In the football world, we often hear that the best defense is good offense. Can we also apply that principle to our IT environments and user education initiatives?

The Best Defense

IT leaders must continuously verify and combat new threats, insiders, malware techniques or other forms of attacks. Security analysts are always running to investigate events and flows using software and tools. Obviously, these tools are crucial to help IT professionals organize their initial security programs and later bolster their defenses. But what is the most important attention point for a security team?

The imperative is always the same: Reduce the elapsed time between the violation and the remediation. That requires hard work, especially when privileged users are involved. It also requires a big budget, since reliable software solutions are expensive. There is, however, a more rudimentary yet effective defense mechanism that won’t break the bank: user education.

The Value of User Education

Education is fundamental in every discipline — in ordinary life, at work, and in the context of social groups, relationships and the digital world. Still, IT leaders too often undervalue user education and user behavior analytics (UBA), which creates opportunities for attackers.

In fact, threat actors constantly monitor users’ activities to identify potential vulnerabilities to exploit. Meanwhile, security teams are merely playing defense. But before taking an offensive stand against these threats, organizations must thoroughly train their employees to adopt good security practices.

Think of everyday valuables such as your wallet, smartphone and keys. You always know where they are and how they are being used. Employees must protect their identities, passwords and devices with the same level of vigilance.

This is where security awareness and education initiatives can step in and help. Users need to know how to create complex passwords and change them periodically. Whenever possible, they should use multifactor authentication when logging into sensitive accounts. Furthermore, employees should know which devices they’re expected to use, who else can access them and how they’re secured.

A Breach Is Just a Click Away

As a general rule, users should assume that each mouse click or keystroke represents the origin of a possible attack. They must also establish definitive trust before sharing any sensitive information, the same way they would treat a face-to-face interaction.

Think of traditional mail, for example. First we see the sender address and postal stamp, then we open the envelope and read the letter. We cannot click links, execute commands or open files that might lead to cyberattacks — instead, we must read, read and read again before acting. Users need to apply this principle to their online safety practices.

It seems like an impossible task, but it really isn’t. It’s just a matter of educating users, establishing good habits and spreading awareness — three invaluable security solutions any organization can afford.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today