Achieving Security Awareness Across an Organization

There's a reason digital security and privacy concerns are more prevalent in the minds of end users than they've ever been. When your entire life is stored on a pocket-sized device designed to access other devices and networks, the thought of a stranger gaining access is horrifying. Personal photographs, bank accounts, private correspondence with friends and family: all it takes is one person with the wrong intentions to take that information and do serious damage with it.

In this world of third-party apps and extended permissions, the problem is that no one company providing apps or services within an ecosystem is responsible for end-user security — everyone is. And when everyone is responsible for, well, everything, the high-level solution comes down to a word many of us love to hate: awareness.

Before you roll your eyes, let me explain. Recognition and awareness are not the same thing. We all recognize that security is massively important in the digital era; knowing that and knowing how to act on it are two very different things.

Take a look at Heartbleed. This vulnerability, which gained worldwide attention because it was trivial to exploit and affected so many high-profile websites and apps, came from a flaw in the hugely popular OpenSSL library: a missing bounds check in its implementation of the TLS heartbeat extension (CVE-2014-0160) let an unauthenticated remote client read up to 64 KB of a server's memory per request, typically without leaving a trace in the server's logs. Any site or service built on an affected OpenSSL version was exposed. A patch (OpenSSL 1.0.1g) has been available since the disclosure, but patching is only the first step: operators also had to reissue their certificates and revoke the old ones, because private keys could have been read out of memory, and then ask users to change passwords, because session cookies and credentials could have leaked too. End users themselves are largely powerless until the operators of the services they rely on become aware of the problem and work through those steps.
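To make concrete what "a flaw in OpenSSL" means here, the following is an added example, not code from the original article or from OpenSSL itself: a simplified model of a TLS heartbeat handler with the Heartbleed defect beside its fix. The message layout follows RFC 6520 (type, two-byte big-endian payload length, payload, at least 16 bytes of padding); the handler names, the 128-byte arena and the embedded "session=DEADBEEF" string are constructed for the demo so that the vulnerable handler's over-read stays inside allocated memory and is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat body (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define ARENA_SIZE     128

/* Vulnerable handler: echoes payload_length bytes, trusting the peer's declared
 * length and never comparing it with record_len, the bytes actually received.
 * A model of the defect fixed in OpenSSL 1.0.1g, not OpenSSL's own code. */
size_t hb_reply_vulnerable(const unsigned char *record, size_t record_len,
                           unsigned char *out, size_t out_cap)
{
    (void)record_len;                         /* the bug: never consulted */
    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);
    if ((size_t)3 + payload_len > out_cap)    /* guards only the output side */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, payload_len); /* reads past the real payload */
    return (size_t)3 + payload_len;
}

/* Fixed handler: the declared length, plus the mandatory padding, must fit in
 * the bytes that actually arrived; otherwise the request is silently dropped. */
size_t hb_reply_fixed(const unsigned char *record, size_t record_len,
                      unsigned char *out, size_t out_cap)
{
    if (record_len < 3 || record[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);
    if ((size_t)3 + payload_len + HB_MIN_PADDING > record_len)
        return 0;                             /* declared length exceeds what was received */
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, payload_len);
    return (size_t)3 + payload_len;
}

/* Constructed memory layout: a 21-byte request that declares a 64-byte payload
 * but carries 2 bytes, followed in the same buffer by unrelated data standing in
 * for whatever happened to sit next to it on the heap. */
static const char SECRET[] = "session=DEADBEEF";

static size_t build_arena(unsigned char *arena)
{
    size_t n = 0;
    memset(arena, 0, ARENA_SIZE);
    arena[n++] = HB_REQUEST;
    arena[n++] = 0x00;                        /* payload_length = 0x0040 = 64 ... */
    arena[n++] = 0x40;
    arena[n++] = 'h';                         /* ... but only "hi" is sent */
    arena[n++] = 'i';
    memset(arena + n, 0xAA, HB_MIN_PADDING);
    n += HB_MIN_PADDING;
    memcpy(arena + n, SECRET, sizeof SECRET); /* adjacent memory, never part of the record */
    return n;                                 /* bytes actually received: 21 */
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0) return 1;
    return 0;
}

/* Runs one handler over the arena with the given low byte of payload_length;
 * returns the reply length and, through *leaked, whether the secret came back. */
static size_t probe(int use_fixed, unsigned char declared_lo, int *leaked)
{
    unsigned char arena[ARENA_SIZE], reply[ARENA_SIZE];
    size_t record_len = build_arena(arena);
    arena[2] = declared_lo;
    size_t n = use_fixed ? hb_reply_fixed(arena, record_len, reply, sizeof reply)
                         : hb_reply_vulnerable(arena, record_len, reply, sizeof reply);
    *leaked = contains(reply, n, SECRET);
    return n;
}

int vulnerable_leaks_secret(void)  { int l; return probe(0, 0x40, &l) == 67 && l; }
int fixed_rejects_oversized(void)  { int l; return probe(1, 0x40, &l) == 0 && !l; }
int fixed_answers_wellformed(void) { int l; return probe(1, 0x02, &l) == 5 && !l; }

int main(void)
{
    printf("vulnerable handler leaks adjacent secret:  %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects malformed request:   %s\n", fixed_rejects_oversized() ? "yes" : "no");
    printf("fixed handler answers well-formed request: %s\n", fixed_answers_wellformed() ? "yes" : "no");
    return 0;
}
```

The whole defect is one missing comparison between a length the peer chose and the number of bytes the peer actually sent; the echoed reply then carries whatever sat next to the record in memory, which on a real server could be keys, cookies or other users' requests. The fixed handler drops the malformed request rather than answering it, which is also what the OpenSSL patch does.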

Everyone's Job

Bugs the size and scope of Heartbleed are rare. Still, if your product is the one affected, that rarity doesn't matter, and neither does who is ultimately responsible for the underlying flaw. While end users are more aware of the intricacies of software development than ever, even the quickest fix and most sincere apology won't stop many of them from switching to competing products.

Seemingly harmless programs can require deep access into a system and, potentially, a user's personal information. That access can let others do things the device's makers never intended, and that's where problems often begin. The key is for executives and managers to give everyone in the organization the tools they need to avoid such oversights, especially when the job is to keep hundreds of applications (or more) per year secure.

To truly get a handle on issues that could have a very negative impact on users' lives (and thus the health of the developer's business), both organization- and individual-level awareness are necessary. As we've said before, software development is a balancing act: too much focus in one area can cause serious deficiencies in another. That same thought applies to security.

Two Vital Elements: Education and Expertise

Reacting to issues as they arrive is no longer enough, assuming it ever was. On the contrary, it's crucial for an organization to anticipate and avoid problems before anyone, attacker or defender, finds them.

Bringing in an expert on a case-by-case basis may fix individual problems, but that's like fixing the symptoms instead of treating the disease — whenever new issues arise, the company's in the same boat as before.

In our minds, the twofold solution to these concerns is awareness, achieved through:

  • Early, Frequent Education: An organization is nothing more than a group of people. Bringing all those people up to date on the latest information and training makes sure the organization as a whole is covered before, during, and after an incident.
  • Expert Help: You can't fix problems or incorrect practices you don't know exist. Once teams are aware of the issues, bring in experts, not to analyze individual bugs, but to enact long-term, organization-wide changes. It will be worthwhile, too, to consider a scalable, cloud-based security solution that makes it easier for a small internal team of security professionals to support developers across many teams.

To put this all another way, awareness isn't just a buzzword to be blown off, especially in the context of security. Use these tips to stay on top of your game, because the alternative is far from appealing.

Photo Source: Flickr

About Evan Wade

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, give him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.
