Valeri (Val) Loukine is a Cyber Security Evangelist and a member of the office of the CTO with Check Point Software Technologies. He is also a blogger, a world traveler, and a biker.
With more than twenty years in Information Security, Val helps hundreds of customers around the globe to overcome security challenges, counter threats, and build efficient cyber security architectures. Since 2018, Val has been leading the Check Point CheckMates community activities in EMEA and APAC.
In the second interview of our two-part series, Val Loukine discusses how organizations can raise the bar when it comes to security awareness. Did you miss part 1 of this series? Click here.
How should organizations approach cyber security awareness?
VAL: When talking about security awareness within an organization, there are two distinctive points of view. We need to contemplate how both high-level executives and regular workers perceive cyber security. Let's discuss both cases.
Management and business leaders often treat cyber security as an onerous aspect of their risk management strategy. From their perspective, cyber security is an expense, not a key business asset. Execs may also see cyber security as an obstacle; something that slows down business processes and limits the agility and flexibility of the business.
With such views, it is very tempting to reduce cyber security roles in an enterprise to a variable in a financial calculation. When this occurs, risks are downplayed or underestimated, resulting in a bare minimum set of security measures, as required by compliance regulations.
Sometimes, cyber security decision-making can stray from common sense. I have participated in conversations with high-level executives when they’ve refused to discuss potential APTs in their environments, or events to help search for potential security breaches. Their position has been, “unless there is an obvious indication of malicious activities”, in their own words, let’s not bother.
For a security professional, it is pretty obvious that when those “obvious indications” surface, it’s already too late to counter the threat and one will need to fall back on disaster recovery and crisis management measures.
In contrast with upper management, regular employees are mostly concerned with daily routine tasks, and think little or nothing at all about security.
Both high-level management perspectives and the employees' viewpoints should be addressed via educational, technological and organizational initiatives. At the end of the day, all people in the organization should have a good understanding of security hygiene, protective measures and the most common attack vectors.
To ensure this, we need to leverage a series of diverse mediums and resources: lectures, workshops, and other education activities, reinforced by practical exercises, stress and penetration tests.
What types of security awareness initiatives are critical for newly remote workers?
VAL: For remote workers, the focus should be shifted to address use of non-managed devices and the access of non-authorized people (family members, kids and friends) to work tools.
Overall, we need to address the usual attack vectors related to human exploits: phishing and vishing, social engineering, unauthorized access, soliciting of confidential information, unsanctioned use of unmanaged devices in the company networks, etc.
How frequently should organizations launch security awareness trainings?
VAL: Repetition is the key. If you are just starting out, run a large campaign for a month that consists of multiple lectures, seminars and workshops. Subsequently, conduct tests and surveys.
If you already have that done, maintain awareness seminars at least twice a year. Controls and stress tests should also be done at least once a quarter, with pen-testing at least once a year.
In what ways can employee security awareness trainings increase customer confidence?
VAL: Customers favor organizations that they can trust.
For example, my bank sends me security awareness materials regularly, pointing out the necessity of vigilance, as well as debriefing me about common fraud and exploitation techniques. This definitely helps in maintaining my confidence level with the bank.
If in charge of security awareness initiatives, I would also add information about internal organizational measures designed to raise employees’ security awareness levels. I want to know that my data, assets and private life are secure not only by technical means, but that other measures are also in place to assist with security.
Did you find these interviews informative? Check back for more exclusive interviews with high-level industry experts, only on Cyber Talk.