Training

Changing employee behaviours

by Mark Rowe

People: are they your company’s biggest asset or its greatest liability? asks Javvad Malik, Security Advocate at the IT security and threat intelligence product company AlienVault.

If you work in security, you’d be forgiven for putting employees in the second category. The huge rise in phishing emails and other social engineering attacks is testament to the fact that, at some point, humans inevitably make mistakes. But does that make employees a lost cause that need not be invested in, or front line soldiers who need to be equipped with training and the latest tools for defense? User behavior and user awareness are frequently cited as concerns by security and technology leaders in the enterprise, but there is a lack of consensus about the role that user behavior plays in the cyber security battle. So how is it best approached?

Awareness or training?

Firstly, it is important to differentiate between user security awareness and user security training. Security training is designed to equip users with basic skills to respond to potential security threats. It can be thought of in terms of first aid training: first-aid practitioners are by no means qualified doctors, but they do possess some basic life-saving skills. User awareness training refers to a more generic and widely applicable programme that can apply to all employees in an enterprise. It does not necessarily equip users with the skills to respond, but it can help users identify where potential threats exist. It can be thought of as being similar to the ‘if you see something, say something’ campaigns that are prevalent in many big cities around the world, where the general public are asked to report any person or object that appears suspicious. User awareness training helps employees recognise when something is not right.

Approaches

At the most basic level, security responsibilities and expectations are often laid out to employees during their company inductions, with annual refreshers provided to make sure the lessons have not been forgotten. The material presented is typically developed internally and is specific to a particular company. Organisations that have to provide some form of user awareness or training because of a regulatory or compliance framework tend to adopt a structured platform where educational modules can be tailored to the specific needs of the employees, and which feature a multiple choice quiz at the end of each module so that results can be ascertained and recorded. Enterprises looking for more proactive learning strategies can use specially designed social engineering and phishing campaigns to test and train their employees. Such campaigns will typically send a simulated phishing email and, if a user clicks on the link it contains, present them with educational information about the dangers of clicking suspicious links or opening attachments from untrusted sources.

To be successful, programmes need to engage users. CISOs who have rolled out effective awareness campaigns tend not to inflict a yearly ‘death by PowerPoint’ on their staff, and instead focus on developing interactive materials that hold the attention of employees. It’s also important to have clear goals that are in line with your company’s culture, and to decide on these before rolling out a programme. Finally, content is important, but you must also consider how the material is presented. Successful education programmes often use content created primarily by marketing, design and communications experts, who can ensure that it is presented in a clear, engaging and memorable way, while subject matter experts vet the content to ensure accuracy.

Building Rome

Teaching users to consistently not click on suspicious links, or open malware-laden attachments, isn’t going to happen overnight. Changing behaviours and replacing bad security habits with good ones takes a long time and requires sustained effort. Environmentalists spent many years educating the public on the dangers of pollution and the need for recycling; now we’ve finally reached the point where most office buildings have a line of different waste bins to maximise recycling. One challenge that is unique to security education is that bad actors are constantly adapting their strategies to take advantage of human weaknesses, so the goalposts are constantly moving. However, if we strive to make our user training programmes engaging and interactive, then we can significantly increase the chances of changing behaviour and enabling employees to become the organisation’s front line of defence.

Visit www.alienvault.com.
