IT projects are most effective when they take into account people, processes, and technology. These three components should be addressed concurrently so the organization can get the maximum benefit from security initiatives when they are rolled out. Unfortunately, while companies tend to address the hardware/software and process aspects, many stop short of the trifecta, viewing employee awareness training as “nice to have” but not necessary.
Especially when budgets are tight, companies choose to educate staff informally if at all. This approach is rarely effective. Organizations often pay the price many times over when a lack of employee security awareness leads to incidents that require time and money to detect, assess, and mitigate.
The reality is that the human element has always been, and will always be, the most challenging aspect of security. Whether staff members intentionally skirt security measures that they feel inhibit productivity or inadvertently take actions that open the digital door to bad actors, people are the proverbial weak link. And cybercriminals know that it is much easier to defeat a person than it is to defeat technology.
Training: The key to winning the cybersecurity battle
In the face of escalating cyberattacks, every company should perform ongoing employee awareness training. To be effective, a program must:
- Have clearly articulated goals
- Use well-defined success metrics
- Have executive support
- Be developed from an in-depth understanding of employee roles
Internal IT or training staff can perform the training, or companies can utilize the expertise of security consulting services providers. There are some advantages to working with a third party who specializes in security. One is that they have access to the latest information on threats and countermeasures. Another is that doing so leaves internal resources free to focus on projects designed to deliver business outcomes. And finally, bringing in outside resources tends to underscore the importance of the material presented.
The objectives of an employee training program should include:
- Educating staff on security policies and risks
- Outlining behaviors that must be established or eliminated
- Explaining the ramifications (to the company and to employees) of failing to follow security protocols
The program should provide education commensurate with an employee’s responsibilities, and should be ongoing. “One and done” training provided when a new security system is first implemented is not effective long-term. Employee awareness training should be broken into segments of 10-15 minutes. This makes it easy to consume and more likely to hold an attendee’s interest. The goal is to keep them wanting more information and seeing security as an ongoing priority.
Following the completion of a new security program rollout and training, periodic social engineering penetration testing can help decision makers determine the efficacy of the training program.
Please hack me
One of the most telling measures of the need for employee training comes in the form of what are called “please hack me” tests. This type of social engineering penetration testing involves someone – typically the security consulting services provider – impersonating a bad actor and sending an email to staff members.
The email contains custom-built malware that is launched if the recipient clicks a link. Not only is a click recorded as a failure to follow security protocols, but the malware can also capture an image of the recipient’s desktop at that moment to help the company determine whether certain conditions (personal web surfing, for example) make employees more susceptible to attacks. The malware can even activate the computer’s web camera to provide more context. All of the information gathered is included in a grading report provided to management.
Other types of tests that probe vulnerabilities can be conducted as well. USB flash drives containing custom malware can be sent to employees or simply left in common areas; connecting one to a computer produces the same results as the email test. And in the most personal form of testing, a phone call can be placed to an employee with the caller impersonating a company executive who needs assistance in accessing sensitive information.
The results of this type of testing are very eye-opening for most companies. Prior to receiving their score, organizations often feel they have no data that cybercriminals would find valuable, and therefore they believe they are “secure through being obscure.” It only takes one “breach” in a testing scenario to dispel that notion, as they begin to consider what a bad actor could access as a result of their porous security perimeter.
The future of employee awareness security training and testing
There is a clear trend in business toward devoting more resources to security initiatives, and committing to employee education and testing. As a result, new forms of training are being developed to replace the old approach of simply making a slide deck available on the company intranet and asking employees to sign off that they have reviewed it.
Gamification is one recent addition to the security training toolkit. Bringing a competitive aspect to employee education has proven very successful. Companies are also emphasizing to their staff that the lessons learned on the job can help them do a better job of securing their personal information at home. New forms of “please hack me” tests are continually being devised.
Ultimately, companies that are willing to invest in security initiatives that consider people, processes, and technology stand the best chance of staying ahead of cybercriminals.