Top tips for better security awareness on the job from Detectify Security Champions

Security is not compliance. This is something that the security champions at Detectify can agree on and each employee practices security everyday to help keep our customers and business secure.

You’ve probably never met a more engaged group about security training than us at Detectify! We are passionate about our industry and maybe even gain a few new security nerds every few months as we go. 

To achieve ISO 27001 certification, the team at Detectify decided to create a group of Security Champions with members from every department to help spread security awareness across the organization. We asked some security champs to share their best practices for raising security awareness and culture.

Pro tips from Ania – Support Specialist:

As a Security Champion, how do you keep your teammates updated about security updates and training?

Hmm … I would probably say “there’s a slack channel for that!” Jokes aside, as part of the Support team, I get to see a lot of common and sometimes even creative attempts at trying to phish us. My best practice is to take screenshots when I see more sophisticated attempts and share examples within my team and company to drive awareness for the different attempts. We then discuss best practices, new processes and guidelines in the Support team and also Security Champions committee to keep things relevant.

Of course, it’s important to keep the basics in mind and give reminders to the team. Sometimes it only takes a 5 minute update in a week team meeting. It could be as  simple as a post that explains:

• If you’re unsure or the phishy sender is persistent, first breathe and then consult with a colleague
• Report very suspicious things using the Incident Report form
• If the link looks weird, you probably shouldn’t click it. 
• Verify the authority of accounts according to our internal security principles.

Pro tips from Linus – Product Manager for Detectify Crowdsource:

Have you noticed any impact on your team’s information security practices or awareness since becoming a Security Champion?

Working in an already quite security savvy team we have a lot of awareness already, but I do my best to be clear about the purpose of why something needs to be done. I combine this together with gamification through quizzes and contests with small prizes. These are definitely more efficient than a simple Slack reminder. The only trick is figuring out what motivates your team members.

Since starting the ISO project and the security champions committee, I have definitely seen a change of mindset. My team members are more involved and we are all more quick to notice security risks like accidental screen shares rather than window shares here and there – it’s really cool to see! Even a thing such as labelling documentation with the right information classification label has been a very smooth process for people to adopt, which is awesome.

Pro tip from Kostas – Software Engineer:

How do you keep yourself updated with security news?

Working in a security company I remain aware of news and need-to-know without too much effort. I have colleagues that are some of the greatest minds in security, so I get a lot for free. 

The right resources may differentiate a bit depending on your expertise and enthusiasm for security. Twitter and Reddit will break the news first to you on any occasion – same with Internet security! Participating in hashtags/subreddits can prove a good source of information too, as people post updates, service releases and anything in between. Also, starting the day with industry news is always a good idea. I would recommend DZone or The Next Web. I try to take in information from a variety of sources to get a nuanced view.

Pro tips from Vendela – Product Owner:

Since working at Detectify, have you picked up any pro tips for increasing security awareness and positive security culture in the day-to-day? 

• Passwords! Such a pain. And how many of us write them down on post-its, honestly? How DO you make them safe, anyway? I’d recommend always using unique passwords which you can generate and store with a password manager. On top of that, turn on 2FA!

• See something, act upon it! People cannot act on things if they are not aware of them. So if you see your friend, colleague or someone else in your surrounding do something that you wouldn’t, let them know. From what I’ve found most people take it pretty good. After all, information security is something new to a lot of people.
• Find a way to share your information without blaming or scaring people. We have a pretty strong Fika culture at Detectify. In Detectify terms, this means that if you forget to lock your computer or if you leave it unguarded for a short while, people will without a doubt pounce and slack hack you by announcing that “you” are going to treat the company to a round of Fika. This is of course quite a comedic incidence when it occurs, but it reminds people to be careful without having a wall of shame. I think those sort of things have a positive effect on people.

How can Detectify help?

Let Detectify scan your web applications for the latest vulnerabilities, while you build the next big thing. Our passionate security defenders bring vulnerability research from hacker-to-scanner in as fast as 25-minutes.

Stay on top of threats and continue building safer web apps with Detectify. Discover how our security champions can bring clarity and scale to your application security with a free 2-week trial today.

Jocelyn Chan is the Content Manager at Detectify. She is a self-proclaimed hype-girl for automated web security powered by white hat hackers and believes that the future is in the crowd. She also would like to connect more women in tech and security together which is why she is co-leading the Women in Security – Stockholm Chapter. And yes she has seen Hackers, and believes that it's so good because it's so bad.