Are your user security training efforts working? You may have never paused to think about the relationship your users have with your security program. The goal, of course, is to train your users to understand what to watch out for and what to do in a number of tricky situations.

The reality: At most organizations, users often have much more control than they realize. Users continually make security decisions throughout their working days that can lead to impactful security situations on your network.

They may have signed off on your security policies during their initial onboarding — but do they fully understand what’s expected of them? And are you prepared to deal with the consequences?

User Security Training: A Missed Opportunity?

A substantial portion of security events are brought about by untrained (or improperly trained) users. A security training program can help minimize the risk of these incidents. A plan also demonstrates due care. You shouldn’t just slap together an awareness and training program and hope for the best. Take a measured approach: Align your initiatives with your IT and security programs and overall business risks. Then, measure your efforts toward potential improvements.

Do you already have a security awareness and training program in place — but you’re still getting hit? If so, then something’s amiss. Data, such as the 2017 Cost of a Data Breach Study and Privacy Rights Clearinghouse’s Chronology of Data Breaches, reveals many examples of people going through the motions without checking in to see how things are really working.

A solid awareness and training program revolves around setting expectations. Your users have access to information on a need-to-know basis — and they need to know what they should and shouldn’t do. Your human relations team, IT and security staff, executive managers or other involved personnel also need to know what’s going down and how it matches up with the goals of the business. Otherwise, it’s just noise.

User ignorance isn’t the only thing that creates security challenges. All it takes is boredom, curiosity or trouble at home for someone to do something terrible. Honest slip-ups can also bring about pain and suffering. But what can you do to reduce the impact of these situations? You can’t realistically expect perfection from your users.

Teach Users to Focus, Not Follow

Set your users and business up for success by having compensating controls in place for when these things crop up. It’s hard to believe that most companies have yet to deploy a proper patch management system and strong endpoint security controls — but that’s the reality in enterprise today.

A user awareness and training program is not going to prevent all threats, but at least you can show that you were taking the proper steps to address common issues. However, it’s not just about security awareness — it’s also about situational awareness. In other words, it’s not simply people being asked to follow policies blindly. Instead, it’s people being able to think for themselves when presented with trying situations.

A Critical Intersection

On a daily basis, I witness right-turning drivers yielding to vehicles turning left in front of them at an intersection near my home. The right-turning drivers don’t have a yield sign. Still, they yield anyway.

It’s a two-pronged issue:

  • These drivers have been conditioned to believe that if they are turning right (and someone is turning in front of them), they should yield. After all, a yield sign is present in many such intersections.
  • These drivers are not thinking. They’re simply going through the motions without paying attention to what’s around them.

It’s not only an aggravating situation when you’re behind these drivers who yield in front of you, but it can be downright dangerous for all cars involved. Your users need to be conditioned to do what’s right — but they also need to be paying attention and thinking about their actions. Take this approach to your awareness and training and you can shape user behaviors in positive ways.

The Real Problems at Hand

History has taught us that intentions do not equal results. You cannot take the path of politicians and continue to avoid the real problems at hand. As Brendon Burchard, a performance coach and author, once said on Twitter, “Avoidance is the best short-term strategy to escape conflict and the best long-term strategy to ensure suffering.”

Identify the things in your environment and business culture that are facilitating these user-centric security challenges. The most important question: How? How are users creating IT risks? How are you setting them up for success in addressing those risks? How are we still vulnerable? How can we get to the next level?

If you don’t have a formal security training program in place, get started with some simple steps: emails, lunch-and-learn events, posters and other reminders around the office. If you do have a program in place, but you’re still getting hit with malware infections and failed phishing checks, investigate the cause. Where are the gaps? What are the opportunities for improvement?

There’s always room for improvement in these areas, and it’s up to you to figure out where. Unless (and until) you ratchet up your user awareness and training efforts, they will continue to serve as mere background noise. Sure, it’s not the be-all and end-all solution to your security woes, but such efforts are a vital component. Make sure you’re doing it well.
