Historically, most security leaders have felt that a well-designed end-user education and awareness program is one of the most cost-effective ways to improve a company's overall security posture. But with threats changing constantly, and with technologies such as real-time prompts that check how users handle data and train them to identify it correctly now maturing, do we still need security awareness training?
On one hand, it is true that a clever phishing attack can compromise most users, and it only takes one user for an attacker to be able to get inside a company. Nevertheless, if you can create a culture of security awareness so that fewer users can be tricked — and those that are not tricked know how to report an attack so it can be quickly detected and remediated — you are, in effect, turning users into phishing detectors on your security team.
What's more, a well-designed security awareness program can protect sensitive information and keep users from performing inappropriate or insecure actions. This requires users who are trained in, and understand, company policy on the handling, sharing, and storage of sensitive information and of the devices that contain it. Typical policies state that sensitive information should not be communicated, unless encrypted, through insecure mechanisms like e-mail and cloud storage solutions. These policies may also say that only authorized users should have access to certain sensitive information. Again, users need to be trained in the proper way to ensure that they share only with those who are properly authorized.
With the significant growth in global competitiveness, some organizations seek to increase their capabilities and profits by stealing proprietary information from market leaders. Increasingly, they may leverage the greed of insiders to steal information or appropriate the information directly with cyberattack methods, or both. Regardless of the method, the goal of stealing information for competitive gains is the same.
An effective security awareness program should convince users that the financial health of their company — and, therefore, their jobs — is at risk if sensitive information is lost. It is to their benefit to learn the red flags associated with rogue insiders and the methods cyberattackers use to attack a company. With this knowledge, users are less likely to be tricked and more likely to report nefarious activities.
What are the essential components of an effective security awareness program?
The first step is senior leadership engagement. This can take the form of videos, voice messages, e-mail messages, and other communiqués from leadership on the importance of security to the future and well-being of the company. Employees are likely to listen and respond when the leadership speaks. But if leadership is quiet, employees may not take the communications efforts of the security team seriously. A good example of engaging senior leadership is a recognition program where the leadership participates in the awards ceremony.
Next, make computer-based training mandatory for all users, with an orientation program for new employees. This can be part of a thorough program that highlights the key policies of the company. Some companies require such training before access to systems is granted. Company bulletins can be useful to inform users about issues and improper activities by employees, such as ethics violations. These can be very effective, since most employees want to understand which activities could result in disciplinary action, including termination.
"Internal phishing" in the form of phishing your own users, where legal, can be an effective way of training employees on how to detect phish and not be tricked. Immediate feedback provides excellent training, especially if the training shows users how they could have spotted the phish on their own. Some organizations have built internal solutions to phish their users and others have leveraged external providers. Either approach can be effective in turning users into phishing detectors. But it is important to inform them of the program so they understand why the company is undertaking this activity.
Perhaps most important is the integration of data protection technology that monitors, prevents, and alerts users in real-time on incorrect actions. This can be very powerful and truly change the behavior of users. I personally know of situations where high violation rates (>60%) are reduced to single digits by providing immediate feedback and instructions to users whenever they perform certain inappropriate actions. The best approaches are user-aware, driving accountability down to the individual person, as well as groups of users like contractors, partners, and outsourcers.
Even more important, perhaps, is that they are context-aware, so that specific behaviors that pose a high risk to the organization can be prevented before they lead to costly and damaging data loss incidents. This is a fine point that is lost on many IT and security teams, yet it is absolutely the key to ensuring that sensitive data is not compromised while business processes continue effectively. Context may mean something as simple as one sensitive file moving from order processing to shipping, between business units on two different continents — potentially suspicious activity until it is determined that the communication took place between employees with no compliance violation. But the same activity in another context could mean something quite different; perhaps one employee used Dropbox through a Chrome browser. This is not secure and is a clear violation, so here the user is prompted and the activity is blocked.
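The user-aware, context-aware decision described above, as an added illustration that is not part of the original article or any vendor's product: a small policy evaluator that blocks and prompts on unencrypted sensitive data over e-mail, cloud storage or Dropbox in a browser, blocks delivery to unauthorized business units, and only raises an alert (without stopping the business process) when a sensitive file legitimately crosses continents. The business unit names, channel names and policy table are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample policy (assumed, not from the article): which business units may
# receive "sensitive" data, and which channels are insecure unless the payload is encrypted.
AUTHORIZED = {"sensitive": {"order-processing", "shipping", "finance"}}
INSECURE_CHANNELS = {"email", "cloud-storage", "dropbox-via-browser"}

@dataclass
class Event:
    user: str
    group: str           # employee, contractor, partner, outsourcer ...
    classification: str  # "sensitive" or "public"
    channel: str         # how the file is being moved
    encrypted: bool
    src_unit: str
    dst_unit: str
    src_continent: str
    dst_continent: str

@dataclass
class Decision:
    action: str                      # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)
    prompt: str = ""                 # real-time feedback shown to the user on a block

def evaluate(ev: Event) -> Decision:
    """Apply the handling policy to one file-movement event and decide what to do."""
    if ev.classification != "sensitive":
        return Decision("allow")     # policy only constrains sensitive data
    d = Decision("allow")
    # Policy 1: sensitive data may only go to units authorized to hold it.
    if ev.dst_unit not in AUTHORIZED["sensitive"]:
        d.action = "block"
        d.reasons.append(f"{ev.dst_unit} is not authorized for sensitive data")
    # Policy 2: insecure channels require encryption (e-mail, cloud storage, Dropbox via browser).
    if ev.channel in INSECURE_CHANNELS and not ev.encrypted:
        d.action = "block"
        d.reasons.append(f"unencrypted sensitive data over {ev.channel}")
    # Context: a cross-continent move between units is suspicious, not forbidden,
    # so it is flagged for review rather than stopping the business process.
    if d.action == "allow" and ev.src_continent != ev.dst_continent:
        d.action = "alert"
        d.reasons.append("sensitive file crossing continents between business units")
    if d.action == "block":          # immediate, user-specific feedback drives accountability
        d.prompt = (f"{ev.user} ({ev.group}): this action was blocked because "
                    + "; ".join(d.reasons) + ". Use the approved encrypted transfer tool.")
    return d
```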
Creating an education culture across your organization and integrating the technology to enable secure processes is a critical step in minimizing attack risk.
Larry Brock is the former CISO of DuPont. He has since launched his own venture consulting on information security and intellectual property protection from insider and advanced cyber threats.