When talking about security breaches, what often comes to mind are nefarious external attack groups. However, the biggest threats to information security can come from within the four walls of the organisation, and more often than not the source is the non-malicious, unsuspecting employee.
Security is not just about the latest technologies. It is also about the people using them.
The reality is that, despite the heavy investments your organisation may have made in IT security solutions, none of these systems is completely foolproof. That is why, beyond the latest products and solutions, it is also crucial that organisations invest in the people using these technologies.
Ensuring that the people aspect of the security equation is strong requires that all members of your organisation have the right understanding of security. This is where security awareness programmes play a big role.
The ‘people’ problem
In November last year, the Ponemon Institute released the results of a study that surveyed 601 cybersecurity professionals, and discovered that 66 percent of respondents identified their company’s staff as the weakest link when it comes to IT security.
Negligent staff or simply employees that are unaware of basic IT security best practices can create countless opportunities for hackers to compromise your company’s systems.
According to a separate study conducted by Cisco and GBM, risks caused by poor employee security behaviour are more often the result of complacency and ignorance than of malice. “Organisations today tend to insulate their employees from the scale of daily threats that people just expect the company’s security settings or teams take care of everything for them,” explains Scott Manson, cybersecurity leader, Middle East and Turkey, Cisco.
Citing the study, Manson says that the report revealed that 66 percent of the employees surveyed believed their company had an IT security policy in place. However, 14 percent were not aware of it.
The role that insiders play in the vulnerability of corporations of all sizes is huge and increasing. Often, they unsuspectingly perform tasks that they deem harmless.
“Referring specifically to non-malicious users, the most common mistake they often make involves infecting the company’s network with malware by visiting malicious websites,” explains Ned Baltagi, managing director, Middle East and Africa, SANS Institute. “In addition, many employees connect their personal devices to the company network and work systems, and download applications without taking precautions or consulting their IT teams.”
Another major security blunder that employees are guilty of is using weak passwords or misusing them. But perhaps the biggest security issue involving users today is falling victim to phishing and social engineering attacks.
“Phishing attacks affect everyone across all demographics, social backgrounds, professional stature and income groups,” says Anna Collard, founder and CEO, Popcorn Training. “The fact that we are humans and respond to emotional triggers makes us vulnerable to social engineering schemes that use psychological tricks to suppress our critical thinking. The schemes have also become more elaborate and could involve multiple messages, phone calls and social media requests.”
For these reasons and more, organisations need to make it a priority to educate their staff by implementing a comprehensive user awareness programme.
Addressing the threat
According to a study by IBM, 95 percent of all security incidents involve human error. The goal of a security awareness programme is to increase organisational understanding and practical implementation of security best practices.
“A solid security awareness programme must include comprehensive instructor-led training done periodically,” says Amir Kolahzadeh, CEO, ITSEC. “It should be succeeded by constant reminders through print and digital forms. It is also ideal to integrate user awareness schemes in the training and orientation programmes for new employees. Cybersecurity awareness is an ongoing process and every company should have regular sessions planned out.”
Training each and every employee to understand that they too are liable on an individual level is of critical importance, says Manson from Cisco.
“Cyber-attackers have identified people as the weakest link and will continue to target them,” he says. “Looking at it from a different perspective, people are an organisation’s most important security defence. Therefore, it is optimal to invest in them to enable them to become more resilient against attackers and be competitive in the digital age.”
The programme should change user behaviour and encourage users to become more cautious and alert, as well as make them aware of cybercrime techniques so they can avoid falling for them, explains Collard from Popcorn Training.
“Since we are dealing with behavioural change, awareness programmes should be run like any other corporate change management project rather than an IT-driven initiative,” she says. “They need both actual training content, as well as supporting marketing communication material to reiterate messages across multiple mediums.”
Baltagi from SANS Institute concurs, adding that one of the best ways to make sure company employees will not make costly errors is to institute a company-wide security awareness campaign. “This includes, but is not limited to, classroom-style training sessions, online modular training and security awareness website(s), among others. These methods can help ensure employees have a strong understanding of company security policies, procedures and best practices.”
Identifying the topics that will have the greatest impact within the organisation is critical in planning an awareness programme.
According to Baltagi, a sound security awareness training programme should consist of a combination of existing organisational policies and procedures. “It should include topics such as physical security, password security, phishing, hoaxes, malware and copyright with regards to file sharing, among others,” he says. “These subjects will help give your employees an idea of how security affects them, how to prevent incidents from happening and what to do in the wake of a breach.”
In addition, Kolahzadeh from ITSEC says that there are currently still no industry-standard best practices enforced by a governing body. “We believe awareness training must be categorised into four groups: C-levels, managers, users and IT personnel,” he explains. “The topics should be tailored in accordance with these categories.”
Measuring the effectiveness of a user awareness programme is just as important as planning and executing it. “The onus, of course, will fall on IT teams or on the external training providers,” explains Baltagi.
“Effectiveness of such programmes can be determined as a by-product of penetration testing,” he says. “While uncovering the vulnerabilities of the organisations, the Pen Test can help determine whether the employees have been putting their learnings into practice.”
Kolahzadeh agrees, saying simulation-based techniques are the most effective metrics of a programme’s success. “Proprietary tools can be deployed pre-, during and post-cybersecurity awareness campaigns to fully analyse if the campaign’s key performance indicators have been met. For example, one of our basic tools is a fake phishing campaign designed for a particular organisation, where we can monitor, analyse and drill down to the person and IP address that clicked on the emails.”
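The quote above describes measuring a simulated-phishing exercise before and after an awareness campaign and drilling down to who clicked. The following is an added example, written for this article and not ITSEC’s proprietary tool or any vendor’s product, of the scoring side of such an exercise: it does not send any email, it only reads event records that a simulation platform would produce. The event records, the department names, the addresses and the KPI thresholds are all constructed assumptions.

```python
"""Scoring a phishing-simulation awareness campaign (added example).

Reads constructed event records from a simulated-phishing exercise run
before ("pre") and after ("post") an awareness campaign and computes the
KPIs the article mentions: click rate, report rate and a drill-down to
the user and source address behind each click. Data and thresholds are
assumptions, not measurements from any real organisation.
"""
from collections import defaultdict

# Constructed sample events: (phase, user, department, source_ip, action).
# One "delivered" record per recipient per phase; "clicked" and "reported"
# are outcomes. Alice's duplicate click in the pre phase is deliberate, to
# show that repeated clicks by one person must not inflate the click rate.
SAMPLE_EVENTS = [
    ("pre", "alice", "finance", "10.0.1.11", "delivered"),
    ("pre", "alice", "finance", "10.0.1.11", "clicked"),
    ("pre", "alice", "finance", "10.0.1.11", "clicked"),
    ("pre", "bob", "finance", "10.0.1.12", "delivered"),
    ("pre", "bob", "finance", "10.0.1.12", "clicked"),
    ("pre", "carol", "hr", "10.0.2.21", "delivered"),
    ("pre", "carol", "hr", "10.0.2.21", "clicked"),
    ("pre", "dave", "hr", "10.0.2.22", "delivered"),
    ("pre", "dave", "hr", "10.0.2.22", "reported"),
    ("pre", "erin", "it", "10.0.3.31", "delivered"),
    ("pre", "frank", "it", "10.0.3.32", "delivered"),
    ("post", "alice", "finance", "10.0.1.11", "delivered"),
    ("post", "alice", "finance", "10.0.1.11", "reported"),
    ("post", "bob", "finance", "10.0.1.12", "delivered"),
    ("post", "bob", "finance", "10.0.1.12", "clicked"),
    ("post", "carol", "hr", "10.0.2.21", "delivered"),
    ("post", "carol", "hr", "10.0.2.21", "reported"),
    ("post", "dave", "hr", "10.0.2.22", "delivered"),
    ("post", "dave", "hr", "10.0.2.22", "reported"),
    ("post", "erin", "it", "10.0.3.31", "delivered"),
    ("post", "frank", "it", "10.0.3.32", "delivered"),
]


def _rates(delivered, clicked, reported):
    """Counts plus rates; a bucket with nothing delivered yields 0.0 rates."""
    def rate(n):
        return n / delivered if delivered else 0.0
    return {"delivered": delivered, "clicked": clicked, "reported": reported,
            "click_rate": rate(clicked), "report_rate": rate(reported)}


def summarise(events):
    """Per-phase and per-department counts and rates.

    Each user is counted once per outcome, so duplicate clicks do not
    inflate the click rate. A user who clicks and later reports counts
    towards both rates, which matters when reading the numbers.
    """
    buckets = {"delivered": defaultdict(set), "clicked": defaultdict(set),
               "reported": defaultdict(set)}
    for phase, user, dept, _ip, action in events:
        if action in buckets:            # unknown actions are ignored
            buckets[action][(phase, dept)].add(user)
    keys = set().union(*(set(b) for b in buckets.values()))
    summary = {}
    for phase in {p for p, _ in keys}:
        per_dept, totals = {}, [0, 0, 0]
        for dept in sorted(d for p, d in keys if p == phase):
            counts = [len(buckets[k][(phase, dept)])
                      for k in ("delivered", "clicked", "reported")]
            per_dept[dept] = _rates(*counts)
            totals = [t + c for t, c in zip(totals, counts)]
        summary[phase] = _rates(*totals)
        summary[phase]["departments"] = per_dept
    return summary


def drill_down(events, phase):
    """Distinct (user, department, source_ip) tuples that clicked in a phase."""
    seen = []
    for p, user, dept, ip, action in events:
        if p == phase and action == "clicked" and (user, dept, ip) not in seen:
            seen.append((user, dept, ip))
    return seen


def kpi_met(summary, phase="post", max_click_rate=0.2, min_report_rate=0.4):
    """True if the given phase meets the (assumed) KPI thresholds."""
    s = summary[phase]
    return s["click_rate"] <= max_click_rate and s["report_rate"] >= min_report_rate


if __name__ == "__main__":
    report = summarise(SAMPLE_EVENTS)
    for phase in ("pre", "post"):
        s = report[phase]
        print(f"{phase}: click rate {s['click_rate']:.0%}, "
              f"report rate {s['report_rate']:.0%}")
    print("clicked after the campaign:", drill_down(SAMPLE_EVENTS, "post"))
    print("KPI met:", kpi_met(report))
```

The report rate is tracked alongside the click rate because a campaign that teaches people to forward suspicious mail to the security team is succeeding even when a few users still click; judging on clicks alone hides that. The drill-down output is meant for targeted follow-up training, not for disciplining individuals.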
As with any security scheme, user awareness training demands the investment of time and resources. Therefore, companies should also plan whether they want to carry out their programmes in-house or hire a third-party organisation.
“Running awareness campaigns in-house has the advantage of making content really relevant and aligned to the company’s culture,” says Collard.
However, she explains that it takes a lot of effort to successfully create and run a security awareness campaign and requires input from both security professionals and creative communication staff. “This is why, for some, it makes sense to purchase content from companies whose sole purpose it is to create security awareness material that can be modified or adjusted to meet the needs of their respective organisation,” she adds.
Sharing the same notion, Baltagi says that in-house training is more budget-friendly, which makes it easier to carry out regularly, while external training providers specialise in delivering awareness training and their programmes are usually more comprehensive. “In short, the best security awareness programme should feature a mix of both in-house and third-party training to leverage the unique benefits of each. These teams must also work in close collaboration to ensure a comprehensive campaign,” he says.
Security training is a critical component of a company’s security strategy and is an ongoing process that needs to be modified as an organisation grows. It is also important to understand that while people are considered by many IT security pundits to be the ‘weakest link’, they are still a company’s biggest asset. Therefore, investing in the expansion of their knowledge and skills in information security is fundamental to strengthening a firm’s security posture.