Developing a Cyber-Aware Culture

Let's start with a hard truth.


Cybersecurity is no longer just the responsibility of the IT department.


I didn't just say that, did I? I sure did, and I can prove it, but first, let's discuss it.


Protecting sensitive information is a team endeavor that calls for everyone in the organization (and business partners/associates) to be proactive.


Creating a cyber-aware culture is essential for data protection as well as for staying in compliance with multiple laws, including PCI DSS, ISO 27001, HIPAA, and others. We'll examine the significance of developing a cyber-aware culture as well as the functions and duties associated with Governance, Risk, and Compliance (GRC).

Image distributed by RiskOptics

Let's start with the easiest concepts.

What is GRC?


GRC is an acronym for Governance, Risk, and Compliance.


When we talk about cyber-awareness, we're talking about all three. However, governance stands out the most here. You can think of "governance" as the overarching force that guides an organization in a given direction.


That direction may be towards data protection, as with GDPR (the General Data Protection Regulation); another example is SOX (Sarbanes-Oxley). Each has a very distinct goal and involves its own unique processes.


The reason why I'm mentioning GRC for this post is to bring attention to the fact that user awareness and training are the epitome of governance in full effect.


From assuming the role of stewards when handling sensitive data, all the way to paying attention to security in our daily processes, all of this is the result of cyber-hygiene.

Woah. That was deep. Do you do technical writing?

I appreciate that, but let's stay on topic.

The point is that training users to be aware of threats and risks is the most important aspect of GRC. Without awareness, we cannot identify risks. And if we cannot identify risks, we're unable to evaluate or mitigate them.


It shouldn't be a surprise though, as this isn't a foreign concept.

Think about yourself and your day-to-day.


  • Did you lock your door before you left the house today?
  • Didn't you set up your phone to have a code or some biometric to unlock it?
  • Have you ever had a moment where you remembered that you left the oven on as you pulled out of the driveway?

Alright, you proved your point. But how do we do it?

It starts with support from senior management. Governance flows from the top down, so we need to develop a security awareness program throughout each relevant department.


The way I would approach it is to identify how these audiences interact with sensitive information.


What is their process?

How is the data handled and managed?


From there, we can address the risks that could be realized, and use that information to develop a presentation (or series of presentations) covering the risks associated with the relevant personnel's roles, e.g., properly cross-shredding confidential information once its retention period under the existing data retention policy ends.


But a simple presentation isn't enough; we need measurable results.

How effective is our security awareness program?


What you can do, for example, is present a test/quiz on the relevant topics covered in the training. After a week or so, I would set up a social engineering exercise. If the topic were, for example, e-mail security, we could send out demo phishing emails to measure who opened the email, clicked, registered, and even entered information into a form. Then follow up with those users for training reinforcement. Of course, this only works as long as senior management is on board.

Security Awareness Maturity Model developed by the SANS Institute

This is how we become more mature.


We may be working remotely, but is someone on-site to test for tailgating and physical security? Physical security is addressed throughout Requirement 9 of the PCI DSS.

In fact, every PCI DSS requirement includes a matrix of roles and responsibilities for the users performing those duties, along with supporting policies and procedures.

Awareness is also required by Clause 7.3 of ISO 27001.


Because user error is the leading cause of security incidents, user awareness and training are the strongest measures we can take to secure our physical and information assets. I would even say stronger than rigid access control, though all of it works together for a greater purpose.


As a parting gift, here are some resources to help with developing a cyber-awareness program.

Hopefully, this has been helpful for you. If not, we'll try again next time.


If you would like more information or tools to help advance your cybersecurity efforts, let's connect on LinkedIn or leave a message on the Contact Page.

"Education is the most powerful weapon which you can use to change the world." - Nelson Mandela

ABOUT

This website is published to share cybersecurity-related information, resources, and posts written and curated by Christopher Monroe.