Strengthening the Human Firewall
By: Dane Boyd
How Security Awareness Training Can Help Protect Your Organization
Many high profile security breaches occur when hackers target an organization's weakest link: its people. Lack of basic information security awareness among employees has resulted in stolen organizational materials, intellectual property, and money.
Hackers don't need to attack your organization directly – they can reach it through partner organizations as well, because the weakness is the same: a lack of information security awareness among their employees. The impact on an organization's finances, reputation, and operations cannot be ignored. SecureWorks researchers and incident responders have observed targeting of the human element growing in popularity among hackers worldwide, from sophisticated state-sponsored groups to novices.
Your Cyber Security "Tools" Don't Always Work
Relying exclusively on technology will leave you exposed, especially when no single tool can stop phishing attacks 100 percent of the time. In fact, even the best anti-malware scanners only detect 45 percent of attacks.[i] The number of Internet users who faced phishing attacks in 2013 has grown from 19.9 million to 37.3 million, an increase of 87 percent.[ii] The sheer breadth and complexity of phishing may make it seem insurmountable.
We advocate a "defense-in-depth" strategy – and with the increase in phishing attacks, it is more important than ever to incorporate your employees in your organization's defense strategy. By arming your employees with a sound understanding of the problem and of how they can resist it, leaders effectively deputize their staff in this war against threat actors while strengthening the human firewall.
Benefits of Security Awareness Training
According to Trend Micro's research report, 91 percent of targeted attacks involve spear phishing emails, but with a well-prepared staff, these attacks are less likely to result in compromised data.[iii] A strong human firewall can be achieved through a well-organized and effective security awareness training (SAT) program. The purpose of implementing security awareness training in your organization should not be obtaining compliance; rather it should be changing user behavior to mitigate risk. When implemented properly, security awareness training inspires employee vigilance, effectively shrinking the attackable surface of your business.
Conceptually, you may agree, but the details are where many organizations or individual contributors struggle. Many agree on the "why" but disagree on the "how."
6 Security Awareness Training Tips
Make Training a Priority for the Whole Organization
Cyber security training must be available (and required) for everyone in the organization, not just for the IT department. Make sure that all employees at all levels are aware of and understand the phishing and social engineering threats that target their particular roles, even those in the C-Suite.
Maximize Impact by Minimizing the Duration
Attention spans are limited, so training content needs to be limited too. By creating several short training sessions, you can reinforce previously taught security principles while continuing to expand the users' knowledge. This mirrors the way we naturally learn.
Replicate Battlefield Conditions with Simulations
Classroom- and computer-based training can have limited impact when used on their own. Users get more value when they can put the principles into action. By creating blind simulations, where the recipients/participants are unaware that the scenario is a simulation, they have a chance to practice what has been taught. Phishing or social engineering simulations can act as an effective and impactful learning exercise.
Consequences Count Too!
Newton observed that "for every action, there is an equal and opposite reaction." A security awareness training program without its corresponding consequences will be ineffective. Don't be swayed by the word consequence – consequences are simply what follow another action and can be good or bad. Rewarding employees who participate and are vigilant is one way to encourage better behavior. Finding what works in your organization's culture is important.
Grow in Steps with Realistic Goals
A security awareness training program is as much a paradigm shift as it is a program. The goal should be to change the way employees see the online world which changes their behavior. This paradigm shift will not happen overnight. Set realistic goals regarding how you will expand or improve your awareness program. If you have computer-based training now, start incorporating in-person training or add an element of phishing or social engineering to provide practical experience.
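A phishing simulation only teaches something if its results are measured and compared from one round to the next, so here is a worked example of scoring a simulated campaign, serving both the "Replicate Battlefield Conditions with Simulations" tip and the "Grow in Steps with Realistic Goals" tip above. This is added example code, not SecureWorks tooling or anything from the original article. The event records, the user and department names, and the campaign labels "q1" and "q2" are all constructed to resemble what a simulation platform might export; the metric names and goal thresholds are assumptions for illustration. Beyond a raw click rate, it reports how quickly the first employee reported the message (what an incident responder would want to know), which departments need role-specific training, and which users clicked but then reported, the behaviour the "Consequences Count Too!" tip suggests rewarding.

```python
"""Score a simulated phishing exercise and track progress between rounds.

Added example; not code from the article or from SecureWorks. All data
below is constructed so the script runs offline.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export from a hypothetical simulation platform.
# Fields: campaign, user, department, event (sent/clicked/reported), timestamp.
EVENTS = [
    ("q1", "alice", "finance", "sent",     "2024-01-15T09:00:00"),
    ("q1", "bob",   "finance", "sent",     "2024-01-15T09:00:00"),
    ("q1", "carol", "eng",     "sent",     "2024-01-15T09:00:00"),
    ("q1", "dave",  "eng",     "sent",     "2024-01-15T09:00:00"),
    ("q1", "erin",  "hr",      "sent",     "2024-01-15T09:00:00"),
    ("q1", "frank", "hr",      "sent",     "2024-01-15T09:00:00"),
    ("q1", "carol", "eng",     "reported", "2024-01-15T09:03:00"),
    ("q1", "alice", "finance", "clicked",  "2024-01-15T09:05:00"),
    ("q1", "bob",   "finance", "clicked",  "2024-01-15T09:10:00"),
    ("q1", "bob",   "finance", "reported", "2024-01-15T09:12:00"),
    ("q1", "erin",  "hr",      "clicked",  "2024-01-15T09:20:00"),
    ("q2", "alice", "finance", "sent",     "2024-04-15T10:00:00"),
    ("q2", "bob",   "finance", "sent",     "2024-04-15T10:00:00"),
    ("q2", "carol", "eng",     "sent",     "2024-04-15T10:00:00"),
    ("q2", "dave",  "eng",     "sent",     "2024-04-15T10:00:00"),
    ("q2", "erin",  "hr",      "sent",     "2024-04-15T10:00:00"),
    ("q2", "frank", "hr",      "sent",     "2024-04-15T10:00:00"),
    ("q2", "carol", "eng",     "reported", "2024-04-15T10:02:00"),
    ("q2", "alice", "finance", "reported", "2024-04-15T10:04:00"),
    ("q2", "dave",  "eng",     "reported", "2024-04-15T10:09:00"),
    ("q2", "erin",  "hr",      "clicked",  "2024-04-15T10:15:00"),
    ("q2", "erin",  "hr",      "reported", "2024-04-15T10:16:00"),
]


def campaign_metrics(events):
    """Summarise each campaign: rates are per unique recipient, not per event."""
    by_campaign = defaultdict(list)
    for campaign, user, dept, event, ts in events:
        by_campaign[campaign].append((user, dept, event, datetime.fromisoformat(ts)))

    summary = {}
    for campaign, rows in by_campaign.items():
        sent = {u for u, _, e, _ in rows if e == "sent"}
        clicked = {u for u, _, e, _ in rows if e == "clicked"}
        reported = {u for u, _, e, _ in rows if e == "reported"}
        send_time = min(t for _, _, e, t in rows if e == "sent")
        report_times = [t for _, _, e, t in rows if e == "reported"]
        # Time until the first report is what decides how fast a real
        # campaign would reach the security team.
        first_report = (
            (min(report_times) - send_time).total_seconds() / 60 if report_times else None
        )
        dept_sent, dept_clicked = defaultdict(set), defaultdict(set)
        for u, d, e, _ in rows:
            if e == "sent":
                dept_sent[d].add(u)
            elif e == "clicked":
                dept_clicked[d].add(u)
        summary[campaign] = {
            "sent": len(sent),
            "click_rate": len(clicked) / len(sent),
            "report_rate": len(reported) / len(sent),
            # Users who clicked but still reported: the recovery behaviour
            # worth rewarding rather than punishing.
            "clicked_then_reported": sorted(clicked & reported),
            "minutes_to_first_report": first_report,
            "click_rate_by_department": {
                d: len(dept_clicked[d]) / len(dept_sent[d]) for d in sorted(dept_sent)
            },
        }
    return summary


def meets_goal(metrics, max_click_rate, min_report_rate):
    """A realistic per-round goal: clicks at or below a ceiling, reports at or above a floor."""
    return metrics["click_rate"] <= max_click_rate and metrics["report_rate"] >= min_report_rate


def trend(summary, metric):
    """Change in a metric between consecutive campaigns (campaign labels sort in order)."""
    names = sorted(summary)
    return {f"{a}->{b}": round(summary[b][metric] - summary[a][metric], 3)
            for a, b in zip(names, names[1:])}


if __name__ == "__main__":
    results = campaign_metrics(EVENTS)
    for name, m in results.items():
        print(name, m, "goal met:", meets_goal(m, 0.2, 0.5))
    print("click-rate trend:", trend(results, "click_rate"))
```

In the constructed data the second round shows the click rate falling and the report rate rising, which is the kind of step-by-step progress the "realistic goals" tip describes; the per-department breakdown is what tells you which roles need the next short, targeted session.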
Leverage Resources When Needed
Not many organizations have qualified staff with extra time and resources. Many organizations purchase training tools that never get used. Leverage outside experts to gain economies of scale and expertise to supplement your security awareness program.
Need Help Implementing a Security Awareness Training Program?
SecureWorks' Security Awareness Training Solutions provide the tools necessary for proper network and cyber security training for your employees. In case you missed it, check out our webcast, "What Your Employees Don't Know Can Hurt You," to learn more actionable recommendations your organization can implement to reduce its risk.
Whether you are in need of a platform to provide self-directed security awareness training; an in-depth analysis of how your employees are currently performing against phishing threats; or a customized program specific to your organization, we are here to help.
Contact an Information Security Consultant at SecureWorks to further discuss training your employees and protecting your organization.