We all know, from experience or the Verizon DBIR, that stolen credentials are the most common attack vector. Users still present massive risk to our organizations, yet there's plenty of debate about the effectiveness of user training. Meanwhile, users are getting all the FUD of breaches in the news, and aren't yet armed to have constructive conversations about them.
Now, this is not to say there aren't awesome security teams running security training programs out there – there most definitely are. But no matter how well-crafted the message, one small, very busy security team pushing out security information or training to users gives only one point of contact. That's just not enough for anything – let alone something as complex as security – to stick. Thankfully the conversation is shifting from security being something for just the “technical folks” to worry about, to security as a shared responsibility in which everyone needs to – and can – be involved.
After all, security doesn't impact only the security team. Security isn't important only inside the workplace. Why should conversations about security awareness be?
For people to be truly aware, learn, and take responsibility, there must be conversation, overlap, and multiple points of contact. That's why, this October for National Cyber Security Awareness Month, Rapid7 has taken security awareness outside the office. We have placed ads on the MBTA in Boston – where Rapid7 has its headquarters and Cambridge office. Commuters can visit rapid7.com/aware to test their knowledge of some low-hanging fruit, get some quick tips, and educate themselves on why these things are important.
We've also put together three NCSAM email templates ready to share with your company, family, and friends to encourage them to engage and brush up on security pointers. Lastly, visitors to the interactive site are invited to refer a colleague to test their security chops – increasing touch-points with the content and starting conversations across organizations.
While Rapid7's focus is and always will be on innovative security software and services, it is important – especially during NCSAM – to look at the big-picture impact on our community, which includes non-security roles.
Let us know what you think! Do you want to see security awareness ads in your city? What other things should we, as an industry, do to get the general public's attention to help them think more about their own security practices?