Light Dark
May 25, 2018 By Kevin Beaver 4 min read
Risk Management
CISO

Are your user security training efforts working? You may have never paused to think about the relationship your users have with your security program. The goal, of course, is to train your users to understand what to watch out for and what to do in a number of tricky situations.

The reality: At most organizations, users often have much more control than they realize. Users continually make security decisions throughout their working days that can lead to impactful security situations on your network.

They may have signed off on your security policies during their initial onboarding — but do they fully understand what’s expected of them? And are you prepared to deal with the consequences?

User Security Training: A Missed Opportunity?

A substantial portion of security events are brought about by untrained (or improperly trained) users. A security training program can help minimize the risk of these incidents. A plan also demonstrates due care. You shouldn’t just slap together an awareness and training program and hope for the best. Take a measured approach: Align your initiatives with your IT and security programs and overall business risks. Then, measure your efforts toward potential improvements.

Do you already have a security awareness and training program in place — but you’re still getting hit? If so, then something’s amiss. Data, such as the 2017 Cost of a Data Breach Study and Privacy Rights Clearinghouse’s Chronology of Data Breaches, reveals many examples of people going through the motions without checking in to see how things are really working.

A solid awareness and training program revolves around setting expectations. Your users have access to information on a need-to-know basis — and they need to know what they should and shouldn’t do. Your human relations team, IT and security staff, executive managers or other involved personnel also need to know what’s going down and how it matches up with the goals of the business. Otherwise, it’s just noise.

User ignorance isn’t the only thing that creates security challenges. All it takes is boredom, curiosity or trouble at home for someone to do something terrible. Furthermore, honest slip-ups can also bring about pain and suffering. But what can you do reduce the impact of these situations? You can’t realistically expect perfection from your users.

Teach Users to Focus, Not Follow

Set your users and business up for success by having compensating controls that can be there for when these things crop up. It’s hard to believe that most companies have yet to deploy a proper patch management system and strong endpoint security controls — but that’s the reality in enterprise today.

A user awareness and training program is not going to prevent all threats, but at least you can show that you were taking the proper steps to address common issues. However, it’s not just about security awareness — it’s also about situational awareness. In other words, it’s not simply people being asked to follow policies blindly. Instead, it’s people being able to think for themselves when presented with trying situations.

A Critical Intersection

On a daily basis, I witness right-turning drivers yielding to vehicles turning left in front of them at an intersection near my home. The right-turning drivers don’t have a yield sign. Still, they yield anyway.

It’s a two-pronged issue:

  • These drivers have been conditioned to believe that if they are turning right (and someone is turning in front of them), they should yield. After all, a yield sign is present in many such intersections.
  • These drivers are not thinking. They’re simply going through the motions without paying attention to what’s around them.

It’s not only an aggravating situation when you’re behind these drivers who yield in front of you, but it can be downright dangerous for all cars involved. Your users need to be conditioned to do what’s right — but they also need to be paying attention and thinking about their actions. Take this approach to your awareness and training and you can shape user behaviors in positive ways.

The Real Problems at Hand

History has taught us that intentions do not equal results. You cannot take the path of politicians and continue to avoid the real problems at hand. As Brendon Burchard, a performance coach and author, once said on Twitter, “Avoidance is the best short-term strategy to escape conflict and the best long-term strategy to ensure suffering.”

Identify the things in your environment and business culture that are facilitating these user-centric security challenges. The most important question: How? How are users creating IT risks? How are you setting them up for success in addressing those risks? How are we still vulnerable? How can we get to the next level?

If you don’t have a formal security training program in place, get started with some simple steps: emails, lunch-and-learn events, posters and other reminders around the office. If you do have a program in place, but you’re still getting hit with malware infections and failed phishing checks, investigate the cause. Where are the gaps? What are the opportunities for improvement?

There’s always room for improvement in these areas, and it’s up to you to figure out where. Unless (and until) you ratchet up your user awareness and training efforts, they will continue to serve as mere background noise. Sure, it’s not the be-all and end-all solution to your security woes, but such efforts are a vital component. Make sure you’re doing it well.

Listen to the podcast: What’s the Best Defense Against Cyberattacks? You Are

Kevin Beaver
Independent Information Security Consultant

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature