
Creating A Cyber Secure Organization

Pawan Chawla, CIO, Future Generali

An Information Security & Technology Professional with 18+ years of experience in Cyber Security, Pawan is ensuring optimal utilization of resources

As technology becomes more important in our lives, no data is safe. Cybersecurity awareness training is an essential platform for sharing knowledge that organizations can't afford to overlook.

Organization data is at risk, and employees may be the hostages in the next attack from a highly skilled hacktivist or criminal. For several years now, most digital attacks that exploit the human factor have been phishing attempts and related efforts.

Malicious hackers and attackers seek to trick users into granting them access to a digital resource long before they try to hack their way in. Simply put: people are the weakest link in any organization's cyber security defenses. That is why employees are usually the first targets of cyber-attackers, who use tactics and tools such as ransomware, spear phishing, malware, and social engineering.

Understanding the importance of Information Security Awareness in an Organization

The organization relies on employees as its primary resource for conducting business and interacting with customers. Of course, simple, repetitive tasks can be automated. But people will always be behind every automated task and on the other end of every phone call, email and chat session. People are the "human factor" in the crosshairs of cyber attackers, and the only defense against attacks that target people is education.

It is important to note that cybersecurity training must be repetitive, updated and constantly tested. Because of the rapidly changing threat environment and the long list of vulnerabilities, security awareness training cannot be a one-shot approach or a "set it and forget it" program.

Let us understand the relevance of Information Security Awareness Training
Information Security Awareness training must start with the organization acknowledging that its employees are the weakest cybersecurity link.

At the same time, employees are the first line of defense against cyber-attack.

Information security awareness shall cover the areas of exploitation; a few of them are listed below.
1. Spam - Spam is bulk, unsolicited messaging and the main delivery method for attacks; it is not limited to direct email and also arrives over SMS, messaging apps and social media.

2. Social Engineering - Social engineering uses a variety of tools and resources to gain access to targeted resources; it occurs when one person fools another into giving up access to a resource.

3. Phishing - Phishing intends to lead the uneducated user to click on dangerous links or open malicious attachments, in order to harvest employees' usernames, passwords, personally identifiable information and even financial information.

4. Vishing - Voice phishing (vishing) is conducted over voicemail, VoIP (Voice over IP), or landline or cellular telephone.

5. Spear phishing - Spear phishing targets high-profile individuals or people with access to valuable digital assets, using messages tailored to the victim.

6. Advanced Malware - Advanced malware is a targeted attack typically aimed at an enterprise, often custom-built so that signature-based defenses do not recognize it.

7. Ransomware - Ransomware encrypts an organization's data and demands payment for its release; modern variants also steal credentials from memory and attempt to propagate through the network using the stolen credentials or exploits.

Best practices to follow for an Information Security Awareness Program
There are seven practices to follow before developing an organization's security awareness education program:

1. The security program shall comply with all local regulators and laws
2. Get everyone on board: ALL MEANS ALL, the entire organization. All or nothing
3. Create a clear communication plan
4. Make training intriguing and entertaining
5. Incorporate a baseline assessment, so that later results can be compared against a measured starting point
6. Enforce, review and repeat
7. Create a culture of reinforcement and motivation for constant vigilance and learning

Define the Goal and Objective of Information Security Awareness Training
The reason behind developing an organization's information security awareness program is understood in the simplest term: SECURITY.

For any organization that holds or accesses sensitive data, the security of that data is the ladder to the organization's success and to future business and growth.

And because employees are the most common target for hackers, it is essential for employees to have the proper training to recognize the threats and act to protect the organization.

Where and how to start an Information Security Awareness Program?

Following are the steps I recommend for an organization to start an Information Security Awareness Program:

1. Identify the organization's information security requirements as they apply to employees.

2. Determine the mode of delivery, e.g. in-person, video, online, hands-on, etc.

3. Appropriate content is key to the success of the program. Content can range from posters and email phishing tests to onsite presentations and testing.

4. Setting expectations with employees plays an important role. Expectations shall clearly define requirements and expected results.

5. Since every employee has different priorities, multiple training sessions should be organized or planned.

6. Deliver training according to the expectations set beforehand.

7. Capture feedback from as many employees as possible.

8. Conduct post-training assessments to determine the effectiveness of the training.

9. Re-evaluate the training and training medium for effectiveness and adapt accordingly.

10. Correlate the implementation of training with security incidents to determine its practical impact.

It is important for employees to have a positive experience; otherwise the training will be seen as a compliance burden rather than a vital means of protecting the organization.
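Steps 8 to 10 above, together with the baseline assessment in the best-practice list, only work if the program is measured rather than just delivered. As an added example (not from the original article, and not Future Generali's own tooling), the Python script below scores the results of an email phishing test: click and report rates per campaign, the trained-versus-untrained comparison within a campaign, the relative reduction in click rate from the baseline, and the repeat clickers who need targeted follow-up instead of another all-hands session. The campaign names, user names and record layout are assumptions, and all records are constructed sample data.

```python
"""Scorecard for an email phishing-test program: compares a baseline campaign
with a post-training campaign and flags users who need follow-up.
All records below are constructed sample data, not real campaign results."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    user: str
    campaign: str   # campaign label, e.g. "Q1-baseline" (assumed naming)
    trained: bool   # user had completed awareness training before this campaign
    clicked: bool   # user clicked the simulated phishing link
    reported: bool  # user reported the message via the report-phish button


def _r(user, campaign, trained, clicked=False, reported=False):
    return SimResult(user, campaign, trained, clicked, reported)


# Constructed sample data: a baseline run before any training (nobody trained),
# then a follow-up run after six of the ten users completed training.
RESULTS = [
    _r("alice", "Q1-baseline", False, clicked=True),
    _r("bob", "Q1-baseline", False, clicked=True),
    _r("carol", "Q1-baseline", False, reported=True),
    _r("dave", "Q1-baseline", False),
    _r("erin", "Q1-baseline", False, clicked=True),
    _r("frank", "Q1-baseline", False, reported=True),
    _r("grace", "Q1-baseline", False, clicked=True),
    _r("heidi", "Q1-baseline", False),
    _r("ivan", "Q1-baseline", False),
    _r("judy", "Q1-baseline", False, clicked=True),
    _r("alice", "Q2-post-training", True, reported=True),
    _r("bob", "Q2-post-training", True, clicked=True),
    _r("carol", "Q2-post-training", True, reported=True),
    _r("dave", "Q2-post-training", True, reported=True),
    _r("erin", "Q2-post-training", True),
    _r("frank", "Q2-post-training", True, reported=True),
    _r("grace", "Q2-post-training", False, clicked=True),
    _r("heidi", "Q2-post-training", False),
    _r("ivan", "Q2-post-training", False, clicked=True),
    _r("judy", "Q2-post-training", False, clicked=True),
]


def campaign_metrics(results):
    """Return {campaign: {"targets", "click_rate", "report_rate"}}."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for name, rows in by_campaign.items():
        n = len(rows)
        metrics[name] = {
            "targets": n,
            "click_rate": sum(r.clicked for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return metrics


def cohort_click_rates(results, campaign):
    """Click rate of trained vs untrained users within one campaign
    (None for an empty cohort)."""
    rows = [r for r in results if r.campaign == campaign]
    out = {}
    for label, trained in (("trained", True), ("untrained", False)):
        cohort = [r for r in rows if r.trained is trained]
        out[label] = sum(r.clicked for r in cohort) / len(cohort) if cohort else None
    return out


def click_rate_reduction(results, baseline, followup):
    """Relative drop in click rate from baseline to follow-up (0.2 == 20% lower)."""
    m = campaign_metrics(results)
    base = m[baseline]["click_rate"]
    return (base - m[followup]["click_rate"]) / base if base else 0.0


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: these
    are candidates for targeted follow-up rather than generic re-training."""
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for name, m in campaign_metrics(RESULTS).items():
        print(f"{name}: {m['targets']} targets, "
              f"click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    print("Q2 by cohort:", cohort_click_rates(RESULTS, "Q2-post-training"))
    reduction = click_rate_reduction(RESULTS, "Q1-baseline", "Q2-post-training")
    print(f"click-rate reduction vs baseline: {reduction:.0%}")
    print("repeat clickers:", repeat_clickers(RESULTS))
```

The report rate matters as much as the click rate: a campaign where clicks fall but nobody reports the message means the security team still gets no early warning from staff. The cohort split is what supports step 10, since it separates the effect of training from seasonal or campaign-specific variation that would show up in both groups.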