We have all been there. We are sitting at our desks, doing our work, and the email pops up. Usually from our IT Department or our boss, the email tells us that we need to complete our annual Security Awareness Training within the next 2 weeks. What's the first thought that goes through your mind? If we are being honest with ourselves, that first thought is usually something like, "Ugh, why do we have to do this? Don't they know that I know how to work a computer and keep our information safe?" But do we? Do we, as individuals working for companies, know how to spot a suspicious email? Do we know what to do when someone allegedly from our IT Department calls us to tell us they need to install software on our computer remotely?
We all hear about phishing emails. All the time. In fact, there is a never-ending dialogue about phishing emails in the news, the most recent one being the "IRS" emailing to say that you owe them money and they are going to arrest you if you don't pay immediately. As a side note, this is not true, so don't fall victim to the scam. Or the instance where one of my relatives clicked on a link that they shouldn't have and had their computer become infected with ransomware, demanding that they pay $500 through a gift card to get access to their computer back. And who can forget the Nigerian Prince who needs to send you money immediately due to their lottery winnings and, for some strange, unknown reason, has picked you to share it with! Well, I have some great news for you folks out there: even the people "in the business" get targeted too, and today that target was me!
Security or Compliance. Which one should we focus on? On the surface, this almost sounds like the question of which came first, the chicken or the egg. But if we dig deeper, we start to see that while they are similar and have similar goals, they can be very different in how they are implemented and in what that means for the culture of your organization. I know that it sounds a little strange to compare Security and Compliance to culture, but trust me, it will all make sense (I hope).
Without a doubt, almost every type of IT audit contains a section on security awareness training. And in many companies, it is a weakness that can be exploited more easily than trying to hack a firewall or compromise a server. In many cases, it can be as easy as sending an email or making a phone call.