Are your user security training efforts working? You may have never paused to think about the relationship your users have with your security program. The goal, of course, is to train your users to understand what to watch out for and what to do in a number of tricky situations.

The reality: At most organizations, users often have much more control than they realize. Users continually make security decisions throughout their working days that can lead to impactful security situations on your network.

They may have signed off on your security policies during their initial onboarding — but do they fully understand what’s expected of them? And are you prepared to deal with the consequences?

User Security Training: A Missed Opportunity?

A substantial portion of security events are brought about by untrained (or improperly trained) users. A security training program can help minimize the risk of these incidents. A plan also demonstrates due care. You shouldn’t just slap together an awareness and training program and hope for the best. Take a measured approach: Align your initiatives with your IT and security programs and overall business risks. Then, measure your efforts toward potential improvements.

Do you already have a security awareness and training program in place — but you’re still getting hit? If so, then something’s amiss. Data, such as the 2017 Cost of a Data Breach Study and Privacy Rights Clearinghouse’s Chronology of Data Breaches, reveals many examples of people going through the motions without checking in to see how things are really working.

A solid awareness and training program revolves around setting expectations. Your users have access to information on a need-to-know basis — and they need to know what they should and shouldn’t do. Your human relations team, IT and security staff, executive managers or other involved personnel also need to know what’s going down and how it matches up with the goals of the business. Otherwise, it’s just noise.

User ignorance isn’t the only thing that creates security challenges. All it takes is boredom, curiosity or trouble at home for someone to do something terrible. Furthermore, honest slip-ups can also bring about pain and suffering. But what can you do to reduce the impact of these situations? You can’t realistically expect perfection from your users.

Teach Users to Focus, Not Follow

Set your users and business up for success by putting compensating controls in place for when these things crop up. It’s hard to believe that most companies have yet to deploy a proper patch management system and strong endpoint security controls — but that’s the reality in enterprise today.

A user awareness and training program is not going to prevent all threats, but at least you can show that you were taking the proper steps to address common issues. However, it’s not just about security awareness — it’s also about situational awareness. In other words, it’s not simply people being asked to follow policies blindly. Instead, it’s people being able to think for themselves when presented with trying situations.

A Critical Intersection

On a daily basis, I witness right-turning drivers yielding to vehicles turning left in front of them at an intersection near my home. The right-turning drivers don’t have a yield sign. Still, they yield anyway.

It’s a two-pronged issue:

  • These drivers have been conditioned to believe that if they are turning right (and someone is turning in front of them), they should yield. After all, a yield sign is present in many such intersections.
  • These drivers are not thinking. They’re simply going through the motions without paying attention to what’s around them.

It’s not only an aggravating situation when you’re behind these drivers who yield in front of you, but it can be downright dangerous for all cars involved. Your users need to be conditioned to do what’s right — but they also need to be paying attention and thinking about their actions. Take this approach to your awareness and training and you can shape user behaviors in positive ways.

The Real Problems at Hand

History has taught us that intentions do not equal results. You cannot take the path of politicians and continue to avoid the real problems at hand. As Brendon Burchard, a performance coach and author, once said on Twitter, “Avoidance is the best short-term strategy to escape conflict and the best long-term strategy to ensure suffering.”

Identify the things in your environment and business culture that are facilitating these user-centric security challenges. The most important question: How? How are users creating IT risks? How are you setting them up for success in addressing those risks? How are we still vulnerable? How can we get to the next level?

If you don’t have a formal security training program in place, get started with some simple steps: emails, lunch-and-learn events, posters and other reminders around the office. If you do have a program in place, but you’re still getting hit with malware infections and failed phishing checks, investigate the cause. Where are the gaps? What are the opportunities for improvement?

There’s always room for improvement in these areas, and it’s up to you to figure out where. Unless (and until) you ratchet up your user awareness and training efforts, they will continue to serve as mere background noise. Sure, it’s not the be-all and end-all solution to your security woes, but such efforts are a vital component. Make sure you’re doing it well.
