Cyber Month: Thursday Thoughts with Thijs: Awareness
Just because you don’t immediately think of it, or can’t physically see it, doesn’t mean it doesn’t exist – ‘out of sight, out of mind’ is a dangerous mentality to have when discussing cyber. Anyway, the reason I mention this, is this week I wanted to focus on awareness!
The actual dictionary definition of ‘awareness’ is:
“Knowledge that something exists or understanding of a situation or subject at the present time based on information or experience.”
But what exactly does awareness mean in cyber security? Let's think about it like this: awareness and cyber security go hand in hand, because you first need to know what is going on around you before you can protect yourself from it. Cyber security provisions in organisations should really be non-negotiable. We are constantly learning about the cyber landscape and (hopefully!) becoming more aware of cyber in general, so apply that awareness to your workplace too. Of course, the same logic applies to many subjects, but very few of them change as fast as information security, which means we need to be in a constant state of awareness just to keep up.
A common remark in cyber is that 'the weakest link in your information security strategy is the employee', a variation on the more general 'you're only as strong as your weakest link'. Admittedly, that phrase is occasionally true. But if a company falls victim to, for example, a ransomware attack, there is a high chance that a lot has already gone wrong in the run-up to the attack. In theory, a single click on a URL or the opening of a file should not be able to bring an entire company to a standstill; if it does, the controls that should have contained it were missing or not working. It can happen, but it shouldn't.
Within an organisation, awareness improvement activities shouldn't focus only on (new) end users, but also on the employees who set up and manage the infrastructure (both hardware and software). There are countless examples of weak passwords in use on important administrative environments, some of which have even made the national news. So, if things don't go as planned and a malicious email or file enters the organisation, the end user should not be seen as the weakest link, but rather as the last possible line of defence. Awareness, then, is just as much about properly educating the employees who are actively involved in information security and who are trying to improve it.
An organisation should therefore not treat awareness as a tick-box exercise, but as an integral part of its (information security) policy. It could be limited to mandatory parts of the onboarding process, but it really should run throughout the full period of employment. An organisation can arrange everything concerning awareness by itself, but that is a luxury smaller organisations can't always afford. In that case, consider using a Learning Management System (LMS) provider, where employees can work on their awareness in an (online) environment in their own time, with modules focusing on the specific issues that are relevant to your organisation.
So, to sum up my Thursday thoughts on awareness:
- Awareness does not apply only to the end users in an organisation;
- Ensure that the employees responsible for the infrastructure (hardware and software) continue to expand their knowledge and skills;
- If the organisation does not immediately have the resources to set up a full awareness programme itself, make smart use of third-party services;
- BUT! If you do so, don’t forget to carefully review the agreements made (you can read about this in last week’s blog).
Need help setting up or improving cybersecurity awareness in your organisation? Resillion is happy to help. Contact us for more information.
See you next Thursday!