The responsibility for securing organizational data has spread beyond the traditional IT professional. While there are more diverse security solutions, there are more diverse and sophisticated security threats. Security awareness and training is essential for everyone within an organization. Learn how Cisco has continued to evolve its security solutions and training.
We've all seen the news pieces where the FBI or the Department of Homeland Security talk about security, and how anyone who sees something suspicious should report it to the local authorities. The Department of Homeland Security has been promoting the security awareness campaign, If You See Something, Say Something.
After the 9/11 attacks and subsequent terrorist incidents, it became clear that the public needed to increase its level of awareness and proactive response to suspicious activity. In essence, every citizen is being asked to be an extension of the security apparatus. The logic is that the more sets of eyes looking for suspicious activity, the greater the likelihood of stopping an attack before it occurs.
It's no different in the world of information security. Security is no longer the purview of those individuals who have been specifically trained to install, configure, and monitor firewalls, intrusion detection and prevention systems, and advanced malware protection. Everyone in the IT shop (e.g., collaboration, mobility, storage) needs to have a working knowledge of security threats and the tools available to help mitigate those attacks.
Attacks on private networks have increased in persistence and sophistication. The days of the lone hacker sitting in a basement trying to break into the Pentagon's database for fun are over. Today, there are teams of individuals, both state and privately sponsored, whose sole purpose is to break into corporate or government networks and either steal sensitive data or deploy malware that will bring those networks to their knees. That malware can be planted in a system and lie dormant for weeks, months, or even years before becoming active.
These facts have changed the security landscape from one of simply detecting threats and preventing network access. Today we have an attack continuum, where protection is required not only before, but during and after, an attack. During the attack, the goal is to limit the impact of the attack. After the attack, data from the intrusion is analyzed and used to prevent future attacks. This continuous feedback loop requires additional resources over the traditional model, and not only resources specializing in security.
Even employees who are not part of the IT staff need to understand their role in protecting sensitive information. Maintaining even the most rudimentary security practices (securing laptops, etc.) can go a long way toward preventing security breaches. While convincing salespeople, clerical staff, and engineers that they play a pivotal role in securing company data may be a challenge, without it there are significant holes in the company's security profile.
In other words, security is everyone's business. In this paper we are going to look at security awareness in organizations, types of security threats, security in Cisco training, and Cisco security solutions.
Security Awareness in the Enterprise
Enterprise Management Associates (EMA) conducted a survey of more than six hundred people (non-IT and non-security staff) entitled Security Awareness Training: It's Not Just for Compliance, which revealed that more than fifty-six percent of corporate employees had not received security or policy awareness training from their organizations.
This is a problem because without training, people will do the same things at work that they do at home, only the consequences of their actions can be much more damaging. Clicking on a link in an email can release malware that can infect hundreds of machines in seconds, or open up a path for data theft. These individuals don't even know they're doing anything wrong until someone points it out to them.
Companies need to give all employees education about security threats that they can apply not only in the workplace, but at home as well. This will allow employees to establish solid security habits that become the rule rather than the exception.
The same EMA study showed that employees have some very bad habits when it comes to security:
- Thirty percent leave mobile devices unattended in their vehicles.
- Thirty-three percent use the same password for both work and personal devices.
- Thirty-five percent have clicked on a link contained in an unsolicited email.
- Fifty-eight percent store sensitive information on their mobile devices.
- Fifty-nine percent have admitted storing work information in the cloud.
The lack of security awareness is obvious. Some basic training that makes all employees aware of their responsibilities towards security can prevent future breaches.