Multilayered Security Part IV: End User Training
End user training, the final component of our series on multilayered security, is arguably the most critical facet of a well-oiled digital security program. Employees are by and large the biggest threat to cybersecurity, statistically accounting for the majority of breaches every year.
And employees unintentionally misuse internal systems more than you’d expect. Just one employee clicking the wrong link can put entire systems and stores of data at risk.
To maintain proper cybersecurity vigilance, end users must be trained to spot red flags:
- Malware – Malicious programs, including viruses, worms, adware, etc., that infect systems, applications, and data. Malware is constantly changing, so spotting it requires up-to-date knowledge of its behaviors.
- Social Engineering – Manipulating end users through personal appeals into surrendering data or passwords. Common examples include emails apparently from friends, messages on social media, and bogus links from trusted sources, to name a few.
- Phishing – Malicious parties posing as legitimate institutions to obtain passwords, account information, and other personal information through text messages, emails, and even phone calls.
- Password Sharing – Password sharing often begins innocently but can quickly compromise internal systems, whether the shared credentials are misused intentionally or by accident.
- Insecure Networks – Logging onto an insecure network can have disastrous and sometimes strikingly immediate consequences. Remember the guy who lost $155K in Bitcoin after logging onto a public Wi-Fi network at a restaurant? In the case of employees, insecure networks are most often reached from personal devices (a topic discussed below), whose use must be governed by specific guidelines to prevent security breaches.
To get a good grasp of the scope of the problem, consider the Wombat 2018 Beyond the Phish® Report, an in-depth analysis of the cybersecurity issues plaguing businesses. It draws on a survey of 85 million questions posed to end users and reveals key vulnerabilities across 16 industries and 12 categories.
“As we come off a successful week at RSA Conference, the 2018 Beyond the Phish® Report again illustrates the importance of combining the use of assessments and training across many cybersecurity topic areas, including phishing prevention. Our hope is that by sharing this data, infosec professionals will think more about the ways they are evaluating vulnerabilities within their organizations and recognize the opportunity they have to better equip employees to apply cybersecurity best practices and, as a result, better manage end-user risk.” – Joe Ferrara, Wombat General Manager
The Report identifies gaps in employee cybersecurity knowledge versus actual practice, and the numbers are alarming:
- The Protecting Confidential Information category featured the worst end user performance, with a staggering 25% of questions missed. This category covers compliance-related topics, including requirements related to the General Data Protection Regulation (GDPR).
- Employees in telecommunications and manufacturing received the lowest rankings in three out of 12 categories.
- In the Protecting and Disposing of Data Securely category, end users across all industries answered 23% of questions incorrectly.
Purchase the full report here.
End user training needs to be a strategic, well-conceived priority to effectively safeguard company data and systems. The ever-evolving nature of malware and the multitude of entry points for security breaches dictate the deployment of effective training tools like:
- Mandatory security training programs
- Posters and other visual aids
- Meetings and forums
- Instructional emails
Employees can and should be the strongest line of defense against security concerns. Getting them there requires time, planning, and money, but the ROI and overall decrease in stress is well worth the implementation of a comprehensive cybersecurity program.
- Awareness & Mandatory Training
End users must receive the knowledge and attitudes needed to recognize cues in messages, social media, emails, etc. that indicate the presence of malware and other threats. A one-size-fits-all approach won’t cut it; individuals must be differentiated according to their present level of knowledge and level of access. Users with more knowledge and more access will require more advanced training than inexperienced users.
- Clear Procedures
Cybersecurity policy and procedures need to be documented, easily accessible, and reviewed with all incoming employees. These should include what to look for, what to do if an error is made, and the proper channels to go through should a breach occur. The goal is not to intimidate but rather empower employees to cover their bases.
A critical element of security policy involves personal device use. There should be absolutely no arbitrary rules about private device use, and best practice is to restrict staff access. The likelihood of joining insecure networks increases dramatically when users access restricted data from personal mobile phones.
Comprehensive investigations of users should be conducted when a breach does occur. Again, the goal is not to intimidate, but to learn from mistakes and apply lessons on a larger scale to safeguard against future security events.
- Open Communication
Employees should not only know what’s prohibited but why. By engaging staff on a personal level and keeping lines of communication about security open, businesses can create a culture of security that is inclusive and more apt to avoid breaches in the first place.
- Get Partners Involved
Since cyber attacks like phishing and social engineering oftentimes involve a third-party guise, getting partners onboard is an excellent way to bolster a cybersecurity training program. Malicious parties can use partner information to communicate with team members and eventually access/destroy data and interrupt system functionality, so making partners aware of procedures will protect both sides.
- Measure Efficiency
Periodically check on the efficiency of the end user training program. Did employees absorb the knowledge and apply it in real time? What are the strengths and weaknesses of the program? Surveys (like the one Wombat conducted) are powerful methods to gain insight into where the business stands from a security standpoint.
One of the best tools to measure corporate security efficiency is what’s called self-phishing or simulated cyberattacks. These will quickly expose weaknesses in both individuals and procedures.
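The two ideas above, tiering training by access level and measuring the program with simulated phishing, fit together naturally: the simulation results tell you which groups need which module. The following Python script is an added example, not code from the original post or from Revival Technology or Wombat. It scores a constructed set of simulated-phishing results per department and then builds a remediation plan. The event records, the department names, and the `ACCESS_TIER` mapping are all assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample results from one simulated-phishing send (not real data).
# Each record is one recipient: whether they clicked the lure, whether they
# went on to submit credentials on the landing page, and whether they reported
# the message through the company's reporting channel.
EVENTS = [
    {"user": "u01", "dept": "finance",     "clicked": True,  "submitted": True,  "reported": False},
    {"user": "u02", "dept": "finance",     "clicked": True,  "submitted": False, "reported": False},
    {"user": "u03", "dept": "finance",     "clicked": False, "submitted": False, "reported": True},
    {"user": "u04", "dept": "finance",     "clicked": False, "submitted": False, "reported": False},
    {"user": "u05", "dept": "engineering", "clicked": False, "submitted": False, "reported": True},
    {"user": "u06", "dept": "engineering", "clicked": False, "submitted": False, "reported": True},
    {"user": "u07", "dept": "engineering", "clicked": True,  "submitted": False, "reported": True},
    {"user": "u08", "dept": "engineering", "clicked": False, "submitted": False, "reported": False},
    {"user": "u09", "dept": "sales",       "clicked": False, "submitted": False, "reported": False},
    {"user": "u10", "dept": "sales",       "clicked": False, "submitted": False, "reported": False},
]

# Hypothetical mapping of department to access tier. It drives the post's
# "more access, more advanced training" rule; a real deployment would pull
# this from the identity system.
ACCESS_TIER = {"finance": "privileged", "engineering": "privileged", "sales": "standard"}


@dataclass
class GroupStats:
    sent: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0
    submitters: list = field(default_factory=list)

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def summarize(events):
    """Aggregate per-department counts, rejecting internally inconsistent records."""
    stats = defaultdict(GroupStats)
    for e in events:
        if e["submitted"] and not e["clicked"]:
            # Credentials cannot be submitted without reaching the landing page;
            # such a record means the export is corrupt, so fail loudly rather
            # than silently producing a flattering click rate.
            raise ValueError(f"inconsistent record for {e['user']}: submitted without click")
        g = stats[e["dept"]]
        g.sent += 1
        g.clicked += int(e["clicked"])
        g.submitted += int(e["submitted"])
        g.reported += int(e["reported"])
        if e["submitted"]:
            g.submitters.append(e["user"])
    return dict(stats)


def remediation_plan(stats, access_tier, max_click_rate=0.10, min_report_rate=0.50):
    """Decide which training each department gets, tiered by access level.

    A low click rate alone is not a pass: a group nobody in which reports the
    lure has not learned the procedure either, so report rate is checked too.
    """
    plan = {}
    for dept, s in stats.items():
        tier = access_tier.get(dept, "standard")
        modules = []
        if s.click_rate > max_click_rate:
            modules.append(f"phishing-recognition ({tier})")
        if s.report_rate < min_report_rate:
            modules.append(f"reporting-procedure ({tier})")
        plan[dept] = {
            "click_rate": round(s.click_rate, 2),
            "report_rate": round(s.report_rate, 2),
            "modules": modules,
            # Anyone who typed credentials gets an individual follow-up
            # (password reset plus a one-on-one walkthrough of the lure).
            "credential_followup": list(s.submitters),
        }
    return plan


if __name__ == "__main__":
    for dept, entry in remediation_plan(summarize(EVENTS), ACCESS_TIER).items():
        print(dept, entry)
```

With the constructed data, finance shows a 50% click rate and gets both modules in the privileged tier plus one credential follow-up; engineering had a click but also a 75% report rate, so it only gets the recognition module; sales had no clicks but also no reports, which the plan treats as a reporting-procedure gap rather than a clean result.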
The Bottom Line – All the firewalls and patches in the world cannot protect against employee misuse, and end users are historically known as the weakest link in cybersecurity, the chink in the armor. Give employees an arsenal of knowledge and nuanced training to minimize risks. By creating a culture of positive cybersecurity, end users will gain the savvy and confidence to safeguard the lifeblood of business: themselves and the data.
To learn more about Revival Technology, LLC, visit our website at www.RevivalTechnology.com to find out how we can help your business, the most common services performed, and our process.