Are your user security training efforts working? You may have never paused to think about the relationship your users have with your security program. The goal, of course, is to train your users to understand what to watch out for and what to do in a number of tricky situations.
The reality: At most organizations, users often have much more control than they realize. Users continually make security decisions throughout their working days that can lead to impactful security situations on your network.
They may have signed off on your security policies during their initial onboarding — but do they fully understand what’s expected of them? And are you prepared to deal with the consequences?
User Security Training: A Missed Opportunity?
A substantial portion of security events are brought about by untrained (or improperly trained) users. A security training program can help minimize the risk of these incidents. A plan also demonstrates due care. You shouldn’t just slap together an awareness and training program and hope for the best. Take a measured approach: Align your initiatives with your IT and security programs and overall business risks. Then, measure your efforts toward potential improvements.
Do you already have a security awareness and training program in place — but you’re still getting hit? If so, then something’s amiss. Data, such as the 2017 Cost of a Data Breach Study and Privacy Rights Clearinghouse’s Chronology of Data Breaches, reveals many examples of people going through the motions without checking in to see how things are really working.
A solid awareness and training program revolves around setting expectations. Your users have access to information on a need-to-know basis — and they need to know what they should and shouldn’t do. Your human relations team, IT and security staff, executive managers or other involved personnel also need to know what’s going down and how it matches up with the goals of the business. Otherwise, it’s just noise.
User ignorance isn’t the only thing that creates security challenges. All it takes is boredom, curiosity or trouble at home for someone to do something terrible. Furthermore, honest slip-ups can also bring about pain and suffering. But what can you do reduce the impact of these situations? You can’t realistically expect perfection from your users.
Teach Users to Focus, Not Follow
Set your users and business up for success by having compensating controls that can be there for when these things crop up. It’s hard to believe that most companies have yet to deploy a proper patch management system and strong endpoint security controls — but that’s the reality in enterprise today.
A user awareness and training program is not going to prevent all threats, but at least you can show that you were taking the proper steps to address common issues. However, it’s not just about security awareness — it’s also about situational awareness. In other words, it’s not simply people being asked to follow policies blindly. Instead, it’s people being able to think for themselves when presented with trying situations.
A Critical Intersection
On a daily basis, I witness right-turning drivers yielding to vehicles turning left in front of them at an intersection near my home. The right-turning drivers don’t have a yield sign. Still, they yield anyway.
It’s a two-pronged issue:
- These drivers have been conditioned to believe that if they are turning right (and someone is turning in front of them), they should yield. After all, a yield sign is present in many such intersections.
- These drivers are not thinking. They’re simply going through the motions without paying attention to what’s around them.
It’s not only an aggravating situation when you’re behind these drivers who yield in front of you, but it can be downright dangerous for all cars involved. Your users need to be conditioned to do what’s right — but they also need to be paying attention and thinking about their actions. Take this approach to your awareness and training and you can shape user behaviors in positive ways.
The Real Problems at Hand
History has taught us that intentions do not equal results. You cannot take the path of politicians and continue to avoid the real problems at hand. As Brendon Burchard, a performance coach and author, once said on Twitter, “Avoidance is the best short-term strategy to escape conflict and the best long-term strategy to ensure suffering.”
Identify the things in your environment and business culture that are facilitating these user-centric security challenges. The most important question: How? How are users creating IT risks? How are you setting them up for success in addressing those risks? How are we still vulnerable? How can we get to the next level?
If you don’t have a formal security training program in place, get started with some simple steps: emails, lunch-and-learn events, posters and other reminders around the office. If you do have a program in place, but you’re still getting hit with malware infections and failed phishing checks, investigate the cause. Where are the gaps? What are the opportunities for improvement?
There’s always room for improvement in these areas, and it’s up to you to figure out where. Unless (and until) you ratchet up your user awareness and training efforts, they will continue to serve as mere background noise. Sure, it’s not the be-all and end-all solution to your security woes, but such efforts are a vital component. Make sure you’re doing it well.
Listen to the podcast: What’s the Best Defense Against Cyberattacks? You Are
Independent Information Security Consultant
Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle Logic, LLC. With over 29 years of experienc...