With employees receiving repeated warnings about cyber threats and safe information security practices, it is not uncommon for them to treat these warnings as routine precautionary messages and overlook their importance.
While most of us understand the importance of keeping our information secure at the workplace, we also tend to think that a bad incident will not happen to us.
In the last couple of years industrial systems have become more intelligent and their software more complex, and keeping them protected is raising concerns. Patching and software updates within these traditionally closed systems are now a requirement, which raises concerns at the information security department level.
The main purpose of these scams is to collect account passwords, credit card numbers, financial data, or any other information such as name, address or date of birth in order to commit identity theft. Even though awareness of phishing has grown in recent years, it remains a highly successful way of scamming.
If you have had the chance to deliver security awareness training sessions, you have probably struggled to keep the audience engaged throughout the session. Most of what employees learn through conventional methods tends to be retained for only a short time.
It has been reported that in Europe about seventy percent of people use the internet daily. Of all the areas where the internet plays a role, internet-based information and management systems are the most critical, both in terms of their use and in terms of their data integrity and security.
The General Data Protection Regulation (GDPR) requires businesses and organizations to secure the personal data of EU citizens for any transactions taking place in EU member countries.
Article 39 of the GDPR specifically lists the tasks of the Data Protection Officer. Section 1B of Article 39 puts the responsibility on the Data Protection Officer (DPO) to create awareness and provide training to the staff involved in processing operations.
Inappropriate use of storage media containing sensitive information, mishandling of confidential data, insecure email usage, and failure to follow the storage requirements that apply to each data classification top the list of security risks any organization is exposed to.
In most cases, errors of this kind are far from deliberate actions.
The success of a security awareness program is proportional to the motivation level of the participants, their involvement, and how well the information disseminated through the different channels is assimilated.
Like any other type of course, higher levels are general and treat broader concepts.
In the security awareness program design phase, we have to keep in mind to bring in front of our audience extensive coverage of the security threat spectrum.
Starting with widely applicable aspects and topics, and also taking into account the security policy, the materials should preferably be presented in an intuitive and clear form.
Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective.
The metrics used to measure the success of a security awareness program will vary for each organization based on considerations such as size, industry, and type of training.