Monday 17 October 2022

Security awareness month


Since October is cybersecurity awareness month in the USA, we've seized the opportunity to update SecAware.com with additional information on our security awareness material. 

SecAware's information security awareness modules explore a deliberately wide variety of individual topics in some depth:

  • Application security - this module has just been thoroughly refreshed reflecting changes that have occurred since it was born in 2010 and updated in 2013. It's as fresh as a spring daisy.
  • Assurance - concerning the purpose and value of various forms of security checks, tests, evaluations, assessments and audits.  Nice to know.
  • Business continuity - 'keeping the lights on' involves securing and maintaining various information processes, systems and flows.
  • BYOD & IoT - both areas involve aligning the organisation's objectives with workers' personal interests, securing the seething muddle of portable IT devices while enabling their use for legitimate business purposes. 
  • Cloud security - securing someone else's computers and networks, you could say.  Cloud is a high-stakes game with big payoffs and deep lows.
  • Compliance & conformance - fulfilling legal, regulatory, contractual, organisational and ethical obligations or requirements in the general area of information security, governance, safety and privacy. 
  • Cyberinsurance - sharing (not transferring!) particular information risks with insurance companies, under specified conditions, for a fee. Beware the small print.
  • Cybersecurity - a challenging topic, this, since there is little if any consensus on the meaning or scope: is it simply old-skool IT security, Internet security, protecting critical infrastructure against devastating attacks, all the above or something else? We're still not entirely sure.  
  • eForensics - incident responders need to understand their critical role in securing evidence that may later be needed in court, while other workers should appreciate the painstaking effort required to gather, secure, analyse and present digital evidence that may one day incarcerate - or indeed exonerate - them. 
  • Email & messaging - extremely valuable business and social tools with substantial information risks and vital controls.  Have your people text my people, will you? 
  • Hacking - discovering, exploring and exploiting vulnerabilities in networked IT systems and the people who use and administer them is an obsession for bright sparks, social misfits and spooks alike. 
  • Incidents & disasters - being ready to respond effectively and efficiently to incidents at the earliest opportunity will hopefully prevent them becoming complete disasters, but hope is not exactly a sensible strategy! 
  • Information protection - blends information risk management and intellectual property protection with knowledge management, covering aspects such as information classification.  For your eyes only. 
  • Insider threats - aside from bad apples and rotten eggs, inept, over-worked, stressed-out and coerced workers are a fact of work life.  
  • Intellectual property - copyright, trademarks and patents are the tip of an information iceberg: a lot of proprietary and personal information is just as valuable, especially big lots of it - databases, business records and the accumulated expertise of the workforce. 
  • Internet security - the Interwebs, where would we be without them? Shall we find out? If various crackpots have their way, we may discover the fatal flaws in our cunning plans to remain online, despite everything. 
  • IoT security - rapid innovation and the proliferation of naive-consumer-grade devices threatens to overwhelm our homes and workplaces with a tsunami of eJunk, unless we ride the crest. 
  • Malware - malicious software has a   l o n g   history, and we're not even approaching the final chapter. Although the Greeks' wooden horse offered to the besieged city of Troy pre-dates the digital age, the technique remains effective today.
  • Malware incident - workers' prompt reactions to the earliest signs of malware infection can make all the difference, hence noticing the signs and knowing how to react are important awareness objectives.
  • Misteaks, erors & acccidents - death by a thousand cuts caused by leetle typos, miscalculations and other seemingly trivial issues that, collectively, amount to a huge societal problem impacting integrity, plus availability, oh yes and confidentiality.  Oh oh. 
  • Outsider threats - defending against miscreants and 'threat actors' from beyond the organisation's fast evaporating boundary, when moats and drawbridges no longer suffice.
  • Oversight - an innovative module covering management controls, and the vital steps missed through corner-cutting or ignorance.
  • Passwords - passwords and security tokens are the manifestation of identification & authentication, important control concepts for confidentiality, integrity and availability, again.
  • People aspects - can't live with 'em, can't live without 'em! A module about people protecting people against people. 
  • Phishing - an obvious awareness topic, yes, but clearly not the only one.  If phishing awareness is the limit of your efforts, you evidently have much to learn, glasshopper. 
  • Physical security - stealing, damaging, mistreating or allowing harm to befall tangible information assets can totally undermine all those high-tech cybersecurity controls.  
  • Portable device security -  short of supergluing them in the vault, what can be realistically done to secure the swarms of ICT devices busily invading our work and home lives?   
  • Privacy - just as we cling to the remaining vestiges of our privacy, so those whose personal information we access at work expect us to protect their interests, oh and stay out of jail.  
  • Ransomware - give us your bitcoins, mister, or the database gets it! 
  • Resilience - bending rather than breaking under strain is something that startups and mature organisations manage naturally, but what about those in the difficult teenage and middle ages?   
  • Security culture - an altogether more civilised approach to information risk and security involves everyone, spanning the janitor's basement closet to the executive penthouse with the plush carpet and obsequious flunkies.
  • Security frameworks - security maturity climbing frames, complete with ladders and rope swings.    
  • Social engineering - a dual-use technology, part control, part threat.  
  • Spotting & reporting incidents - the incident management process snoozes quietly in the corner until prodded by someone reporting a noteworthy event, a near-miss, 'something amiss' or a crisis threatening to shake the very foundations.  Wake up!  Wake up!  Stuff to do! 
  • Surveillance & monitoring - snoops and spooks walk among us, while most of us remain largely ignorant of the amazing surveillance capabilities of the equipment in our pockets or controlling our TVs.
  • Working from home - this movement looks likely to outlast COVID by a long chalk ...
  • Workplace security - ... and yet, at the same time, city centres and industrial areas are as busy as ever.  What are all those worker bees up to?  Should we be concerned?

In contrast to the deeper topic-specific stuff, InfoSec 101 is a special multi-topic superficial module designed for basic awareness/training purposes such as new worker induction/orientation courses and periodic refreshers. The idea is to bring new recruits rapidly up to speed on the organisation's overall approach to information risk and security, cybersecurity, privacy and so on, and remind old hands, making the point that this stuff is and remains important to management. It's an introduction, a general taster for awareness and training activities that we hope will follow periodically for as long as workers remain employed.  Rolling/continuous awareness programs are the secret sauce that security-conscious organisations lap up, while the Great Unwashed seemingly get by with infrequent/sporadic bursts of enthusiasm, punctuated by long periods of total disregard, evidently accepting the risks presented by an ignorant, uncaring, blasé workforce far too busy paddling to notice the rapids ahead.  Harrumph.

Before I step down from my crate, I'll just mention that security awareness is valid and valuable for everyone in the organisation, not just "end users". We offer streams of relevant content specifically designed and written to appeal to managers and professionals in information risk, security and related specialisms, in addition to the fairly basic and generic guidance for ordin'ry folk. As well as 'them', we care about 'us' too. Provided our esteemed leaders truly appreciate the business value of information risk management, governance, compliance and all that, information security is less likely to be the much-neglected poor relation, left to rot in a dark corner. If assorted pros take account of information risk and security, designing, operating and maintaining appropriate controls as part of their daily grind, they - and we - are less likely to be held to account for negligence and ineptitude. 

Think on, CISO, think on.  
