The online space has no bounds. We are all connected in some way. From our smart TVs and Wi-Fi-enabled home appliances to computers and mobile devices, we are surrounded by technology everywhere we go, and we probably didn’t think we would get as far as becoming dependent on it. Yet we hear about data security breaches happening all over the world and to all types of organizations, and sometimes we don’t realize how close we are to being a part of one. All it takes is one account getting compromised to open the gates.
Unfortunately, we ourselves have become the primary attack vector for threat actors, as mentioned in the SANS 2022 Security Awareness Report (https://www.sans.org/blog/sans-2022-security-awareness-report/). Companies and vendors can only do so much until they’re left with no choice. How can we improve from here? Security awareness.
Specifically, we will be focusing on information security, and on end-users in particular. We’ll do a quick overview.
According to Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-definition-history-types/), “Security Awareness is a formal process for training and educating employees about IT protection.” Because most of us these days are online, whether it’s for work, education, or personal purposes, security awareness is no longer limited to employees but applies to everyone.
What are some of the topics security awareness covers?
Topics may include, but are not limited to:
- Email usage
- Social engineering/Phishing
- Online Safety
- Proper password hygiene
- Common errors and how we can prevent them
- Mobile Device usage
- Social Networking
- AUP (Acceptable Use Policies)
Who does it involve or affect?
It involves all end-users, which may include:
Overall, it would be any target that a threat actor chooses to attack.
Where is security awareness needed/Where can it be found?
It is needed everywhere and anywhere we have Internet access. Nowadays, we’re seeing educational facilities launch online end-user awareness campaigns, especially with the rise of hybrid learning. Most commonly, businesses and large organizations implement security awareness as formal training. One small mistake can do little harm, or it can severely affect the business, whether through financial loss or business closure. Because budgets may be limited, small businesses that need training are often not able to implement it. This is now being recognized, and thankfully, online resources are available to small businesses to help them get started. Here’s an article by Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-training-can-protect-small-businesses/). For end-users in general, most well-known vendors and service providers offer free online security awareness training programs. Amazon offers a free cybersecurity awareness training course that anyone can take on their learning website: https://learnsecurity.amazon.com/.
When would security awareness training take place?
For organizations, it should ideally be an ongoing program. However, factors such as time, budget, and resources may keep it from being constant. Most businesses opt for monthly, bi-monthly, quarterly, or bi-annual employee training, depending on the factors previously mentioned. Others may do it annually, but that may be a stretch.
How can we prevent ourselves from being attacked?
The key to prevention is being aware. Creating awareness of what types of cyber attacks have been committed allows an individual or an entity to be prepared for what may occur. Then we can move on to taking action.
A few actionable topics to start with that can be included and taught during security awareness training are:
- Setting up MFA (multi-factor authentication)
- Importance of password managers
- Strong password requirements (i.e. include uppercase, lowercase, numbers, and symbols)
- Wi-Fi and VPN usage
- Tips on identifying phishing emails
- Keeping workstations and devices updated and patched
- Online privacy
Why is security awareness important?
Since the start of the pandemic in 2020, there has been a surge of employees working from home or in a hybrid arrangement. Many of the websites we visit nowadays also require our information, for example, e-commerce, email lists, social media, and more. Because of this, so much of our personally identifiable information (PII) is being made available online in some way. With more network and website traffic happening online, users are more vulnerable to encountering an attack and sometimes might not even know it. Many tools can be implemented to prevent attacks to a certain extent. Raising awareness of common cybersecurity threats and risks can help users protect themselves and their assets, reduce anxiety, become less vulnerable, and be more prepared.
As mentioned earlier in this post, the online space has no bounds. Remember that behind every technology is a human.
Security starts with you.
Resources to help you get started: