Su equipo carece de conocimientos técnicos sobre seguridad. ¿Cómo hacerles entender su importancia?

Begin by elucidating the fundamental principles of the CIA triad: confidentiality, integrity, and availability. Confidentiality ensures that sensitive information is accessible solely by authorized individuals, safeguarding against unauthorized access and data breaches. Integrity guarantees the accuracy and trustworthiness of information, preventing unauthorized alterations and ensuring data reliability. Availability ensures that information and systems are accessible to authorized users whenever needed, supporting continuous business operations. By contextualizing these principles within everyday tasks and potential business impacts, you can enhance the tangibility and relevance of these critical security concepts for your team.

The best part about CIA is - by design - it can really be applied to any application, service or process. Really? Sit down with the team in question and figure out how CIA applies to what they are working on from a day to day. Give them concrete examples. If a web server goes down, they can't do their job. If values in a database are incorrectly changed, it'll affect the rest of the process down the stream. If someone sees that data, they can sell it to a competitor.

Highlight how security issues can affect the business, such as financial losses, reputation damage, and regulatory penalties. Use case studies or news articles about recent security incidents to show the tangible impact of security lapses. Discuss both the immediate and long-term effects of these incidents on businesses. Explain how security practices protect not just the company but also employees’ personal information and job security. Implement ongoing security awareness campaigns with newsletters, posters, and emails that highlight different aspects of security. Have senior management emphasize the importance of security in meetings and communications, demonstrating that it is a top priority.

•Contextual Examples: Use real-world examples of security breaches and their impacts on businesses to illustrate the importance of security measures. •Interactive Training: Offer engaging and interactive security awareness training sessions that explain basic concepts in non-technical terms. •Role-specific Relevance: Tailor discussions to show how security practices directly affect each team member's role and the organization as a whole. •Guest Speakers or Workshops: Invite security experts or conduct workshops focusing on practical aspects of cybersecurity relevant to your team's work. •Regular Updates: Provide regular updates on current threats, trends, and best practices through newsletters, emails, or briefings.

Na minha experiência, teve momentos em que explicar a importância da segurança da informação para uma equipe com pouca experiência técnica exigiu criatividade e um toque pessoal. Se fosse eu, usaria exemplos reais e fáceis de entender, como roubos de identidade e vazamentos de dados, para mostrar os impactos negativos da falta de segurança. Também tentaria envolvê-los na implementação de medidas simples, como senhas fortes e o uso de autenticação de dois fatores, para que percebessem a diferença que podem fazer.

One thing I've found helpful is describing phishing using everyday scenarios. At one company, I explained it as someone pretending to be your bank in an email asking for your password—this analogy made it clear how phishing works and why it's important not to share sensitive information without verification.

Providing real-time examples of potential threats to the company and its employees can help them understand the risks involved. Phishing attacks, in particular, are widely recognized, yet many employees do not grasp the consequences of losing personal or company data due to such attacks. Regular security awareness meetings, led by an InfoSec Specialist, can keep everyone informed about current security trends and best practices for staying safe.

To make these threats relatable, use analogies. For example, compare a computer virus to a human virus that spreads from one person to another, causing widespread illness. This illustrates how a single infected device can compromise an entire network, resulting in substantial disruptions and data loss. By framing these threats in familiar terms, you can effectively communicate their severity and the critical need for vigilant security practices.

This is where people tend to put the cart before the horse, you need to first understand what the critical business processes and assets are before you can understand the risk. Even if phishing and ransomware are most often the highest threat. If the business critical server isn't even on an internet conneciton - thos threat will not carry the most risk.

Even if the "how" and "why" is well explained, you need to understand the security protocols and controls will always be seen as nuisance by non-security teams. As a cybersecurity professional, you must understand the best way to encourage adoption without impeding the workflow of the team impacted. Until, of course, they get popped and finally understand :)

Many, many times, after your explanation of how they work, at least in my experience, that makes them much less esoteric to the non-technical staff. For example, I've described to people that, in a way, firewalls are filters in that, yes, they let safe data through, but they block out harmful content. This simple explanation helped our team appreciate their role in defending our network.

Highlight the importance of strong passwords, which provide a crucial line of defense against unauthorized access. Encourage the use of complex passwords and regular updates to mitigate the risk of breaches. Regular software updates are equally vital, as they address vulnerabilities and enhance security features. By keeping systems up to date, your organization can stay ahead of potential threats. By simplifying these concepts, you empower your team to understand the 'how' and 'why' behind these protocols, fostering a proactive approach to maintaining robust security.

The first time a department or a team runs through the incident response procedure should NOT be the first time they get popped. Ensure that there are adequate table tops and simulations ran so that every team is prepared when a true positive hits and incident response must be engaged.

In my experience, explaining how swift responses minimize damage helps everyone understand their role better. For instance, we discussed how early detection of malware could prevent it from spreading across the network—this showed why prompt action was crucial.

The simplest thing here is rewarding people that use the phish button. This self-reported phish feature should be on in your email solution (KnowBe4 had it for free). This is a big help when it comes to understanding what you're doing for the security team and preventing email campaigns from affecting the whole organization. It is also continous learning to recognizing malicious emails.