Every employee in a company, from the CEO down, must be invested in security awareness training to avoid human error and other potential incidents.
Every user, whether they are the bane of the IT department or one that is security-savvy, has something to contribute to the business and its cybersecurity. This is an important point that leads directly into our designated topic: security awareness training. Every employee, from the CEO down, must be invested in security awareness training. If executives do not attend, claiming to be too occupied with the Big Picture to focus on trivialities, then IT are within their rights to administer a severe beating. Or, they should be.
When senior executives and department managers do not buy into the importance of cybersecurity awareness, they are leading by example in a negative way. In fact, some IT teams spend more time supporting clueless execs than concentrating on their subordinates. It’s time for a change.
What is the biggest problem in cybersecurity?
No, it’s not ransomware or the increasing number and complexity of attacks, although these are important factors.
“I would say that humans are the biggest problem, because they are the weakest link. It is true and quite normal that humans make mistakes,” said Sorin Mustaca, CSSLP, Security+, Project+, an independent IT security consultant.
However, some human errors do not deserve to be classified as such.
“For example, here are a few problems, which I do not consider errors: clicking on phishing links, executing attachments in emails, using the same simple password everywhere and delegating security responsibility to others. These are not errors caused by humans, they are just the effects of a lack of awareness and training and sometimes just plain and simple ignorance,” suggested Mustaca.
Rather than drone on about the essential nature of security awareness training, let’s consider that a given. If such training takes place on a regular basis, why do users continue to be overwhelmed by it and still make the same mistakes?
Perhaps timing is a factor?
“Performing training after an incident (breach, ransomware, etc.) will make this more urgent, but there is the “lesson learned” effect, which in my opinion will force everyone to focus on what happened and not on what can additionally happen,” said Mustaca.
Of course, preventative training is the goal rather than waiting for a breach. Unfortunately, there are barriers.
“As with any training involving humans, it has its limitations. There is a point where people need to start thinking and applying the knowledge gained in practice sessions, whether these involve identifying sample phishing or ransomware attacks,” said Mustaca, adding that consistent common sense and logical methods are key to success.
Mustaca also highlighted that how much users absorb depends on whether they have already been breached and on whether the training includes a practical part.
“If you show non-technical users how ransomware affects computers and their data, it has a different effect than if you only tell them that their files are destroyed or inaccessible,” said Mustaca.
Technology can help, but Mustaca advises companies to be wary of snake oil sales tactics, as there is no such thing as a 100 percent effective cybersecurity solution.
Technology Enters the Arena
If you hear that a product is guaranteed to prevent a breach, you can assume the marketing team is full of something (and it isn’t knowledge!).
“Unfortunately, there are more and more security companies out there which have a bigger marketing department than R&D. They have no problem in saying that they can offer protection against anything. Users should be careful when they read something like this and not blindly trust such marketing messages,” advised Mustaca.
Technology is a tool and is only effective when configured and maintained by professionals. Unfortunately, data is typically the target of cybercriminals, so it is a logical step to assume you need to protect that data as best you can. Take Ipswitch’s MOVEit secure file transfer solutions as an example. Secure end-to-end encryption is possible whether data is at rest or in transit, and whether the data transport occurs in the cloud, on mobile, via the Web or by email. Add PCI and HIPAA compliance features, and so far nothing has directly connected to security awareness training, right? A self-serving and shameless plug? Hardly.
The admin features allow fine control of access management, meaning you control who has access to important data and when. In addition, it gives IT transparency on who accessed which data at any given time. This is especially useful when determining which users require additional training.
Of course, solutions like these need to work in tandem with security awareness training sessions. Technology alone is not the answer. Nor is eliminating all human error a failsafe solution on its own. Both run the risk of failure when a new variant of ransomware or phishing email emerges, which is all too common these days.
And the Solution is…
In conclusion, companies need to continue with security awareness training and include practical examples of common security threats. There are many possible incentives to encourage training: for example, offering monetary rewards, awards, or bragging rights to employees who identify the most potential threats could spur enthusiasm. The company could also provide a sandbox environment for identifying suspect files. Most importantly, random penetration tests could assess the security awareness of all users, but in a way that does not cause an actual breach. How nice would it be to point out that the CEO makes more mistakes than all other users put together? Hours of fun, guaranteed.
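The two ideas above, using access or activity records to see which users need additional training and running simulated phishing tests that exercise everyone including the executives, come together in a simple scoring report. The script below is an added example written for this article; it is not Ipswitch’s or MOVEit’s code and does not read any real product’s logs. The log format (timestamp, user, role, event), the four event names and every user and event in `SAMPLE_LOG` are constructed for the example.

```python
"""Score a simulated-phishing campaign from constructed log lines.

Each line records one event for one user during a phishing simulation.
The log format, the event names and the sample data are all constructed
for this example and are not the output of any real product.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample log: timestamp, user, role, event.
# Events (constructed names): 'sent' (decoy mail delivered), 'clicked' (link
# followed), 'submitted' (credentials typed into the decoy page),
# 'reported' (user reported the mail to IT).
SAMPLE_LOG = """\
2023-03-01T09:00:00Z alice ceo sent
2023-03-01T09:02:11Z alice ceo clicked
2023-03-01T09:02:40Z alice ceo submitted
2023-03-01T09:00:00Z bob finance sent
2023-03-01T09:05:00Z bob finance reported
2023-03-01T09:00:00Z carol it sent
2023-03-01T09:00:00Z dave sales sent
2023-03-01T09:10:30Z dave sales clicked
2023-03-08T09:00:00Z alice ceo sent
2023-03-08T09:01:05Z alice ceo clicked
2023-03-08T09:00:00Z bob finance sent
2023-03-08T09:00:00Z carol it sent
2023-03-08T09:03:00Z carol it reported
2023-03-08T09:00:00Z dave sales sent
2023-03-08T09:00:00Z dave sales reported
"""

EVENTS = ("sent", "clicked", "submitted", "reported")


@dataclass
class UserStats:
    role: str
    sent: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    def failure_rate(self) -> float:
        # Fraction of delivered simulations the user fell for (clicked or worse).
        return self.clicked / self.sent if self.sent else 0.0


def parse_log(text: str) -> dict[str, UserStats]:
    """Aggregate per-user counters from the constructed log format."""
    stats: dict[str, UserStats] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        _ts, user, role, event = parts
        if event not in EVENTS:
            raise ValueError(f"line {lineno}: unknown event {event!r}")
        entry = stats.setdefault(user, UserStats(role=role))
        setattr(entry, event, getattr(entry, event) + 1)
    return stats


def needs_training(stats: dict[str, UserStats], threshold: float = 0.34):
    """Users whose failure rate is at or above the threshold, worst first.

    The rule applies to every role; nobody is exempt on seniority.
    """
    flagged = [(u, s) for u, s in stats.items() if s.failure_rate() >= threshold]
    return sorted(flagged, key=lambda us: us[1].failure_rate(), reverse=True)


def campaign_summary(stats: dict[str, UserStats]) -> tuple[int, int, float]:
    """Return (mails sent, clicks, overall click rate) for the whole campaign."""
    sent = sum(s.sent for s in stats.values())
    clicked = sum(s.clicked for s in stats.values())
    return sent, clicked, (clicked / sent if sent else 0.0)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    sent, clicked, rate = campaign_summary(stats)
    print(f"campaign: {sent} sent, {clicked} clicked ({rate:.0%})")
    for user, s in needs_training(stats):
        print(f"{user:<8} {s.role:<8} failure rate {s.failure_rate():.0%}, "
              f"reported {s.reported}/{s.sent}")
```

The threshold is deliberately a parameter rather than a fixed policy, and the report counts `reported` alongside `clicked`, since a rising report rate is the clearest sign that training is working even before click rates fall.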
If the mystery is removed from cybersecurity for all users, they are far less likely to be intimidated or overwhelmed by it. As your employees are, in many ways, the security gatekeepers, surely it makes sense to arm them in the manner needed to protect your company.