Being aware that a real danger exists, and of the consequences it entails on several levels, is in itself a means of defending oneself from it, of protecting oneself.
The same holds in the field of computer security, where cyber security awareness, by making users aware of the types, methods and impacts of cyber attacks against computers, servers, networks, mobile devices and corporate data, aims to raise the level of security of the entire organization and, therefore, of its business. Let’s see how this is made possible.
What is cyber security awareness
Taken literally, the expression “cyber security awareness” refers to awareness of the characteristics, contents and critical points of IT security within corporate structures. This awareness must be acquired through timely and constant information and training intended for employees, who are considered central figures in translating the contents of corporate security policies into daily practice.
Unfortunately, through simple inattention, forgetfulness, incomplete understanding or even total ignorance of the security measures to be adopted, an employee may unintentionally enable illegal access to the company network simply by clicking on a link in a suspicious e-mail message, opening an attachment from an unknown sender, or downloading material deemed unsafe.
However, cyber security awareness does not only concern employees, but all personnel, including management and executives. To think otherwise reflects a limited vision of security, one that does not take into account all its dynamics and all its players. Those who hold high office and a high level of responsibility make extensive use of mobile devices containing a large amount of sensitive information about the company and its business; because they travel frequently, they often connect to the Internet through public wireless infrastructures whose level of protection they do not know, running the risk of external attacks aimed at data theft.
Therefore, everyone in the company must be able to become aware of the different types of threats to cyber security, of their impact on the company’s operations, on the continuity of the services provided, on the business and on privacy and data confidentiality, and of the protective measures to be adopted.
Depending on the type of company and its organizational peculiarities, information and training can follow different channels: classroom teaching by trainers from inside or outside the company; e-learning programs specifically developed on the basis of the staff’s general level of preparation and on gamification techniques; and ad hoc information material, distributed through newsletters or the company intranet, focused on precise topics defined periodically.
The contents must first of all start from the basics: which cyber attacks are most common, how to identify them, how the computers and mobile devices used in the company must be protected, and how one’s login credentials and personal information must be kept inviolable. Subsequently it will be possible to focus on more complex issues, such as concrete control and prevention solutions and effective response to attacks.
The main objective is to ensure that everyone in the company, regardless of individual roles and tasks, acquires the basic skills and methods of IT security, suitable for prevention and, when a critical situation arises, for defending oneself. But that is not all.
At a deeper level, the purpose of cyber security awareness is to bring a culture of cyber security into companies, making users more responsible on the issue and motivating them to adopt a more active attitude towards the threats to which they themselves, as part of the “company system”, are exposed.
Threats to defend against
Know the evil in order to defend yourself: this is the cardinal principle of cyber security awareness. Evil, in this case, means threats to IT security, among which, to mention just a few examples, the most common is malware, whose very name (a contraction of “malicious software”) states its goal.
In essence, it is software, in many cases circulated via email attachments or apparently innocuous downloads, aimed at putting the victim’s computer out of use. There are different types; two worth mentioning are viruses and trojans. The first is a program containing malicious code capable of infecting files within the system it manages to penetrate; the second is malicious software hidden inside a program of entirely harmless appearance.
Spyware is another dangerous type of malware, capable of recording the user’s actions without the user noticing and thereby getting hold of, for example, credit card data and other sensitive information. Ransomware is malware that prevents the victim from accessing their own files and data unless a ransom is paid to the criminal.
Another kind of attack, of which one must be fully aware in order to prevent and combat it, is phishing, in which the user receives an apparently innocuous email that in reality conceals the aim of extorting personal information, including banking credentials.
The Man in the Middle attack, which works by intercepting communications between two users, is also aimed at data theft, while the DoS (Denial of Service) attack, by overloading networks and servers, aims to make the information system unusable, preventing it from providing services and blocking the company from carrying out its activities.
Defensive measures against the threats just described include, within companies, protocols for encrypting email messages, files and confidential information, which protect data in transit and defend against potential theft attempts.
Real-time detection of malware and viruses that camouflage themselves by changing their code likewise relies on security protocols. Some programs also make it possible to isolate software deemed potentially harmful, in order to study it and understand how to intercept it more quickly and efficiently in the future.
The situation in Italy
Cyber attacks in Italy, with over 36 million events on over 6.5 million public IP addresses according to the latest Clusit report, decreased in 2020 compared to the previous year.
The Clusit 2021 Report on ICT security, in analyzing this data, places the emphasis on the pandemic emergency that marked 2020 and on the resulting work situation, i.e. on the adoption of smart working by the clear majority of Italian companies.
It was precisely this change, which required facilitating remote access to corporate networks, that led organizations to pay greater attention to the security of their systems, prompting them to adopt solutions such as firewalls and VPNs (Virtual Private Networks).
This attitude has contributed to reversing the scenario, making personal PCs (with as many as 85,000 attacks, practically double those recorded in 2019) and the internet (with a significant increase in DoS and DDoS attacks) the favourite targets of cybercriminals in 2020, with finance and insurance, government, service providers and media in the crosshairs.
As for the trend of the cyber security market in Italy, data from the Cybersecurity & Data Protection 2021 Observatory of the School of Management of the Milan Polytechnic show that the pandemic, while slowing the market’s growth, did not stop it: spending on security solutions in 2020 still grew by 4% compared to the previous year.
Of course, as mentioned, these were investments related to managing the health emergency, and they primarily went to solutions for protecting infrastructures from illicit access, protecting networks connected remotely to client devices, and managing remote working.
But beyond the (albeit slight) numerical growth of the market, another salient aspect of the Italian situation emerges from the Milan Polytechnic Observatory’s data, a qualitative one: the will shown by companies during the Covid pandemic to increase their employees’ sensitivity to IT security by investing precisely in cyber security awareness, or, as mentioned, in a culture of security.