream of messaging about cyber threats out in the world these days. But people tend to have a fixed capacity regarding how many issues they can process at the same time. And while hearing about a security breach might get them to be more careful for a while, they eventually forget about it and move on to other things.
We all tend to do that. For example, last month when thieves broke into a house in my neighborhood, I feverishly made sure to turn on my home security alarm every single day for several weeks. But these days I am becoming less diligent about turning it on. The urgency has faded in my mind, replaced by other things. If there were another break-in, I’d be careful to set the alarm again.
EMC Global Security Organization (GSO) doesn’t want to wait for a security issue for users to pay attention to security threats. Fortunately, EMC is a partner in this nationally sponsored program to step up an information effort on cyber security and get people’s mindshare for this specific period of time.
From fun and games to videotaped executive testimonials on security and threat awareness seminars, we at EMC GSO are going all out to engage our end users in security awareness this month. It ties in with our year-round end user awareness program called EMC FirstLine. What we do this month will serve as a platform to launch new capabilities and new programs to raise security awareness.
Like the rest of our industry, we have shifted our IT security approach over the years from a centralized approach of imposing security restrictions on our users to driving risk decisions back out to users in the business and giving them increased responsibility. Although it is essential to our ability to keep our users safe, technology is not a panacea, and users will continually be faced with online trust decisions. Also, people can always find a way around security controls if they want to. Through FirstLine, we provide users with the tools and education they need to make responsible decisions.
This strategy is particularly important in a technology organization, where we seek to attract people who are free-thinkers and innovators. Unlike a more regimented environment, our end users are less inclined to do something just because we tell them to. They tend to make their own decisions based on their understanding of the issues.
Our job is to put enough information into their minds that when it comes down to making security decisions, they’ll understand the implications of doing or not doing something. The good news is our investment in making our users the first line of defense against security threats is paying off. We are seeing more people reporting things like phishing. The measurements we have in place are showing a greater security awareness in general among our end users.
Ultimately, our core messages for this National Cyber Security Awareness Month are the same as they were last year and the year before: Our employees are our First Line of defense against cyber threats; think before you click. All worth repeating in a time set aside on a national level to get folks thinking about a subject that doesn’t fill most people’s dreams but can help us avoid cyber security nightmares.
To learn more go to:
RSA’s “Speaking of Security” Blog: https://www.rsa.com/en-us/blog
The SANS Institute’s “Securing the Human” Blog: http://www.securingthehuman.org/blog