Security Awareness Training – It’s Worth It!
By: Darin Barton CISSP, CISA
We tend to expect a little too much from our employees when it comes to understanding the risks associated with their IT and online habits. We tell them, “DON’T click on this” and “DON’T go to that” without really informing them why this is necessary. Over time they get desensitized to IT security and just expect the IT department to make it all right. More often than not there is an acute lack of understanding among employees of what their actions might do and how they can place an entire organization in jeopardy.
Without a doubt, users are the least secure aspect of an organization’s IT security strategy. While attempts can be made to secure the enterprise to the “nth” degree, a user can unwittingly circumvent that security by clicking on a destructive link or being tricked into sharing the wrong information.
There are many areas covered within a solid security awareness training program, but in my opinion, two stand out above the rest:
- Targeted Attacks
- Social Engineering
These two attack vectors are the most common and successful of all attacks because they often use employees’ desire to trust, and their naivety, against them. We all want to be nice and accommodating at work, and attackers have become highly skilled in using these human (I hate to say weaknesses) factors against us with a greater than 75% success rate.
While maintaining a tight perimeter security is very important, what you should be really concerned about is the attack email sent to the HR Manager regarding her University Alumni Dinner or the pretext phone call to the office administrator from “your new IT admin” requesting a password confirmation. Social Media has provided cyber criminals with a vast amount of personal information to select from when conducting targeted attacks, so reminding your staff that this could be used against them – and showing them real examples – is critical to their understanding of how to recognize a potential threat.
Don’t get me wrong, IT security always comes down to where the rubber meets the road. Regardless of how well trained your staff is you must have the proper security countermeasures in place to secure the enterprise. However, training your staff in security awareness is designed to lower your overall risk by removing or greatly reducing their role as a potential threat vector.
The good news is that security awareness training does work if it is maintained, user friendly and relevant to your staff. I recommend augmenting your training with awareness posters and daily reminders around the office work space or prior to accessing the Internet.
Security Awareness Training has been proven to:
- Reduce overall threats and risk to the enterprise
- Increase an employee’s benefit to an organization
- Encourage employee growth and self-esteem
- Increase company and employee morale
- Promote positive business and work ethics
- Improve networking and the sharing of ideas
- Provide a higher quality of education and learning
Darin Barton CISSP, CISA is a senior security professional in Toronto, Canada, with 20+ years’ experience in cybersecurity and investigations and is currently employed with Access 2 Networks Inc. (A2N).