
Lecture

LESSON 1: INTRODUCTION
TO SECURITY AWARENESS

SEC 101 – SECURITY AWARENESS


LESSON OBJECTIVES

1. To understand the importance of security awareness.
2. To understand security awareness practices.
3. To know the vital role of security awareness in every organization.



SECURITY AWARENESS
It is the knowledge and attitude members of an organization possess regarding the
protection of the physical, and especially informational, assets of that organization.

We live in a digital world, where an increasing amount of our day-to-day activities
have migrated online. We work, communicate, conduct commerce, and interact online, and our
reliance on cyber security has increased accordingly.
Cyber-criminals can wreak havoc on our lives and businesses with little effort, and our
growing use of the internet and mobile devices gives them even more opportunities to exploit our
vulnerabilities. In the commercial sector alone, a successful cyber-attack can bring a company to
its knees, causing damage that, in some cases, cannot be recovered.
The average annual cost of cyber-crime per organization was $11.7 million in 2017 and $13 million in
2018, a rise of 12 percent, and an increase of 72 percent over the past five years, according to
Accenture's Ninth Annual Cost of Cybercrime Study.

Fortunately, there are processes an organization can initiate to help mitigate the effects
of cyber-crime, beginning with the essential first step of raising cyber security awareness.



WHAT IS SECURITY AWARENESS?

Human beings are still the weakest link in any organization's digital security system. People
make mistakes, forget things, or fall for fraudulent practices. That's where cyber security
awareness comes in. It is the process of educating employees on the different cyber
security risks and threats out there, as well as potential weak spots. Employees must learn the
best practices and procedures for keeping networks and data secure and the consequences of not
doing so. These consequences may include losing one's job, criminal penalties, or even
irreparable harm to the company.

By making employees aware of the scope of the threats and what’s at stake if security
fails, cyber security specialists can shore up this potential vulnerability.



WHAT ARE THE BENEFITS OF CYBER
SECURITY AWARENESS TRAINING?
First and foremost, a staff well-trained in cyber security poses less of a risk to the
overall security of an organization’s digital network.
Fewer risks mean fewer financial losses due to cyber-crime. Therefore, a company that
allocates funds for cyber security awareness training for employees should experience a return on
that investment. Furthermore, if all employees get training in cyber security practices, there will
be less likelihood of lapses in protection should someone leave the company. In other words,
you’ll reduce the chances that a security breach occurs because a critical employee wasn’t at
work that day.
Finally, a company with security-aware personnel will have a better reputation with
consumers, since most are reluctant to do business with an untrustworthy organization. A
business that is repeatedly subject to security breaches will lose customers as a result of negative
publicity, regardless of the actual impact of any particular breach.

To create this enhanced level of security, people need to be informed of best practices.



WHAT ARE SECURITY AWARENESS BEST
PRACTICES?
If you read enough business-oriented articles, you’ll eventually come across the phrase
“best practices.” It’s a nice bit of jargon, but what exactly does it mean? In generic terms, “best
practices” is defined as procedures shown by experience and research to produce optimal results.
These procedures get accepted as a standard for widespread adoption.

Much of cyber security can be broken down into seven main topics:
• Data breaches
• Secure passwords
• Malware
• Privacy
• Safe computing
• Mobile protection
• Online scams



The most commonly referenced security awareness best practices include:

• Getting into compliance - Different cities, states, and nations have different rules and regulations to
follow. Everyone must become aware of these rules because ignorance of the law is not an adequate
defense.
• Including everyone, even managers - It's all or nothing. Anyone not participating in the new security
measures constitutes a possible weak link. If everyone isn't fully engaged, it's all for nothing. This
particular practice also assumes that all departments (e.g., HR, Legal, Security) must buy in and help
make it a reality.



• Establishing the basics, which include:
• ANTI-PHISHING TACTICS - Employees need to be suspicious of emails from
unrecognizable sources. Phishing emails try to get the recipient to open a malicious
attachment, follow a link to a credential-harvesting page, or act on a forged request,
and a single success can give an attacker a foothold inside the network. Employees must
be educated on things like suspicious links, attachments, and untrustworthy sources.
• PASSWORD SECURITY - There's no excuse for having the word "password" as
your password. Passwords should be at least eight characters long, with both upper and
lower case letters, numbers, and a minimum of one special character. Note that current
guidance (NIST SP 800-63B) favors length and screening against lists of known-breached
passwords over composition rules alone, since a short password that satisfies every rule
(for example "Password1!") is still among the first an attacker will try. Avoid mistakes
such as writing the password on a post-it note and attaching it to your computer.
• PHYSICAL SECURITY - This includes everything from physical access to your
company's IT department to keeping your company-issued mobile devices and
laptops locked and within sight at all times.
• SOCIAL ENGINEERING - It's crucial to raise everyone's awareness of hazards,
such as attempts at manipulating employees into granting system access or divulging
confidential company information.
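As an added illustration (not part of the lecture material), the following Python contrasts the composition rule stated above with a length-plus-breach-screening check. The breached-password set, the minimum length of 12, and the candidate passwords are all constructed for this example; the SHA-1 prefix/suffix split shows how a real screen against a service such as Have I Been Pwned would avoid sending the password or its full hash off the machine.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus (a real deployment would
# screen against a large one, e.g. the Have I Been Pwned "Pwned Passwords" set).
# Stored as upper-case hex SHA-1 rather than plaintext, as such corpora are.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1!", "Welcome1!", "Summer2019!", "Qwerty123$")
}


def meets_composition_rule(password: str) -> bool:
    """The rule as stated in the lecture: at least eight characters, with
    upper- and lower-case letters, a digit and at least one special character."""
    checks = [
        len(password) >= 8,
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return all(checks)


def sha1_range_split(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix and 35-character suffix used by k-anonymity range lookups: only the
    prefix would ever be sent to a lookup service; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(password: str) -> bool:
    """Local screening against the constructed corpus above."""
    prefix, suffix = sha1_range_split(password)
    return (prefix + suffix) in BREACHED_SHA1


def evaluate(password: str, min_len: int = 12) -> dict:
    """Length-plus-screening policy in the spirit of NIST SP 800-63B.
    min_len=12 is this example's own choice (assumption); the standard's floor is 8.
    The composition-rule result is reported alongside for comparison only."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_breached(password):
        reasons.append("appears in breached-password list")
    return {
        "composition_rule": meets_composition_rule(password),
        "accepted": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed candidates: one that satisfies the composition rule but is
    # breached, one passphrase that fails the rule but is long and unbreached,
    # and one that passes both.
    for candidate in ("Password1!", "orange-tractor-lamp-quietly", "Blue!Kayak#Meadow47"):
        print(candidate, evaluate(candidate))
```

Running the block shows the point of the caveat: "Password1!" satisfies every composition check yet is rejected because it is on the breached list, while the long passphrase fails the composition rule and is still accepted.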



• Clearly communicating your security awareness program - This practice is especially
important for middle and upper management. The higher-ups need to be kept in the
loop, apprised of the current progress, and, where necessary, told which individuals or
departments aren't compliant.
• Making the training engaging and even entertaining - Company meetings and seminars
are often dull affairs that everyone does their best to avoid. Keep people engaged by
showing a humorous (yet topical) video or sharing odd and quirky security-related
anecdotes. Just don't overdo it.
• Reinforcing important messages with reviews and repetition - People often make the
mistake of thinking that if they do something once, they don't have to do it again.
Cyber security is an ongoing effort and should include periodic tests and checks, such as
simulated phishing campaigns, scheduled at regular intervals throughout the year.
• Creating an environment of reinforcement and motivation - Promote constant vigilance
and learning by creating a security culture that runs through every organizational level,
down the entire chain of command. While it's not necessary to continually harp on the
subject with employees and end-users, cyber security should be a very relevant,
everyday topic.