In the football world, we often hear that the best defense is good offense. Can we also apply that principle to our IT environments and user education initiatives?

The Best Defense

IT leaders must continuously verify and combat new threats, insiders, malware techniques or other forms of attacks. Security analysts are always running to investigate events and flows using software and tools. Obviously, these tools are crucial to help IT professionals organize their initial security programs and later bolster their defenses. But what is the most important attention point for a security team?

The imperative is always the same: Reduce the elapsed time between the violation and the remediation. That requires hard work, especially when privileged users are involved. It also requires a big budget, since reliable software solutions are expensive. There is, however, a more rudimentary yet effective defense mechanism that won’t break the bank: user education.

The Value of User Education

Education is fundamental in every discipline — in ordinary life, at work, and in the context of social groups, relationships and the digital world. Still, IT leaders too often undervalue user education and user behavior analytics (UBA), which creates opportunities for attackers.

In fact, threat actors constantly monitor users’ activities to identify potential vulnerabilities to exploit. Meanwhile, security teams are merely playing defense. But before taking an offensive stand against these threats, organizations must thoroughly train their employees to adopt good security practices.

Think of everyday valuables such as your wallet, smartphone and keys. You always know where they are and how they are being used. Employees must protect their identities, passwords and devices with the same level of vigilance.

This is where security awareness and education initiatives can step in and help. Users need to know how to create complex passwords and change them periodically. Whenever possible, they should use multifactor authentication when logging into sensitive accounts. Furthermore, employees should know which devices they’re expected to use, who else can access them and how they’re secured.

A Breach Is Just a Click Away

As a general rule, users should assume that each mouse click or keystroke represents the origin of a possible attack. They must also establish definitive trust before sharing any sensitive information, the same way they would treat a face-to-face interaction.

Think of traditional mail, for example. First we see the sender address and postal stamp, then we open the envelope and read the letter. We cannot click links, execute commands or open files that might lead to cyberattacks — instead, we must read, read and read again before acting. Users need to apply this principle to their online safety practices.

It seems like an impossible task, but it really isn’t. It’s just a matter of educating users, establishing good habits and spreading awareness — three invaluable security solutions any organization can afford.

More from Identity & Access

How to Keep Your Secrets Safe: A Password Primer

There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don't know it yet. Criminals are relentless. Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within…

Making the Leap: The Risks and Benefits of Passwordless Authentication

The password isn't going anywhere. Passwordless authentication is gaining momentum, though. It appears to be winning the battle of how companies are choosing to log in. Like it or not, the security industry must contend with both in the future.  But for some businesses and agencies, going passwordless is the clear strategy. Microsoft, for instance, has recently stopped forcing users to use a password to access their account, which allows access to a wide range of Microsoft business and personal…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…