If you follow cyber security news these days, you’ll find that there’s a lot to keep up on. Threats exist everywhere. Just in 2014 alone, we’ve heard about the Heartbleed vulnerability in OpenSSL, the proliferation of remote-access Trojans (RATs), and it’s starting to feel as though there is a major data breach at a prominent company somewhere in the world almost daily.
This has led to a sense of unease about how our money and information are handled by the organizations we’ve trusted to keep them safe. Some out there may feel powerless to do anything about it; paying for items with cash only and hiding your money under a mattress seem almost reasonable when you’ve had to change your credit card number three times in one year.
This brings us to the world of security practitioners and information security. These people are tasked with ensuring the confidentiality, integrity and availability of data, which we already know is no easy feat. Not only are people who work in this field responsible for the safety of data, but they’re verifying that the clients and applications that may access said data pass security muster as well. This means finding and closing loopholes in local applications, examining past and present network traffic for any anomalies, and having a deep understanding of existing software vulnerabilities and how threat actors may exploit them.
While a security practitioner may get excited about this kind of talk, this is where the non-technical among us tend to fade away from the conversation. Cross-site scripting vulnerability? Yawn. Goto fail? Yep, you’ve lost me. Unfortunately, our willingness to allow the conversation to shift into the uber-technical leaves the rest of us out, and often without the tools and education needed to protect ourselves, our data, and our company’s data. It’s not a coincidence that most data breaches are a result of human error.
However, the thing to keep in mind is that a malicious actor will not discriminate when it comes to raking in all that they can. You may have seen a few headlines recently stating that there is a shortage of security professionals, and the ones that are already in the field know what they’re up against. How do the rest of us, the non-security practitioners, help out, and keep ourselves and our data safe at the same time?
The first thing to keep in mind is that security is about awareness and context. Awareness is making sure that you’re entering your banking details on the correct site, and ensuring that site is using HTTPS. Context is asking yourself “is it a good idea for me to click the odd-looking video link in this Facebook post?”
We can use these ideas of awareness and context to protect our own data, as well as the data of the company for which we work. In the same way we don’t hand our kids over to the first creepy old man wearing a t-shirt that says “baby-sitter” on it, we shouldn’t be handing our data or the “keys to our kingdom” over to the bad actors. Here are a few things the non-technical folks can do to help our security practitioner brethren:
- Step up your password game: It is 2014. There is no reason for passwords to be scrawled on post-it notes anymore. There are a number of reputable password managers out there, 1Password and LastPass being two of them, and if you have an account with a service that supports two-factor authentication, turn it on! Gmail has it, as do Facebook and Dropbox, and so does OpenDNS for that matter.
- Password-lock your screen: This way, nobody walking by your computer while it’s unattended can see any information you don’t want them to see. This will also deter your co-workers/housemates/anybody in close proximity from getting on your computer and changing the desktop wallpaper to an image from My Little Pony.
- Greet people you don’t know: Are you in an office and see somebody walking around you don’t recognize? Ask them if they need help! If your office is anything like OpenDNS HQ, then that person is likely a new employee, and if this is the case, you’ve just met a new co-worker and made them feel welcome. Good on you! If this isn’t the case though, politely direct that person to your front desk or reception area; don’t allow them to walk around your office space willy-nilly.
- Know your role: Why is this important? Spear-phishing is a method of gaining access to a company by sending a targeted email to an employee and imploring them to give up sensitive information. In my case, I work in our Customer Success department; therefore, I shouldn’t receive any emails asking me to click a link to review company financials, for example. If I do receive such an email, you’d better believe I’m giving it the side-eye and passing it along to one of our in-house security practitioners for review.
- Be more discerning: Don’t be afraid to ask questions of people making requests! Our natural inclination, especially in the workplace, is to be as helpful as possible. In some cases, this results in us giving up too much information. Therefore, if you receive a phone call from somebody wanting sensitive information, don’t be afraid to double-check the caller’s name and role and why they need the information they’re asking for. If you’re dealing with maintenance or a repair person, find out what they need access to, and if their visit was previously scheduled. Otherwise, if the situation seems fishy, there’s a good chance it is.
- Check your assumptions: Don’t assume you or your company won’t be targeted. In this day and age, there is no such thing as being too big or too small to be breached, and while many threat actors have specific reasons for launching attacks on various organizations (espionage, cyber politics, hacktivism, etc.), there are some bad actors that will try to take your company’s website down because it’s Tuesday. Don’t make it easy for them.
With that in mind, even if you aren’t a security engineer working on the so-called glamorous technical work (or dirty work, depending on how you look at it), there’s room for all of us in this conversation about security awareness, simply because there is too much at stake. As a consumer, do you want to read about yet another data breach at some large organization with whom you’ve done business? As an employee, do you really want to read about your company’s latest breach and be worried about fielding questions from your customers? I didn’t think so.
If you’re a security practitioner reading this, we know your job isn’t easy. You have to have eyes on all systems and applications at all times, you have to filter through terabytes of data to find that needle in the digital haystack, and you have the sobering knowledge that there are very real consequences associated with things that go bump in the cyber night. We’re asking that you help us help you. Let the non-technical people know how we can participate in this conversation, and what we can do to make your daunting job less daunting. You can even make it fun for us! Gamification is an option, as is buddying up with your local marketing department to launch an internal campaign on the importance of cyber security awareness.
If you’re a non-technical person reading this, ask lots of questions of your technical brethren and really understand what’s at stake. Is it your company’s reputation? If you’re a business owner, is it your own reputation? How does a data breach affect your bottom line? As a consumer, will you need to go out and replace your credit card again for the fourth time this year? As an employee, will a breach at your company result in decreased revenue, and therefore less room for overall growth?
In the end, we’re all security practitioners in some way. At the very least, we all need to think like one because we all want the same thing: for our information to be safe and out of the hands of malicious actors.
From an organizational standpoint, the health of any business today is going to depend in part upon their security posture and the trust that their customers have in them. This is why creating a culture of security awareness among all parties is so imperative. Nobody wants to be caught with their pants down, especially not in a situation where customers’ trust is broken. Since none of us want that, let’s help each other cultivate that culture by asking questions, being patient with one another and understanding that we’re all in this together.