Why Security Awareness?
As such, I have pledged to devote a series of blog postings this month to assist with the development of a Security Awareness Program within your organization.
Before we get into the meat and potatoes of developing a Security Awareness (SA) program, the question one must first answer is "Why should I implement a security awareness program? Aren't security programs for the Techies?" This is an excellent question, especially for organizations that are not Information Technology related.
The answer to that question is that no matter what field you are in, security should be a part of your organization. Security doesn't just mean making sure someone doesn't hack your web site or that your computer doesn't get infected with a virus. The concept of corporate security also involves physical security of your office as well as data that you might be storing there.
Let's use a car repair shop as an example. Should they be concerned about security? Absolutely! We'll put aside for the moment that a car repair shop may have thousands of dollars of inventory sitting right in its main lobby area (tires and the like); from a thief's perspective, the real money is in the customer records. A car repair shop has customer lists with customer names, addresses, phone numbers, and potentially credit card numbers. If this information isn't properly secured by the shop, your personally identifiable information could be at risk.
As organizations, who are we trying to defend ourselves against? From a technology perspective there are virus writers, hackers, spammers, etc. Those are a given. Data and physical property thieves are also a risk. What are companies doing, though, to protect against their internal employees? As much as you want to believe that everyone who works for your organization is there to advance the progress of the company, a 2006 E-Crime Watch Survey reports that insiders were responsible for 27% of all security incidents. More than 1 in 4 security incidents (either accidental or intentional) were the result of an employee at a company obtaining access to information that they shouldn't have had access to.
Why is that? For starters, it is easier for an insider to get information. The higher up you are in an organization, the more critical data you likely have access to as part of your normal network access levels, which means that your potential risk to the company is also much higher. Why break into the house to steal the jewels when you are already in the bedroom?
Over the next few blog entries we'll go into more detail on what the goals of a successful SA program should be, some of the inherent challenges that come with implementing such a program, and steps that you can take to start implementing a security awareness program at your organization. Different types of companies have varying requirements for security (Do you have servers? Do you accept credit cards? etc.), but the discussion can certainly be made general enough to apply to everyone.
Hopefully over the rest of October the information that is presented here will be of use to you and will help jog some thoughts of your own on how a security awareness program could work for you.
