Building security awareness: Q&A with Simeon Tassev
Though an organisation itself will bear the brunt of the consequences of a cyber attack, preventing such attacks should not be the responsibility of the organisation alone. Organisations should make sure that their employees are aware of the risks and how to prevent them, so education is key. Further, a marriage between user awareness and technology is needed for increased vigilance and improved cyber security. I spoke to Simeon Tassev, MD and QSA at Galix, about the importance of user awareness and education, addressing user behaviour, and the responsibility of both users and organisations in addressing cybercrime.
A lot of attention is given to security, the POPI Act and the responsibility of organisations to have effective security measures in place. Although everyone is aware that the human element is a weak link in the security chain, very little attention is given to educating users about IT security in comparison with other aspects of security. Why is that?
Simeon Tassev: The main reason is the clear responsibility for the security awareness training - is this an IT, IS or HR responsibility? Once the responsibility is defined, the proper security awareness programme needs to be implemented, and not just an exercise to "tick the box".
What can be done to address bad user behaviour and whose role/responsibility in the organisation should it be to address this issue?
Tassev: Clear security policies and procedures need to be defined by the CISO and enforced by the relevant department heads and HR. Bad user behaviour affecting the security of the organisation needs to be a serious offence with serious consequences including dismissal.
What is your opinion on who should take the heat in case of a breach facilitated by the actions of an employee?
Tassev: The employee needs to be accountable for his actions provided that the employer has the relevant policies and security controls in place.
What role will technology play in educating users and the continued practice of security by users?
Tassev: Technology should be an essential part of the security awareness programme, allowing for simulated security breaches and easy access to relevant documentation and training materials. Technology should also be used to prevent potential security risks due to human behaviour.
What would define a "good user" regarding security?
Tassev: A good user will try and understand the security policies in place and the potential impact of his actions.
Any tips for users on what to look out for to avoid becoming a victim of cybercrime?
Tassev: Think before you do (you didn't play the lotto, so you can't be winning). Question it if somebody asks you for personal information (why do they need it, are they supposed to have it?). Ensure that you have valid anti-virus software before connecting to the internet.