INTELLIGENT ENTERPRISE SECURITY
Why organisational policy and security training go hand-in-hand
Security awareness should be viewed as a key enabler and not just policy and rules restricting the business, explains Morey Haber at BeyondTrust.
Morey Haber is Vice President of Technology at BeyondTrust.
One of my favourite spam emails is the one from cybersecurity companies soliciting security awareness training for your employees. Think about it. You are receiving spam email, potentially a phishing attack, from a company offering services on how not to fall for a fraudulent email scam!
Security awareness is much more than training, knowledge and attentiveness. It needs to be part of the culture in your business, a part of your everyday lives, and is much more than identifying the latest phishing email. Security awareness is not a paranoia, but can be looked at in the extreme if misunderstood. This was certainly the case when Yahoo labelled its security professionals the Paranoids.
Security awareness does require education, but it also requires intelligence: knowing when to respond and when to correctly ignore a situation. If every event, alarm and situation becomes a problem, security awareness is no different than extreme paranoia.
This can take on many forms, from cybersecurity to physical access. It can be overly dramatised by requiring all visitors to register their laptops upon security check-in to a building but then denying them even guest access to the Internet or corporate network in any form.
Security awareness needs a causal relationship of action, threat and outcome, not just a blanket statement of denial, or a "do not do". This is how we take basic education and training past guidelines to intelligence and attentiveness: knowing why it is a problem versus just following the mandate. Therefore, when we consider security awareness education, we need to consider the following factors in our corporate training:
All businesses have crown jewels, whether it is sensitive data, physical assets, personally identifiable information, classified government material or just private information in general. Team members should be trained on what this information looks
According to a 2016 PwC report, only 37% of businesses surveyed have a comprehensive security and training awareness programme, against a global average of 53%.
Issue 12
INTELLIGENT TECH CHANNELS