November 24, 2014 By Brian Honan 3 min read

Lately, the media has been full of major news stories relating to security breaches at well-known companies. Breaches such as those at Target, Staples and Home Depot have moved security stories from the domain of the information security press into mainstream media stories. The news stories talk of sophisticated attackers using advanced techniques to breach the security of these organizations.

However, are these attacks due to the technical prowess of the attackers or ineffective security awareness programs in those companies? If we look at these breaches more closely, we can identify one common element. That is the human factor. In nearly every security breach actions, either intentional or accidental, by someone in the victim companies led to the security breach.

Study after study also highlights how the human element is a key factor in successful security breaches. The IBM Security Services 2014 Cyber Security Intelligence Index highlights that “95% of all incidents involved some form of “human error”. These errors ranged from clicking on links and attachments in emails, using weak passwords, or using default system settings. Given that many of the breached organizations spent lots of money on security awareness programs, why are we still seeing the human element being such a major contributing factor?

While IT security staff may find information about computer viruses, the latest exploits, and current hacking technique, in reality most people would rather be thinking about something else. They have their own busy work days, deadlines to meet, and a myriad of other demands on their time. In many other cases, the security awareness program has been developed to meet a compliance requirement resulting in the focus being on number of staff attending the awareness session rather than on ensuring the content is relevant to the business and the job roles of the attendees. Finally, most security awareness programs fail because no deliverable s and metrics on their effectiveness have been identified. Simply put, in many cases security awareness programs do not engage staff.

If we look at how road safety campaigns have developed over the years we can see how they’ve progressed from simply making people aware of the rules of the road to modern adverts providing impactful content on why it is important to drive safely. Similar to the old road safety campaigns, simply making staff aware of security issues is not enough to ensure they behave in a secure manner. People have busy work and personal lives and many will look to complete their tasks quickly without thinking about the security implications. As such, we need to move away from a security awareness approach to enabling staff to be more secure, by developing a security engagement program whereby people will become equipped to deal with the security threats they face.

An effective security engagement program should be aligned with the overall business needs and the goals of the organization. The security engagement program should be different for a computer company than it would be for a financial institution or an organization in healthcare. The program should also take into account the cultural aspects of staff located in different offices with a particular focus on localizing the content for staff located in regional offices. A U.S. centric security awareness program will not engage an Asian or European audience. Similarly, the content of the program needs to be targeted at the intended audience. Content and key messages delivered to the sales team should be relevant to their role, as should content for the senior management team, and all other areas in the business. Another way to engage the audience is to use psychological hooks to get the attendees attention, such as highlighting safe online computing use for their own personal use. Good habits developed for personal use will equally apply in the corporate environment.

While criminals will look to exploit security vulnerabilities in applications and systems, they will also look to target weaknesses in the people that use those systems and applications. Aligning security education with the needs of the individual will provide a dynamic security engagement program that will be a key element in ensuring a robust security infrastructure.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today