Security Awareness Month Spring Cleaning

Nick Santora | October 2, 2018

October means it’s that time of year again when we recognize National Cyber Security Awareness Month. During this month, we celebrate cyber security and help promote awareness to businesses across the world. It’s so great to see the elevation of awareness across our nation during this time of the year. There are a lot of activities to think about during this month and you might experience information overload from the amount of content being shared about cyber security. So through all the noise, what should you really be focusing on?

What you have to realize is that this month should be celebrated by bringing awareness to everyone, but it doesn’t stop there. Cyber security is a long game and there isn’t a quick fix. Cyber security month isn’t about building a plan to keep your company as safe as possible for one month, but rather, it’s about keeping our companies and our people protected year-round.

Across your entire cyber security program, security awareness is the element often overlooked. Think about other areas you focus on, such as patch management, software upgrades, antivirus, network monitoring devices, and the list goes on. We always seem to be on top of software and hardware maintenance, but for some reason we tend to neglect our people that run the organization and their cyber security education. We look for the quick fix and resort to just giving a presentation at the end of the year to say we did something. But something is not enough. People aren’t firewalls. People are people. Just like other areas of our program, we need to understand how employees play a major role in protecting our organization from threats.

We know that employees are a big part of cyber security strategy in our organization, so what should we do to promote cyber security?

What is Security Spring Cleaning?

This month is dedicated to building awareness at all levels in your cyber security program. We have to get everyone talking about it. From the board room, down to the front desk, cyber security should be on everyone’s minds. We all see the breaches almost daily in the news and want to do what is best to prevent these types of incidents. But without a plan, this is going to be an uphill battle to get anything done. Using this month as spring cleaning for your cyber security program has such great purpose. It’s time to get out the vacuum and lift up the couch cushions. Everyone needs to help.

Start by creating a plan, just like you would when cleaning a house. For example, what assets and services are most critical for your organization? Get people talking about the concept of security to make sure they are protected. In short, if these services go down, your business stops. Next, make a list of the different ways you are currently protecting those assets or services. It’s amazing what this exercise will do if you can get a team into a room to just start chatting. Forget the day-to-day and just for a moment talk about some real-world situations that could take place in your very own company. The point here is to get everyone talking. Making the conversation relatable is when the concept of security really starts to hit home.

As an example, let’s imagine you are a startup running a web application. What are you doing to protect that web application? It is probably hosted in a cloud environment, so what protections are in place? Do you have multi-factor authentication enabled? Who has access to that infrastructure and why? What other services do you rely on to keep the app running? What vendors are involved? What if something went wrong? All of these types of questions start to open up the conversation and really get into the “tough to clean” spots of your business.

Another example is to look at personnel security. Do you currently have security awareness training for employees in place? What does the strategy look like as far as planning, content strategy, delivery, and feedback? Are you running phishing training exercises? Are we focusing on any risks that have been identified in the organization from a security point of view? Security awareness training is only as good as the processes and procedures you have put in place to help protect your employees. If you don’t follow the best practices as an organization, the program will fail.

The larger your organization is, the more you need to protect. That’s okay. Start small and stay focused on identifying your risks first, rather than trying to fix them all at once. Think about the example of cleaning up a house. You have a plan and maybe start with the kitchen first, then move to the bathroom, bedrooms, and so on. Let’s not sweep things under the rug and stuff things into the closet. That is just a temporary fix. Building out an effective cyber security program takes time, effort, and resources to focus on the end goals.

Enjoy security awareness month as a way to spread cyber security knowledge across your organization. There are so many great ways to communicate with each other, share expertise, and get everyone talking about protecting themselves at home and at work. What else? What are you planning to do this month to share your knowledge with the community? Better yet, what’s your plan to continue this momentum and make cyber security a priority for your employees?

Author: Nick Santora

CISSP, CISA, Chief Executive Officer of Curricula.