This was the title of my last post on the SecurityVibes website and relates to the July 4th cyber attacks on the US government that allegedly brought down several US government departments for days. There were several lessons to be learned from this attack but the one I want to focus on is the one that most organisations either don’t do or pay lip service to.
It isn’t technologically sexy, it doesn’t need to be costly, it vastly reduces the attack vector for botnets but if done badly can result in it being a total waste of everyone’s time. What is it?
On-going user security awareness education.
You see I’ve lost you now. Just because I didn’t talk about how easy it is to subvert SSL or the latest incarnation of Koobface or how the current Microsoft Directshow vulnerability is leading to more systems being compromised. Security Awareness Training is not sexy but it is vital and if it is not done correctly ends up being boring to the users and soon forgotten as a memory of something that wasted their work time.
However it is so absolutely crucial that organisations begin to understand its importance for their security posture that ENISA (the European Network and Information Security Agency) made it a top priority to get this message across to their member states in protecting Europe from Cyberwarfare, offering them free awareness videos and posters if that’s what it will take to help organisations put together a security awareness programme. At their conference in London, they brought in senior executives from international organisations to talk about what worked for them which resulted in a plethora of articles on top tips for organisations to implement a workable programme.
If you want to see what is possible in communicating simple messages to users then just think about how many times we tell users not to share or give away their passwords…yet they still do. Now have a look at how Barclays Bank have done it in this one and half minute video.
Because this aspect is so crucial to reducing the internal threat, cybercrime, the impact of employee related theft from the recession and system infections, I’ve listed some references below to free articles we’ve recently produced on this subject. Please do think about your security awareness posture. It is vital to yours and everyone else’s organisational and national security.
SecurityVibes Article: Security Awareness Initiatives: Top Lessons Learned from CISOs 1
SecurityVibes Podcast: James Gay, CISO for Travelex on User Education
SecurityVibes Article: Going for a coffee? Lock Your Desktop First