Security Awareness – A Tale of Two Perspectives
Meet Bob, who works in Anytown, USA as a loan officer and has been with the company for about nine months. He loves working for DollarBank, takes pride in his work and has a strong motivation to do a job well done. Bob does everything that is asked of him and completes every assignment on time. He understands there is a security awareness program but doesn’t know exactly what’s expected of him. Bob thinks Information Security is a dull topic and he loses interest quickly. Work is too important to pay too much attention to security issues. He sees some Intranet posts about risk scores but doesn’t have time to read them. He has completed some of the security awareness training, however he sometimes wonders if all of it really matters. After all, he found the training boring and disengaging. The phishing tests are good and sometimes hard to detect, but he’s gotten used to the phish-reporter button, so he relies on it wholeheartedly to report suspicious emails. Lately, though, he discovers that he’s submitting more false positives all the time.
Insecure Mindset
Bob has never been a security minded person and often leaves his doors unlocked at home when running errands. Years ago, his car was broken into in a department store parking lot. As a result, he now keeps his car locked all the time. Nowadays, Bob works from home with his wife and three kids who are being homeschooled. He’s been hearing that he needs to secure his home network and has tried many of the steps, but his kids keep changing configuration settings trying to get their own devices and zoom meetings to work so they can connect with their teachers and classmates. The Internet goes down… He connects to his work phone hotspot to continue working and is presented with an enticing email about how to work from home securely. Without thinking, he hovers his mouse over the link…
Security Awareness Mindset
Then, there is Alice, a staff accountant, who struggles to find the time to do the security awareness training. She knows it’s vitally important to keep data safe, so she’s highly motivated to do as best she can on all the courses and tests. Alice notices the security awareness posters which were put up in the office kitchen and break room area and takes the information to heart, making a point to slow down and carefully read and analyze each email arriving in her inbox. Alice recalls the last security awareness training course as somewhat engaging and highly informative, but many of the concepts didn’t stick. She feels as though shorter, more frequent reminder training with a bit of lighthearted situational themes would be more effective and help her retain the information better. Even though she sometimes struggles to complete training and spot the red flags on tests, she is very consistent when it comes to reporting suspicious activity and completing all training. Alice exclaims, “I got scammed out of $1K years ago, and so I’m always looking over my shoulder now. I take it really seriously!”
It’s been many months since the last training, and she is getting nervous she will soon fail a phishing test. As she reads more news articles about cyber-crime and big company breaches, she knows that all businesses are vulnerable and wants to do her part to help keep the organization’s information assets safe. She knows the phish-reporter button well, but also knows to call the helpdesk when noticing something suspicious.
Compromised
One day, Alice receives an email from Bob, who works in lending. Bob’s customer, a small vineyard in Virginia, needs additional funds wired to their account. She recalled the last security awareness training topic was on wire fraud, but also carefully examined the email and noticed some obvious red flags. Following protocol, Alice called Bob directly to inquire. Additionally, reported Bob’s email through the phish-reporter button and called the helpdesk.
So, which user clicked the link? Yep, Bob is da man! Downright Dangerous! Although Bob knows a lot about security, he doesn’t care to pay enough attention to it. Alice is highly motivated to do the right thing but often lacks the ability. However, in the real world, she has consistently foiled several attempted wire fraud events and even a physical security incident! When we can consistently shape human behavior to do the right thing and to care about security, then we’ve arrived at the transformation stage of security awareness.
Learn all about online safety basics provided by the National Cybersecurity Alliance!
Contact 2Bware today for tips and advice about how to get prepared. Often, developing a solid security awareness program is a crucial first step. It’s not too late until after disaster strikes.