What is security awareness?
Security awareness is the knowledge and attitude that members of an organization possess regarding the protection of the physical and informational assets of that organization.
Why does it matter? What would happen to your company if your biggest competitor got your list of customers, procedures, or policies? What if a malicious person gathered personal information about your employees or customers? All companies should have a security policy in place (with a yearly review) and awareness training scheduled regularly.
Let’s define the types of threats you might experience today:
- Many threats are engineered internally by employees.
- Companies never realize they have been breached internally.
Social Engineering / External threats
- Someone with a clipboard or equipment bag is unchallenged as he walks around your building or office.
- Holding the door open for a “visitor” is a common way for someone to access your building.
- E-mails sent to you that may be malicious.
- Always check the English! Malicious emails are often written with poor English / grammar.
- Malicious websites
- Phishing, impersonation, pharming (redirect Web traffic).
- Phone calls asking for information.
- Insist on a callback number and call back for suspicious calls
Passwords / Credentials / Web
- Should be complex/strong and changed regularly.
- When possible, two-factor authentication should be used.
- Never give out your password, even to a superior.
- Never send passwords / login info via e-mail or IM/text.
- Never write your password down.
- Never reuse passwords, or add a number after them.
- Report any attempts to get password to Information Security Officer.
- Never use default passwords on anything electronic.
- Web Browsing
- Always look for the “https” or lock icon in your web browser which indicates a secure website if you are required to release sensitive information (ex. banking websites, payment websites, etc.)
Documents / Printouts
- Sensitive Printouts
- Shred sensitive documents.
- Keep others under lock and key.
- Unused network jacks should be disabled. (This prevents someone from plugging in to your network.)
- Wiring closets and server rooms should be locked and have logged access.
- Wireless should be secured with the most current encryption.
- Your Computer
- ALWAYS lock your PC when you’re not using it.
- NEVER log someone in to their PC with your login.Your Computer
- Only use personal equipment at work if a bring-your-own-device (BYOD) model is in place.
- NEVER allow friends/family access to work devices.
Keeping a Low Profile
- Do not make yourself a target.
- See: http://www.pcmag.com/article2/0,2817,2487283,00.asp(This company made themselves a target.)
- Don’t list company shutdowns or outages on social media.
- Use a dummy e-mail address to sign up for things.
- Don’t tell the world about your vacations. Break-ins can be geared towards getting company info/equipment.
Media Containing Sensitive Data
- Keep media encrypted.
- Never bring unencrypted media out of work.
- Never leave sensitive media unattended or unlocked.
Reporting and responding to an incident
- Report ANY incident to the proper management personnel or Information Security Officer (ISO).
- Take appropriate screen-shots and record pertinent information.
Most important: Be AWARE
- Use common sense. If you weren’t expecting an attachment in your email about a UPS package, don’t open it!
- If you receive an email asking for your credentials to any website, don’t provide them.
- Accept the fact that there are malicious people doing malicious things. If you approach I.T. with an eye towards security, you stand a much better chance of not becoming a victim.