Assuming the data security learning curve of your average employee is lower because a majority of today’s workforce is made up of digital natives isn’t farfetched. Unfortunately, that’s not the case.
Human error is still to blame for a majority of security events, as cyber crooks continue to launch social engineering campaigns to compromise businesses.
At the end of the day, employees make mistakes; from clicking on malicious email attachments from strangers to leaving their laptops in a taxi cab. As businesses evolve through the various stages of digital transformation, attackers always have the opportunity to maximize their efforts through costly blunders.
The security organization’s answer to combat this tired problem comes in the form of security awareness programs. Although there’s been a long debate in the community hinting at the ineffectiveness of this approach, there’s no denying that it can only help. Naysayers believe that resources are going to waste with such programs, but the proof is in the pudding.
Studies indicate that running continuous training programs reduces phishing proneness, which ultimately serves as a positive impact on organizational cyber risk. Simply put, creating a security awareness program is affective and recommended, but there are areas you should focus on to ensure you get the most bang for your buck.
Although digital natives place far too much trust in their devices, they aren’t oblivious to the risks associated with online activity. You may ask yourself, “If that’s the case, then why are so many mistakes still being made in the workplace that lead to breaches?” That’s a matter of effort, not knowledge, says Charles Hamilton, principal consultant at Trustwave.
“Each employee can make a difference on their own by modifying their browsing habits,” says Hamilton. “A work computer should be used for work, not to access questionable sites and watch videos on Facebook. We’re always just one click away from allowing an attacker to gain access to our system.”
To reach this ideal state of user awareness, there are three primary areas highlighted below that Hamilton advises security professionals to focus on to get the most bang for their buck out of their security awareness programs.
Ask any employee if they’re familiar with the organization’s security policies, and you’ll likely get either an eye roll or a blank stare with a nod. Nine times out of 10, the answer is “no.” Corporate policies are intended to protect employees and the business, but the truth is they’re perceived as censorship by employees. It’s important to educate staff members properly on these policies in a way that provides insight on why they’re in place, Hamilton says.
“Similar to how we learn other things in life, if you get creative and make this exercise fun, it will stick with the employee,” Hamilton says. “If something’s entertaining, you tend to pay more attention, and you’ll certainly be more inclined to do it.”
While it’s important to be creative and shy away from mind-numbingly boring passages featured in emails blasted out to employees, there’s a level of comprehensiveness your training should embody. The truth is, a majority of security awareness training only features cursory material. Take phishing exercises, for example. Rather than training employees not to click on suspicious links (which is important), take things one step further by teaching them to identify a phishing pattern. Hamilton suggests using a three-strike approach to score suspicious behavior in this example:
Strike 1: A random email hits the employees inbox asking them to perform administrative tasks on a website they’ve never visited (or heard of) before.
Strike 2: The third-party website asks for their credentials instead of using the SSO authentication the company typically requests.
Strike 3: The website then offers to download its “secure” client instead of using the web portal.
This approach would allow employees to rate the email and take action according to the number of strikes it receives, Hamilton says. In this case, even if the email address appears to be legitimate, the employee can still successfully identify the phishing attack using the scoring approach.
Many employees are already aware of phishing threats, but are they familiar with other attack tactics? The truth is they’re likely not. While many security awareness programs tend to focus their exercises on simulated phishing attacks, threat actors can also take advantage of their clumsy social networking, weak passwords, disabled security controls, or lack of remote security.
This doesn’t mean that the security organization needs to create a “cyber threat awareness” dashboard for employees to understand the cyber risk profile of the business, but security awareness training programs should be versatile, Hamilton suggests.
“It’s not about getting too specific with the tactics being used by attackers, but employees need to be aware of what’s out there from an attack standpoint and the vectors associated with them.”
But, security teams won’t be able to share this valuable information with employees if they don’t access it themselves.
“Having threat intelligence, EDR, anti-virus, IDS/IPS is all part of an ecosystem that will help you identify threats, but if you have that information you need to leverage the data,” says Hamilton.
Access the data, analyze the information, and understand what meaningful attack and threat vector knowledge you can instill in your employees.
The modern-day employee’s online behavior is driven by instant gratification. This causes a significant hurdle when the same routine makes its way into the business’s network. By focusing on the areas outlined above in your security awareness training, you’ll be one step closer to reducing cyber risk in the company.
Providing comprehensive training in an entertaining format that covers the threat vectors within your business will make a big difference in your battle against digital adversaries. A mix of good monitoring, adequate threat detection, and user awareness is a recipe for success in today’s cyber threat climate.
Find out how Trustwave can help your organization by empowering employees to practice secure computing and training developers to build resilient code.
Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.