Security awareness is taught, not bought
Whenever there’s a security incident, two things happen:
- security vendors scream, ‘it happened because they weren’t using our product, so clearly you should or it will happen to you’
- governments scream, ‘we need to enact the Cybersecurity Act/CISPA/Communications Bill/delete-as-applicable/and substitute-at-will in order to protect you, you-know-it-makes-sense’
Both have an axe to grind, and grind it they will. The only group that doesn’t have an axe is the poor bloody CISO working away at the coalface; underfunded, overworked and making do – and it’s a welcome relief to hear what CISOs are actually doing.
Wisegate recently published a paper based on discussions among CISOs. It followed an earlier analysis that showed a major, if not the major, threat that concerns them is their own staff’s awareness – or lack of awareness – of cyber security issues. This actually makes a lot of sense. Trend Micro’s study towards the end of 2012 showed that more than 90% of successful APT attacks start with spear-phishing. Spear-phishing is harmless until the target clicks on a link or opens an attachment – so if you can teach staff how to avoid being phished, you immediately avoid possibly the most serious threat of today.
The only way you can do that is by increasing user awareness – and Wisegate’s paper, CISOs Share Innovative & Practical Ways to Improve Security Awareness, tells us how CISOs are actually tackling the problem. It’s worth reading, so I won’t give everything away here – except perhaps to point out that one of the biggest problems is silo security; the users’ view of an unapproachable arbiter of what the user can and cannot do… That needs to go. And the Wisegate report gives useful pointers on how to do it.
You can download the report from here.