Security Awareness Training

The Final Frontier in the Fight against CyberCrime

While the variety and sophistication of cybersecurity technologies have expanded exponentially over the last decade, the ability of organizations to defend themselves against security breaches doesn’t seem to be improving. In fact, most evidence suggests it’s actually getting worse. A 2012 study from HP revealed that the occurrence of cyber attacks has more than doubled over the last three years, with organizations experiencing an average of 102 successful attacks per week in 2012, compared to 50 attacks per week in 2010.

As more business is conducted virtually—on computers and mobile devices—the opportunity for criminals to steal valuable information expands. To date, the information security industry has been primarily focused on using technology to secure information. But not much has been done to secure the human element, and as a result, employees have become the primary attack vector of cybercriminals. In a recent report by PwC, 80 percent of companies surveyed had security breaches caused by employees.

Technologies such as antivirus, firewalls, intrusion detection and behavior-blocking components are undoubtedly essential countermeasures in the fight against cybercrime, but unfortunately nearly every cybersecurity technology engineered to protect computer systems and information can be accidentally circumvented by human interaction.

Information security has always required a delicate balance between usability, cost and strength. Building an impenetrable fortress would not only stifle employee productivity but also be cost prohibitive. In the age of IT consumerization, employee demands for increasing mobility and connectivity have made the challenge of maintaining a balanced approach to security even more difficult—a fact that cybercriminals have been quick to exploit to their advantage.

As cyber attacks are growing in sophistication, with evidence that cyber espionage efforts such as Flame are sponsored by nation states, many observers say corporate America is not doing as much as it should to mitigate the threat. New breeds of sophisticated attacks that target vulnerable employees—such as spearphishing, drive-by downloads, poisoned search engine results and mobile malware—continue to debut in droves, while the effectiveness of countermeasures lags behind.

Based on the sheer volume and velocity of attacks waged against unsuspecting and undereducated employees, it is evident that something must be done to shore up this gaping hole in corporate defenses. Maintaining the status quo is no longer a sustainable option because organizations cannot afford to spend increasing amounts of time, money and energy responding to these types of cyberattacks.

Recognizing that humans are still the weakest link in the security chain, many security officers are re-evaluating their approach to cybersecurity training. Most employee-caused security breaches occur through ignorance rather than malice. The old model of herding employees into a classroom once a year (or upon hire) to sit through the boring, antiquated style of training session that emerged 15 to 20 years ago has proven to be ineffective.

Threats are evolving at a rapid pace as employee adoption of mobile computing and social networking has skyrocketed. The old once-a-year “check box” approach to security training cannot keep pace, nor will the creation of a security policy by itself prevent breaches. Wombat Security Technologies’ own research shows that tried-and-true cyberattack methods, such as relatively simple phishing emails, are still hooking up to 60 percent of employees. It is time for employees to understand the importance of security policies and learn how to put them into practice.

While some argue that employees are incapable of taking an active role in cybersecurity, there is strong evidence that supports the effectiveness of education. Research shows that organizations with well-understood security policies suffer fewer breaches, and companies with an ongoing security awareness program suffer 50 percent fewer breaches. Security officers who retire their old PowerPoint training presentations in favor of new interactive cybersecurity assessment and awareness training software are seeing positive results, including up to a 70 percent reduction in susceptibility to employee-targeted attacks, which translates to fewer breaches and lower remediation costs.

New software-based training programs easily integrate into dealers’ existing security product and service portfolios to meet this growing demand for more effective training solutions. Integrators, consultants and resellers alike are taking advantage of this trend to drive incremental revenues, increase customer penetration and complement security infrastructure sales.

5 Key Security Training Program Success Factors

Here are some key user education program tactics that our customers use to successfully make people aware of security risks and motivate them to change their behaviors.

Prioritize and focus. Successful security training is a process, not a one-time event. Security training solutions that include analytics help organizations assess human risk factors across multiple attack vectors, including email, mobile devices, social networking and passwords. This allows security officers to create a customized training program that addresses the most prevalent or risky employee behaviors first. The best results are achieved by setting realistic goals to modify two or three risky security behaviors at a time. As progress is made, more risks can be addressed with the addition of new training modules.

Make it digestible. Effective security training is about quality, not quantity. Training is better received when it is woven into the daily work routine—using learning science principles to build incremental success using “teachable moments.” In just 10 minutes, interactive software training sessions can measurably reduce employee susceptibility to attacks. With administrative tools that allow security managers to schedule and deploy training modules or mock cyberattacks, security training can be presented in the context that a person will most likely be attacked. When an employee falls for an attack, a quick on-the-spot training session can help him or her better understand the risks and learn how to avoid similar attacks in the future.

Keep them coming back for more. As the mobile app explosion demonstrates, people love games and engaging formats. The best security training solutions use this fact to their advantage. With interactive elements, simulated environments, games featuring memorable characters and engaging scenarios, employees actually look forward to training. This approach allows employees to self-pace learning, practice concepts in multiple contexts and master skills through repetition. Over time, active involvement in the learning process helps employees feel more invested, which ultimately translates to better understanding and lower risk.

Measure the results. Security training platforms collect user data to help training administrators monitor completion of training assignments, assess individual employee performance and measure improvement in people’s behaviors and awareness across the entire organization. Armed with in-depth training intelligence and easy-to-read reports, security officers can track compliance, measure the effectiveness of their security awareness programs and demonstrate a positive return on investment.

Continue to adapt. As long as security breaches yield financial or political gains for perpetrators, cyberattacks will continue to proliferate. Security awareness training programs must be designed to address the current spectrum of email, mobile device, social networking and password-related attacks, as well as keep pace with evolving threats. Cloud-based training platforms that feature a wide array of modules and offer new releases in response to shifting cyber attack trends can help security officers create flexible and sustainable security awareness programs.

Long ignored as a strategic ally in the war against cybercrime, employees are ready, willing and able to take up the fight—they just need to understand their mission and be equipped to complete it. While no risk factor can ever be entirely eliminated, companies that implement new interactive approaches to security awareness training are finding that the payout is worth the investment. As employees learn how to identify and report attacks, they become invaluable to both a company’s defensive and offensive security posture. All the metrics prove that security awareness training, when done right, can have a tremendous impact in reducing risk. The human element is truly the final cybersecurity frontier. It’s time to rally the troops.

This article originally appeared in the January 2013 issue of Security Today.
