Security Awareness for Managers: Protecting Yourself and Your Company

We’re delighted to be featuring the well-respected security body ‘InfoSec Institute’ as guest bloggers for ‘Don’t Get Blogged Down by Technology’. In our blogs at TSG we often talk about the ‘people’ aspect of IT security and how they are your first and last line of defense.

Here Jennifer Marsh from Infosec Institute explains the ways in which your people can be targeted by cyber criminals, how and why you can raise awareness within your organization, and offers some practical advice on how to empower your people to identify malicious attacks.

Numerous zero-day incidents are introduced into the web ecosystem each day. For this reason, security awareness training (SAT) is a top priority for organizations that rely heavily on technology. Security training educates personnel, from staff to executives, on the ways hackers steal data. It helps managers identify risk, control issues, understand attack vectors, and learn to mitigate damage before it becomes financially draining to the organization. Ultimately, security awareness training reduces risk across the business and helps managers deal with issues quickly.

Why is a Security Awareness Campaign Necessary?

As new attacks are created each year, security awareness helps reduce the number of successful attacks against an organization. For instance, social engineering is one method that continues to threaten corporate assets. Social engineering is when a hacker tricks a user into handing over their user names and passwords, then uses that information maliciously. For additional information on social engineering, see the linked article. With the right security awareness program, users are educated on how to spot these threats immediately and avoid giving sensitive data to hackers.

Security campaigns empower users to report incidents as they occur. With the right education, users identify suspicious behavior and report the incident to the right manager. These actions give security professionals the ability to mitigate the risk more quickly before it spreads to more users. For instance, hackers target employees using phishing emails. A phishing email is a fraudulent email that is used to trick users into entering their personal information into what they think is a known and trusted website. An educated user is more likely to identify the phishing attempt and report it to the security manager. Managers can then warn users and block the source before more emails are sent to internal personnel.

These security campaigns don’t just educate users internally. They also help protect assets while users travel. Most traveling employees use corporate assets that contain sensitive data on their hard disks, so stolen laptops, smartphones or tablets are a concern for organizations. The right security awareness helps users understand the importance of securing these assets against theft. It also helps them understand threats related to Wi-Fi and public networks.

The organization can’t just train employees once. These programs are an ongoing effort that keeps employees up to date on the latest technology and information. Security policies should be an integral part of staff day-to-day tasks, whether it’s sharing a file or emailing customer information to a third party. Training should be repeated at least annually so that users are educated often.

Organizations can add as-needed events to train employees throughout the year, but training should continue on a regular basis to keep pace with new threats.

Why Security Awareness is Important for Managers

Security awareness shouldn’t be limited to just staff. Managers, executives and even owners should be a part of the campaign. As a matter of fact, an executive’s credentials are far more valuable to a hacker because of the level of access they carry. Managers can also be promoters for security and the protection of assets.

Since managers know their teams, they are well placed to help organize the program. Managers can identify weaknesses in employees’ security education and address them with additional training. They can also organize groups and schedule the right training among teams.

Some managers are as unaware of security and cyber threats as staff, so they can benefit just as much from training. Security policies are only as secure as the weakest link, so managers should be advocates as well as students in the program. Managers also act as data owners, so they can help drive development of controls for proper access and permissions.

Part of security training is to educate managers on technology and cyber threats. This facilitates the overall protection of assets, as managers can help train their staff on best practices. They can educate employees on general security policies and answer questions when an employee needs clarification.

Manager training therefore has a positive impact on the organization’s overall security.

How to Train Managers

Executives and managers usually don’t have the open schedule to sit in hour-long training sessions. For this reason, IT prepares a specialized training schedule for upper management. Some organizations ask managers to attend with employees to show commitment to the program, but it’s not always necessary. Security training for managers is usually cut down to short, straight-to-the-point sessions that don’t take too much time.

Highlights include an overview of corporate security policy, current threats and risks, managing these risks, and assisting employees with training. Some topics, such as traveling and internal threats, are relevant mainly to managers.

Managers are valuable targets for hackers, so they are singled out for spear phishing and advanced persistent threats. A specialized training session for managers includes educating them on how to identify these threats.

Other discussions revolve around past incidents and the methods used to mitigate them. IT first validates a threat, mitigates it, and provides reports for senior managers to review. The lessons learned from previous exercises are usually a part of these reports. These lessons help educate managers on what they can do to stop threats before they have high financial impact.

Some organizations offer group sessions and training to make security awareness more interactive. This is especially useful when educating users on social engineering attacks.

Conclusions

Many cyber attacks can be avoided if employees are educated on the warning signs of an incident and how to respond. Employee negligence is the leading cause of security breaches, and security awareness is an affordable way to avoid costly mistakes. Security awareness has a massive positive impact on the overall protection of important assets.

Businesses continue to rely heavily on technology, so these threats only continue to increase. Campaigns prepare managers for incidents and give them the tools needed to handle security issues before they become financially damaging. They also help managers respond to threats quickly and report any suspicious behavior.

Your managers can be advocates of security and IT management. With the right training, managers can help facilitate a safer working environment.