What should be included in a cyber awareness program?
NIST provides an outline of what its framework recommends a cyber awareness program should cover. A program needs to cater to the individual’s role and be appropriate for the tasks that they undertake.
Important elements to include are:
Why is it needful to undertake a cyber security awareness program?
When we start with the end in mind it is a more powerful experience. The activities that we need to perform and the knowledge we are to acquire make sense in the greater scope of our lives. This understanding of why is a basic human need, and without an answer any attempt at change or knowledge acquisition (especially one initiated from outside) is fruitless.
Who does a person go to or who do they contact when they have a cyber security issue?
Knowing who is responsible for what in an organisation is vital in performing work activities. There are very few jobs where someone works completely alone. There is always interaction with those you work with, up, down and sideways. Not knowing who to contact when communication is needed frustrates the work effort. Making sure that someone is assigned the cyber security responsibility and that this is communicated is important.
What does legitimate and authorised use of the systems look like?
Rules are there because someone did something that was unanticipated and that they should not have been doing. It may be obvious, but making it clear what is expected right from the start allows the system to be used for the purpose it was created and in the way it was created. If no guidelines are given it is almost 100% certain that someone will unintentionally wander into areas that are undesirable.
How does someone protect the system?
Knowing how to use the system correctly does not mean that the system will be protected. Cyber attacks manipulate the system so that an unsuspecting person may not know that a trap is in place. The nature of proactive cyber security is to know what actions will protect the system. These actions will be the small ways in which the system is used. By small means, large effects are made.
Who should be notified if/when a cyber incident happens?
Unfortunately, it is not a matter of if but when a cyber attack happens, so everyone needs to know what to do. The effects of a cyber attack can be minimised when an intrusion is detected early. When the general staff are properly prepared and are cyber security conscious, an attack's devastation can be reduced by letting the people who have the capacity to isolate the malware know.