
Information Security: It’s a Journey

  • Posted on: October 1, 2014
  • Posted in: Internet Safety, Security, Web Threats
  • Posted by: Rik Ferguson (VP, Security Research)

It is certainly a truism to say that an organisation’s weakest point is its own employees. It could be argued that, because this has been said many times by many people and offers no new insight, it is of little value to state it again. Such is the nature of a truism.

However, the situation where the first line of defence is also your Achilles Heel is one so unique and so important that it deserves constant attention, not cynical acceptance.

There is much that enterprises, both large and small, should be doing to mitigate the risk posed by well-intentioned employees who are simply trying “to get the job done”. Equally, employers also have a duty to keep abreast of developments both technological and criminal, in order to provide effective training.

Organisations need to make sure they understand the threat as it really is today, not as they think it is. They need to make sure their users are educated to use the Internet and corporate resources from a position of awareness and caution rather than blind trust in a technological solution. Employees should be aware of how invisibly compromise can occur and where to go if they are concerned.

Equally, people need to be made aware of the real monetary value of their own and other people’s personal information and to treat it with the care it deserves, rather than offering it to any curious onlooker through social and professional networking, blogging, telephone calls, bogus surveys and more.

Currently, most corporate information security training initiatives are only visible to a new employee. As a new hire, you are handed all the relevant policies to digest and to sign. The problem is that this is often a one-time event. Three months or three years down the line, not only are employees expected to remember the practical application of the policy, but the lack of revisiting the policy also assumes that the threat or technological environment itself has not evolved.

Education, particularly in the realm of information security, should be a process, not an event. Ideally, it should also be fun and engaging, making sure that security is always at the forefront of the enterprise mind-set, whether in work or outside. Good information security practices should extend beyond the perimeter of the workplace, as actions at home, particularly in the age of BYOD and Consumerisation, can have serious repercussions at work.

Information Security training can be a difficult subject to bring to life for a disinterested audience; many important lessons can be learned from the marketing, creative and web content parts of your business. Security training is not an initiative for just the security team; it is one where multiple areas of expertise must work together for real success.

The concept of gamification, or the use of game design techniques to enhance non-games, is one that can be successfully applied in the area of security training. Divide your workforce into functional or geographic teams; deliver the same training to the workforce on a staged basis, prolonging the initiative through time. Devise league tables to bring out the competitive side of your employees, and challenge them with a series of unexpected tests: for example, mystery callers trying out social engineering techniques, attempts to establish friendships on social networks, and phishing email campaigns designed to ensnare the unwary. If your workforce has been forewarned that there is an on-going practical element to the training, and that their security radar will be constantly tested, it will only serve to heighten their general security awareness. Achievements and awards can be earned on an on-going basis, and the motivation can be built to keep security at the top of your list when going about your everyday business.

It’s not about punishing or otherwise those individuals or teams with the lowest scores; it’s about creating a culture of security where every employee is more aware of the consequences of their actions, even when those actions seem entirely innocuous at the time.

Information security is not a destination, it’s a journey.

 

During the month of October, we’re supporting the National Cyber Security Alliance in celebration of Cyber Security Month – an effort that aims to educate organizations and individuals about how to stay safe online. Check out the helpful videos, infographics, blog posts and reports we’ve gathered for you here. 
