The role of awareness and training in Information Security in the organization

November 27, 2020

* Mileny Ferreira

The technological evolution of the media has brought several changes to society in recent decades.

With these changes, business models have also been transformed and expanded: many organizations have had to identify new strategies and new ways of planning and, as a consequence, acquire tools to optimize and maximize their productivity.

As a result of these digital transformations, the exposure of these organizations has been growing. At present, intrusions through simple attacks, and through more sophisticated ones, are occurring at an increasing rate.

The user: the weakest link in the chain

Scams based on social engineering techniques are widely applied by cybercriminals to manipulate users and gain access to information.

Corporations forget that system users are one of the most significant threats to Information Security. Today a great deal is invested in external resources such as infrastructure, firewalls, IDS and other protective measures, while the internal environment, for example awareness and training for employees, ends up being ignored.

When employees begin to realize the value and importance of the information they work with, together with the mechanisms the organization offers, and understand that a lack of attention or a lack of data protection in their actions can generate losses or damage for the company, they become more careful and develop a more detailed view of what they do.

How to minimize the impact of attacks on companies

It is essential to recognize that a lack of cybersecurity is much more than a technological complication; it must be seen as a risk to the business.

We live in the age of digital transformation, and changing the way we think about investing in cybersecurity has become essential. The size of the company is not the criterion: whether small or large, it needs to establish a plan that invests in and guarantees the security of its assets and information, trains people to perform their activities in accordance with the pillars of security, and sets clear objectives in its internal policy.

This topic is still little discussed in many organizations, but it is considered one of the best practices in Information Security Management, since it aims to make users develop their own awareness and know how to proceed when they recognize an attack, whether personal or corporate.

We know that raising awareness and training people does not give organizations total immunity, because people are not error-proof, but it is a way to reduce the organization's exposure.

How to create awareness focused on Information Security?

Before starting an awareness campaign, it is important that an Information Security Policy is developed. This policy (PSI, in the Portuguese acronym) is what guides the organization with regard to information security. Training and campaigns must always reinforce and emphasize the internal rules and procedures set out in the policy.

However, creating the Information Security Policy alone is not enough to ensure the company's security.

The organization needs to be very clear about the level of awareness that already exists in the company, so that it does not create something too simple or too complex and implement actions that are not appropriate. Be precise about where the weaknesses are, and study what the organization's mistakes and doubts are.

In this process, it is worthwhile to partner with other departments of the organization, such as Human Resources, Compliance and Internal Communication, which can support execution and contribute complementary ideas.

Ideally, awareness should be part of employees' daily routine so that it is internalized rather than becoming a one-off training. Professionals tend to forget what they have learned and to fall for new threats that may be unprecedented until then; for this reason it is so important that training takes place at a regular frequency and always addresses different topics.

An efficient program must be frequent, and an important point is to create a functional channel through which the organization can report security incidents.

Remember

The likelihood that a corporation with a good awareness campaign in place will suffer penalties and sanctions is much lower.

When security is not invested in, the negative result can extend to damage to credibility, which can affect even partners committed to the business, the destruction of the company's image in the market and even the loss of customers.

* Mileny Ferreira is GRC and Information Security Consultant at [SAFEWAY]


SAFEWAY is an Information Security company, recognized by its customers for offering high added-value solutions through Information Security projects that fully meet the needs of the business. In these years of experience, we have accumulated, with great pride, several successful projects that have earned us credibility and prominence with our clients, which are largely among the 100 largest companies in Brazil. Today, through more than 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology, process and people solutions.