Cyber security awareness month winds up today, but before it ends we’ve got more advice from Symantec to pass on to infosec pros that hopefully will be useful in their work.
It comes from Jamie Manuel, information protection manager at Symantec, who reminds CISOs that employee awareness training is always worth it.
“A lot of companies focus on external threats, which are important,” he said in an interview, “but in terms of educating employees they’re really the front line and their actions can greatly increase your odds” of being more secure.
So it’s important to make sure everyone on staff understands the organization’s security posture and how doing, or not doing, certain things can put the firm at risk.
The trick, of course, is getting the message through.
As we’ve written this month through our interviews and coverage from the SecTor cyber security conference, many experienced people in the industry say repeatedly that security awareness training has to be done more than once a year. Many think it should be done monthly.
This can be as simple as a monthly rotation of posters or a regular email blast. But Manuel insists the message has to be drummed in, and it has to carry two themes, he adds: cyber security matters not only to the company but to you personally, in activities such as online banking.
One way to reinforce the message is to give a reward to those who take and/or score high on awareness tests, where the reward is something functional such as a year’s subscription to anti-virus software, Manuel said.
Still, there’s a lot that isn’t getting through. Manuel said he was “shocked” at a survey showing 69 per cent of Canadians think free publicly-available Wi-Fi is safe.
“As Canadians we don’t seem to understand [cyber security awareness] as well as other countries,” he said.
“It’s like you’re always told to stay healthy and eat right, but until you have a bit of a scare that can affect your bottom line it comes out of the fog and see things with clarity… but you want people to think about this all the time.”
Also this month Norrie Johnston Recruitment (NJR), a British-based global executive search firm, released some interesting statistics on poor security practices by employees.
Twenty-three per cent of staff use the same password for different work applications, the company said, 17 per cent write down their passwords, 16 per cent work while connected to public Wi-Fi networks and 15 per cent access social media sites on their work PCs.
CISOs need to emphasize these points to staff, NJR says:
1. Beware of open wireless access points for sensitive online work including accessing corporate resources and sensitive personal sites involving finances and social media;
2. Before downloading mobile apps read the fine print. Why would a parking app need to access your photos, contacts, text messages?
3. Practice safe passwords AND password recovery: Not only should you have unique passwords for every site – and use a password manager to keep them under control – your password recovery answer should have nothing to do with your life or anything anybody could possibly know about you – particularly your mother’s maiden name.
4. Use common sense: Banks rarely communicate important account information via email, so if you receive an email from your bank that does, either log on directly to your application (without clicking through from the email) or call them by phone to verify. Getting into the habit of never clicking on links within an email or opening unsolicited files will save you a lot of hassle.