Shulou(Shulou.com)06/01 Report--

Preface

Within the enterprise, human error and lack of systematic network security awareness are the primary causes of enterprise data leakage and security threats. At this stage, although network security awareness has made great progress in training, there are still many enterprises that do not put network security training in the first place, therefore, emphasize the importance of network security awareness and effectively achieve this, there is still some work to be done.

1. Obtain high-level authorization for security awareness training

Wombat Security's Egan says security experts are often so obsessed with the details of an ongoing project that they can't look at the big picture. For example, security experts will tell CEO that 15% of employees still click on phishing software, and that no matter how hard security experts try and employees' network security awareness is not raised, the network security risk faced by the enterprise cannot be zero; the important thing is that these numbers do not make any sense to CEO. Let's put it this way: it's best to tell them that companies can reduce security risks and security repair costs through security awareness training. This is the result that the top management wants the most.

two。 Strengthen safety training for personnel in special positions

Tom Etheridge (Tom Etheridge), vice president of services at CrowdStrike, says companies should use security awareness training as a checklist. From the executive board and executives to the senior leaders of the finance team and purchasing department, they all need to participate in the professional cyber threat training organized by the company.

These people have special positions and have special access to information on many personal computers and corporate servers, so they are high-value targets in the eyes of cyber criminals.

Security experts need to provide security policies so that cyber criminals can learn how to use tools such as two-factor authentication and encryption, as well as the appropriate steps to take to protect physical assets (computers, etc.) when traveling.

3. Raise the awareness of information security, starting from the leadership

Generally speaking, when management begins to pay attention to network security, employees will also be driven to take corporate information security policies and standards seriously and consciously avoid the threat of fraud and data disclosure.

Security experts pay more attention to those who provide funding and support for security awareness training. In other words, the company's decision on whether to provide safety awareness training to its employees is mostly in the hands of their immediate leaders. Therefore, as long as it is approved by the leaders, the staff's security awareness training can be carried out normally, and the team's network security awareness can be effectively enhanced.

4. Companies should look for natural leaders

Wombat Security's Egan says many companies are not considering setting up a special unit for security awareness projects. Security experts can look for natural "leaders"-they may or may not be technicians, but they are the protagonists of parties at company parties, or they always speak at company-wide meetings. Make them proponents of the company, and they will convince others that security awareness is important to the continued building of the company's network security.

5. Safety awareness will be used as a skill throughout the employee's career.

Of course, security awareness training will make the company safer. However, security experts and human resources staff did not mention other broad benefits. For example, security awareness training for employees can indirectly help their parents avoid some routine network security damage and minimize losses. These elderly people who are old but do not understand computers can maximize the fun brought by advanced Internet technology in a world full of network security threats.

We may not realize that security awareness is no longer just a business issue, but a modern life skill issue. The human resources department needs to emphasize the content and importance of training when recruiting new employees. This will be a skill that every employee can carry with them throughout their career.

6. Enterprises hold attack and defense drills to improve their defense capabilities.

Many companies send phishing emails to their employees for internal testing to see what happens. But before doing any testing, they need to consider the type of attack they use, how to group phishing users, and so on.

CrowdStrike often works with companies to test phishing at specific times to observe the performance of its employees. Based on widespread phishing, he said, it may be to facilitate compliance purposes or to assess the effectiveness of companies adopting cyber security policies, but this does not test the true defense capabilities of companies. Therefore, if the company has the conditions, it can conduct a red-and-blue competition, effectively improve the offensive and defensive level of technicians, and finally explain to senior executives how the security team can deal with security issues more effectively.

Whether the enterprise's network is secure or not, employees' awareness of network security is a hurdle. Only after passing this hurdle, can we lay a solid foundation for enterprise network security and effectively reduce network security risks such as data leakage.

This article is reproduced from Jinri Toutiao "e-an Education".

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.