What is it?
A state of understanding current security issues.
Why is it important?
Security awareness is important because employee mistakes are the number one cause of data breaches. Therefore, it is important to educate staff on security risks to help prevent cybersecurity incidents.
Why does a business professional need to know this?
Every business today needs to combat cybersecurity risks and, as such, must educate their employees and customers about the risks associated with their business.
Employees are primary targets for cybercriminals, and they need to understand how their actions can expose the business to a loss. Whether it is the risk of financial loss, loss of data, loss of privacy, or loss of confidential customer information, security awareness helps employees understand how to protect data.
Because employees are the first line of defense, they need to have a basic understanding of security risks. If employees have a baseline understanding of security issues, the business can be more agile combatting threats.
You can raise employee security awareness through effective training, but your efforts should not stop at training. Security awareness training is just one component of an overall security awareness program. Other components in such a program include newsletters, blogs, posters, teachable moments, computer-based training, security portals, and more.
Together, all of these elements can be the ingredients for a successful security awareness program. Although security specialists can create and deliver some aspects of a security awareness program, all business professionals are responsible for maintaining an awareness of potential vulnerabilities and the steps they can take to mitigate risk.
In addition to being a best practice, security awareness training is required to be in compliance with industry and governmental standards, including the Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, and the Health Insurance Portability and Accountability Act (HIPAA)(HIPAA) in the US.
References
- (Knowbe) Knowbe4: Library of best practices, white papers, and free tools to help those attempting to develop cybersecurity awareness training programs.
- (Sans 2017) SANS 2017 Security Awareness Report: SANS Institute (2017). PDF. Registration required.
- (Amoroso) NIST Framework Overview: Amoroso, Edward G. New York University Tandon School of Engineering. Video. An introduction to the NIST framework and to many practical aspects of modern cybersecurity including awareness, compliance, assessments, and risk management. Registration required for the full course on Coursera.
- (Mediapro 2016) NIST Cybersecurity Framework Improves Security Awareness: Mediapro (2016). PDF. Registration required.
About Justin Orcutt
Justin Orcutt has worked with Fortune 500 companies to address information security and compliance concerns. Justin has supported incident response projects that investigated large-scale breaches. An active member of several organizations, including the Technology Association of Georgia, ISACA, and the Information Systems Security Association (ISSA), Justin is on the Gwinnett Tech Cybersecurity Program Advisory Board.
Term: Security Awareness
Email: jorcutt2017@gmail.com
Twitter: @jtech2014
LinkedIn: linkedin.com/in/justinorcutt