Welcome to the Importance of Security Module. On behalf of the entire (ISC)² family, welcome to the end user security awareness training. Security awareness is the knowledge, skills, and culture an organization possesses regarding the protection of both the physical and digital assets of an organization. (ISC)²'s vision is to inspire a safe and secure cyber world, and that starts with you, the end user. Just look at the word security: you are right in the middle. Each member of an organization has a responsibility to protect his or her customers' data, regardless of position or title. It is important for any staff member to be equally invested in the organization's security. Everyone must act consistently with organizational security policies and work to develop their skills and understanding.

Nearly every day on the news, you will not fail to hear about the latest attack or breach. In order for any of this to change, staff needs to be trained and confident in their role in cybersecurity. The first line of defense in protecting this from happening in your organization starts right with you. Each person in the organization from the newest employee to the company CEO has the responsibility to protect the customers' data.

Losing customer data to hackers can be expensive and impact trust, but losing intellectual property to a cyberattack could devastate a business. You may work for a large corporation, a small nonprofit, a local retailer, or a family-owned business. Imagine the desperate feeling to wake up to the realization of valuable secrets in the hands of a nameless hacker. This could be an architect's latest blueprint, a scientist's latest pharmaceutical research, or release of a film well in advance of its premiere. Due to all this data being in a digital format, a breach could go unnoticed for months. And trying to get attribution could be all but impossible.

Your organization may fall under certain types of regulation.
This could be healthcare, payment card, privacy or federal regulations. Simple mistakes not following policy or not practicing proper security etiquette could result in an organization being found non-compliant. Depending on the regulation, this could result in legal action, penalties or fines.

Nearly every organization depends on their reputation to gain the customers' trust, and maintain that reputation to keep them. An impact to reputation could result in financial losses, dissatisfied customers, and mistrust of your organization. Generally, the brand of an organization is its most valuable asset. It is behind organization growth and revenue. When brand reputation is damaged, it is one of the most difficult to recover.

There are several components of security. People, not technology or processes, are the first and last line of defense from attackers. Without investments in people, great technology or well-written processes don't matter. The better trained and more aware staff become, the better they help protect against these attacks.

Following policy, procedures, and having repeatable processes is essential to good security etiquette. Understanding and having knowledge of the organization’s policy and processes could likely prevent you from accidentally exposing data or introducing malicious software into the organization.

Your organization likely invests heavily in technology to support the business, and protect its data, systems, networks, and customers from malicious actors. Although technology investments can go a long way in protecting an organization from hackers, it is only part of the equation. Technology only works if configured properly and regularly maintained.

The biggest challenge organizations face is adequately training staff on the new techniques and methods hackers use to exploit people and technology. If people are not aware of a situation or scenario, it's impossible to defend against it.
It is important to build a foundation of awareness, but also to acknowledge that training is more than just once a year. Learning best practices and good cybersecurity etiquette is very important, but it must be continuous to identify new types of techniques, attacks, and social engineering attempts. The entire organization must move together in deliberate step to improve their security posture.

There is a common misconception about hackers. They are often thought of as shadowed figures in hoodies working away in a basement or industrial building. They are thought to be hunched over their computers furiously typing away at their keyboard, hacking into systems until the aha moment, and they are in within seconds due to their unrivaled computer knowledge. Generally speaking, many identify as hackers of some type. However, hackers can be young, old, white collar, part of a group, government, or lone wolf. Hackers each have their own individual motivation. However, those with malicious intentions prefer to take the path of least resistance. Why spend long hours attempting to break into networks or systems when it's much easier to socially engineer its people?

The color of the hat has everything to do with consent and intent. The use of hat in this context comes from old Western movies where the good guy is wearing a white cowboy hat and the bad guy is wearing a black cowboy hat. In the world of security, there is a black hat, grey hat, and white hat. Black hats are hackers with a malicious motivation, either maliciousness or personal gain. Grey hats are hackers who may violate laws or ethical standards but do not have a malicious intent. White hats are hackers who test security for non-malicious reasons and have consent to perform hacking.

There are many motivations for black hat hackers. The primary motivation of a malicious hacker is financial gain.
They achieve this either directly through hacking financial systems or indirectly through ransoms by holding an individual's or organization's data hostage. Over recent years, there has been an increase in espionage either by corporations or by government entities. They use hacking techniques to exploit critical systems, social networks, and the spread of misinformation. When individuals hack for notoriety, disagreements over politics or values, or revenge, they are motivated by fun, ideology, or resentment. They promote a political agenda to bring about social change. A malicious insider is motivated by personal gain or revenge. An example is a current employee who seeks to expose sensitive data, exploit vulnerabilities or steal intellectual property.

One of the primary reasons Security Awareness Training is so important is that hackers attack the tools we use most throughout the day. Humans are the first and last defense in all the ways in which hackers try to infiltrate an organization. Let's look at some of the tools hackers attack.

Hackers pay to display malicious ads, buy websites in the hope that someone will type a web address incorrectly, create websites that clone our favorite sites in order to steal our username and password, and solicit users to download software under false promises. Once an attacker gets a foothold in this way, they will use it to springboard into the rest of the organization.

Instant messaging clients and collaboration tools such as Slack, Skype, JIRA, Hangouts, and Trello all present another avenue by which hackers will attempt to socially engineer you. They can do this through impersonation of someone you may know or creating a sense of urgency around you needing to provide them with information or to open some file.

Email is by far the largest target for hackers to attempt to infiltrate an organization. Many of the emails can be easily spotted as scams or social engineering attempts.
Although some may be easy to detect, others can be very convincing or creative in tricking users to download a file, click a link, open a file, or install software.

Each individual in the organization has access to certain data or has been given elevated permissions on a system, such as the ability to install software or modify system files. Hackers will take advantage of different people's access and system permissions.

In this module, we discussed the fundamentals and importance of security. It's important to ensure you stay up to date on security-related events and partake in your organization's security awareness training. The training serves as a refresher and informs you about new ways to protect yourself and your organization. You have concluded this module.