A security awareness program is a formal program whose goal is to educate users about the threats an organization faces and how to avoid situations that might put the organization's data at risk. Employee training is a major component.
The goals of a security awareness program are to reduce the organization's attack surface, to empower users to take personal responsibility for protecting the organization's information, and to reinforce the policies and procedures the organization has in place to protect its data. Those policies and procedures might include, but are not limited to, computer use policies, Internet use policies, remote access policies, and other policies that govern access to and handling of the organization's data.
In information security, people are often the weakest link. People want to be helpful. People want to do a good job. People want to give good customer service to their coworkers, clients, and vendors. People are curious.
Social engineers exploit exactly these traits. Social engineering is the process of deceiving people into giving away access or confidential information, for example by posing as a help-desk technician, a vendor, or an executive to persuade a user to hand over a password or approve a request. The primary defense against social engineering is an effective security awareness program, complemented by technical controls that limit the damage when someone is fooled, such as multi-factor authentication and out-of-band verification procedures for sensitive requests. Unless users understand the tactics and techniques of social engineers, they are likely to fall prey and put the organization's data at risk.