INTELLIGENT ENTERPRISE SECURITY
like, how to handle sensitive information and what could happen to them, and the business, if the information is stolen, physically or electronically.

Security awareness also has a legal component. All employees, contractors and applicable third parties handling sensitive information should be trained and, when appropriate, sign a nondisclosure agreement.

Labelling and handling of sensitive information is key. This could include labelling emails as confidential, appropriate levels of encryption for storage and transmission, and even the destruction of material, from shredders to wiping disks securely.

Concepts of authorisation and authentication are key to security awareness. This includes everything from biometrics to passwords and multi-factor authentication. Context-aware access, from geolocation to concurrent login information, is a major part of this and ensures proper methods for protecting access to sensitive information and applications as appropriate.

"Security awareness is much more than training, knowledge and attentiveness; it needs to be part of the culture in your business. There is the risk for individuals to deliberately or accidentally steal, damage or misuse information or assets prized by an organisation."

Traditional security awareness training covers threats, modern attack vectors, malware, phishing and social engineering. This is more than just "do not click on a link". It needs to cover why you should not click on a link, to raise the bar of attentiveness and ultimately intelligence.
Physical access is just as much a part of security awareness training as cyber. This includes building access, door access, security badges and reporting of incidents. If a stranger is present, how would you notify the appropriate people? This also includes possessions that should never be permitted in the workplace, even personal computers.

Team members should be aware of the consequences in the event of a violation. This could be personnel discipline, but it should also establish ground rules for what can happen to their employment or company if a violation occurs. If people understand the risk, and why, they are more likely to show attentiveness to the problem than if it is just policy.

In the end, security awareness means you comprehend that there is the risk for individuals to deliberately or accidentally steal, damage, or misuse the information or assets prized by an organisation. Raising awareness can come in many forms, from education to cultural changes, but, in the end, it must be a part of daily business in order to be effective.
Simply stating "we have done our annual security awareness training" is not enough but, unfortunately, this seems to be the case in several businesses in the Middle East. According to a 2016 PwC report, only 37% of businesses surveyed have a comprehensive security and training awareness programme, against a global average of 53%. Furthermore, only 32% of Middle East organisations require their employees to complete training on privacy policies and practices, compared with 55% globally.

"Security awareness needs a causal relationship of action, threat and outcome, not just a blanket statement of denial, or a 'do not do'."

Any good executive understands the importance of measuring the business. I would encourage all teams to measure the effectiveness of security awareness training, policies and procedures via penetration tests and role playing. This could even include basics like online situational tests that all users are required to take to confirm basic knowledge transfer. Therefore, security awareness should be viewed as a key enabler, not just a policy and rules restricting the business. If anything, it could end up saving your business.