now one of the best defenses against Attackers inside and out within our organization is training, knowledge, transfer and really knowledge transfers bigger than just training. You know, formal classroom training. Computer based training is helpful. It's important part, but also things like raising security awareness.
If you walk down ah, hallway of your organization, you see a sign that says,
Never give out your password or never leave your work station unattended without locking out. That's raising security awareness. So what we want to do is we just want to inundate the employees within our environment with security concepts and security ideas. We want it to just be second nature for our employees to behave in a secure fashion.
So, uh, that would be awareness training,
education. We want to make security information available, So maybe we have an I. T. Security library that we make available. Maybe we include snippets and our security letter or, ah, memo rather. And every week we have a new topic of the week, whatever. So
the weak links are people, and I would almost remove the word usually quite frequently. Our technology works as our technology being been configured properly
has someone compromised it, you know, intentionally. Are there back doors or other ways around? It comes down to the people within our organization. Social engineering, praise upon our people.
Ah, and it doesn't even have to be malicious. You know, I can give information out to a stranger trying to be helpful, and I've actually created the security breach. Or maybe I've accidentally deleted the file because I didn't know what it was. And it seemed to be new.
Maybe System's been compromised and me trying to help I go and start opening up files looking for what's going on, and I've
disrupted digital evidence, so it's not always malicious. So what we have to do is train our people what's appropriate, what's inappropriate. And also we need to hold our folks accountable to that.
The ultimate goal of knowledge transfer is to modify employee behavior.
Now you know, many people say it's to raise security awareness. Fine, but awareness is only good If it changes behavior right, you could be aware of all the traffic laws in the world. It doesn't mean you're not driving 95 miles an hour down the Highway 95. I want to change what people do, not just what they know.
So with our training, we have to keep in mind. People are not gonna follow the rules if they don't know them. And if they don't understand, and they have to be meaningful to people so many times that I ke department do this because I said to do this and we really have to help our users understand some of the threats that were out there again. So I think training a lot of times
can be more meaningful, too.
People if we can give them all why we do what we do.
be aware of the fact that employees will do what they want to do.
So if I put a security mechanism in place that prevents them from accessing a website,
if they want to go to that Web site, they'll look for another way around.
So we want to make sure again, we don't just block activities and locked doors. We help explain what we do and why.
Sometimes we can incorporate that into the structure of the organization staff meetings, Maybe. We acknowledge ah, folks that have good security departments that have good security part posture that paste past social engineering pen tests. This is part of due care.
If I care, I will train my people so we'll talk about due care. And due diligence is being really important in the workforce. Because if I don't show due diligence and do care and by the way, cheapie definitions of the two due diligence is research do care is action.
And again, don't take those back to law school with you. But those were some cheapie definitions. So if I do my research and then I follow up on that research with action, I've done the right thing. So training my people is action and its administrative control.
It's a win win situation. My employees are my best line of defense against Attackers. I trained them. I helped them understand the security vulnerabilities that are out there. And ideally, they know how to respond to these incidents as they arrive.
Watch the one size fits all training and a lot of companies are are guilty that everybody in the organization must be a C i S S P. No, probably not.
You know, there are a lot of letters, a lot of different shirts that are out there today. They're very much
they very much should be catered to the role within the organization. It makes more sense for technical training. Of course. Toe I t. People more generalized security training for your regular everyday users.
When, um, we've trained our people. We've really kind of completed. The process is associated with risk identification. We collect information on our assets. We've identified them, we evaluate our assets again, not an easy activity. And we create documents like risk registers, racy matrix.
Ah, some of the documents, uh, you know, we might
document key risk indicators there. Lots of things that were going to do. But we started the process. We can't stop here, right? Because all we have is a list of identified threats and vulnerabilities and a list of assets and what they're worth. So the next module, we're going to get into getting a value for the potential for loss,
and then that will in turn,
lead into our mitigation strategies. What do we do about these risks?