Security Awareness Training
The Final Frontier in the Fight against CyberCrime
- By Joe Ferrara
- Jan 01, 2013
While the variety and sophistication of cybersecurity technologies
has expanded exponentially over the last decade,
the ability of organizations to defend themselves against security
breaches doesn’t seem to be improving. In fact, most
evidence suggests it’s actually getting worse. A 2012 study from HP revealed
that the occurrence of cyber attacks has more than doubled over the last three
years, with organizations experiencing an average of 102 successful attacks
per week in 2012, compared to 50 attacks per week in 2010.
As more business is conducted virtually—on computers and mobile devices—
the opportunity for criminals to steal valuable information expands. To
date, the information security industry has been primarily focused on using
technology to secure information. But not much has been done to secure the
human element, and as a result, employees have become the primary attack
vector of cybercriminals. In a recent report by PwC, 80 percent of companies
surveyed had security breaches caused by employees.
Technologies such as antivirus, firewalls, intrusion detection and behavior-
blocking components are undoubtedly essential countermeasures in the
fight against cybercrime, but unfortunately nearly every cybersecurity technology
engineered to protect computer systems and information can be accidentally
circumvented by human interaction.
Information security has always required a delicate balance between usability,
cost and strength. Building an impenetrable fortress would not only stifle
employee productivity but also be cost prohibitive. In the age of IT consumerization,
employee demands for increasing mobility and connectivity have made
the challenge of maintaining a balanced approach to security even more difficult—
a fact that cybercriminals have been quick to exploit to their advantage.
As cyber attacks are growing in sophistication, with evidence that cyber
espionage efforts such as Flame are sponsored by nation states, many observers
say corporate America is not doing as much as it should to mitigate the
threat. New breeds of sophisticated attacks that target vulnerable employees—
such as spearphishing, drive-by downloads, poisoned search engine results
and mobile malware—continue to debut in droves, while the effectiveness of
countermeasures lag behind.
Based on the sheer volume and velocity of attacks waged against unsuspecting
and undereducated employees, it is evident that something must be
done to shore up this gaping hole in corporate defenses. Maintaining the status
quo is no longer a sustainable option because organizations cannot afford
to spend increasing amounts of time, money and energy responding to these
types of cyberattacks.
Recognizing that humans are still the weakest link in the security chain,
many security officers are re-evaluating their approach to cybersecurity training.
Most employee-caused security breaches occur through ignorance rather
than malice. The old model of herding employees into a classroom once a year
(or upon hire) to sit through the boring, antiquated style of training session
that emerged 15 to 20 years ago has proven to be ineffective.
Threats are evolving at a rapid pace as employee adoption of mobile computing
and social networking has skyrocketed. The old once-a-year “check
box” approach to security training cannot keep pace, nor will the creation of
a security policy by itself prevent breaches. Wombat Security Technologies’
own research shows that tried-and-true cyberattack methods, such as relatively
simple phishing emails, are still hooking up to 60 percent of employees.
It is time for employees to understand the importance of security policies and
learn how to put them into practice.
While some argue that employees are incapable of taking an active role in
cybersecurity, there is strong evidence that supports the effectiveness of education.
Research shows that organizations with well-understood security policies
suffer fewer breaches, and companies with an ongoing security awareness
program suffer 50 percent less breaches. Security officers who retire their old
PowerPoint training presentations in favor of new interactive cybersecurity
assessment and awareness training software are seeing positive results, including
up to a 70 percent reduction in susceptibility to employee-targeted
attacks, which translates to fewer breaches and lower remediation costs.
New software-based training programs easily integrate into dealers’ existing
security product and service portfolios to meet this growing demand for
more effective training solutions. Integrators, consultants and resellers alike
are taking advantage of this trend to drive incremental revenues, increase customer
penetration and complement security infrastructure sales.
5 Key Security Training Program Success Factors
Here are some key user education program tactics that our customers use to
successfully make people aware of security risks and motivate them to change
Prioritize and focus. Successful security training is a process, not a onetime
event. Security training solutions that include analytics help organizations
assess human risk factors across multiple attack vectors including email,
mobile devices, social networking and passwords. This allows security officers
to create a customized training program that addresses the most prevalent or
risky employee behaviors first. The best results are achieved by setting realistic
goals to modify two or three risky security behaviors at a time. As progress is
made, more risks can be addressed with the addition of new training modules.
Make it digestible. Effective security training is about
quality, not quantity. Training is better received when
it is woven into the daily work routine—using learning
science principles to build incremental success using
“teachable moments.” In just 10 minutes, interactive software
training sessions can measurably reduce employee
susceptibility to attacks. With administrative tools that
allow security managers to schedule and deploy training
modules or mock cyberattacks, security training can be
presented in the context that a person will most likely be
attacked. When an employee falls for an attack, a quick
on-the-spot training session can help him or her better
understand the risks and learn how to avoid similar attacks
in the future.
Keep them coming back for more. As the mobile app
explosion demonstrates, people love games and engaging
formats. The best security training solutions use this fact
to their advantage. With interactive elements, simulated
environments, games featuring memorable characters
and engaging scenarios, employees actually look forward
to training. This approach allows employees to self-pace
learning, practice concepts in multiple contexts and master
skills through repetition. Over time, active involvement
in the learning process helps employees feel more
invested, which ultimately translates to better understanding
and lower risk.
Measure the results. Security training platforms collect
user data to help training administrators monitor
completion of training assignments, assess individual employee
performance and measure improvement in terms
of peoples’ behaviors and awareness, across the entire organization.
Armed with in-depth training intelligence and
easy-to-read reports, security officers can track compliance,
measure the effectiveness of their security awareness
programs and demonstrate positive return on investments.
Continue to adapt. As long as security breaches yield financial
or political gains for perpetrators, cyberattacks will
continue to proliferate. Security awareness training programs
must be designed to address the current spectrum
of email, mobile device, social networking and passwordrelated
attacks, as well as keep pace with evolving threats.
Cloud-based training platforms that feature a wide array
of modules and offer new releases in response to shifting
cyber attack trends can help security officers create flexible
and sustainable security awareness programs.
Long ignored as a strategic ally in the war against cybercrime,
employees are ready, willing and able to take
up the fight—they just need to understand their mission
and be equipped to complete it. While no risk factor can
ever be entirely eliminated, companies that implement
new interactive approaches to security awareness training
are finding that the payout is worth the investment.
As employees learn how to identify and report attacks,
they become invaluable to both a company’s defensive
and offensive security posture. All the metrics prove that
security awareness training, when done right, can have a
tremendous impact in reducing risk. The human element
is truly the final cybersecurity frontier. It’s time to rally
This article originally appeared in the January 2013 issue of Security Today.