
Cybersecurity: How to Improve Security Awareness

Cybersecurity is critical to the reputation and success of a company, so how can leaders ensure that their employees, clients, and other stakeholders are protected?

The very first time I came across the topic of security was in 1993, when I stumbled on the TIS Firewall Toolkit and tried to configure it on the Solaris systems that my employer used at that time. Information technology has grown by leaps and bounds in the past 30 years, which has simultaneously increased the need for information security. During these 30 years, I have managed various aspects of information security across three continents at companies of different sizes ranging from five to 300,000 employees. Meanwhile, the global market for information security has grown to $202.72 billion and is projected to expand at a compound annual growth rate of 12.3% from 2023 to 2030.

Two questions remain, though: what is information security and how can we improve awareness? 

Security is more than an investment into software   

Information security is generally seen as a bunch of tools and technologies that help safeguard a business and meet regulatory requirements at different layers. People use various terms to describe the aspects of information security, such as layered security and defense in depth. But the fundamental question remains. As we all know, money doesn’t buy love, and it doesn’t buy information security, either. There was a case where a company spent more than $200 million on cybersecurity and still experienced a hack that compromised the accounts of 76 million households.  

What I have learned over the years is that security is simply a concept, attitude, and way of life, rather than a bunch of tools and technologies. The fundamental threats to information security come from humans -- insiders and outsiders. Unless security is woven into the fabric of an organization, it is not going to work at all. This raises the question of how much time and effort we spend on improving awareness and educating the users. When employees are better educated and aware of existing and upcoming threats (malware, phishing, smishing, whaling, generative AI tools, social engineering, etc.), the organization will be in a good position to manage the risks.  

Businesses continue to focus on approaches to information security such as zero trust, but these won’t be effective unless the people using them are aware of what the threats are and why they must do certain things in a certain way.

This is the main reason I engage with individuals and teams whenever possible to understand their areas and services so that I can tailor my suggestions and recommendations accordingly. As Investis Digital’s director of cybersecurity, I manage cloud infrastructure, security, and compliance functions globally. The role helps bridge the business and technical requirements of our company when we provide assurance to our clients that the hosting infrastructure is secure and compliant with privacy laws and regulations. I do that by enhancing the security awareness of all teams within Investis Digital to meet ever-growing security and compliance challenges. Comprehensive security awareness is essential to support clients with their security and compliance requirements, and that is my goal here. The more I learn about them (and from them), the better I prepare myself to protect them. That knowledge is not going to be addressed or covered by any single tool or technology. And this is not a one-time activity. It’s needed on a continuous basis.

Improving security awareness   

Here are some recommendations on improving security awareness across the organization -- and don’t think that once-a-year training will meet the requirements:

  • Know what your information assets are (and how they are classified). This is essential, as one can’t secure something without knowing what is present and what is important to the business. Securing the whole company is a noble thought but won’t happen practically. I am a big believer in data-centric security.
  • Educate everyone on the information assets they are handling (create, store, process, and dispose) on a day-to-day basis and how to handle them in a secure manner.
  • Educate everyone on a continuous basis on the industry trends and about the latest vulnerabilities and security threats. When someone knows more (on time, and well in advance) they will be better prepared. 
  • Be aware that every individual is different and every team is different, so no single training will meet the requirements of everyone. Try to tailor awareness campaigns.
  • Stay in touch with the individuals and teams throughout their process to make them feel that they have continuous support when it comes to security, rather than training them and expecting them to grasp everything and master the requirements. 
  • Approaches like zero trust might look attractive to some, but building a total-trust model where everyone knows all the security requirements applicable to their domain (and is responsible for implementing them) is more fundamental and beneficial. 
  • Reward the security champions across the teams and departments to motivate others. 

In summary, security is an attitude and way of life. Incorporate it into the DNA of the organization by interacting with individuals and teams and educating them on a continuous basis.

Contact Investis Digital 

I see our products as more than delivering a website or a tool; we must also educate clients on doing their business in a secure manner, and that will be a valuable addition.

The Investis Digital on-demand hosting platform is built from the ground up with security and data protection by design. Our cyber threat prevention system offers complete DDoS protection and malicious traffic analysis and prevention, and it underpins every website we build. Combined with the atomized modular architecture of the Connect.ID CMS platform, we can deploy beautifully designed and highly performant websites in as little as two weeks from ideation to build. Contact us to learn how we can protect you.