Most successful attacks target end users in one form or another. Typically, attackers lure a company's employees into unknowingly divulging company secrets or passwords, or trick them into clicking links or visiting websites that install malware on their computers. In the worst case, this happens to a user with domain administrator privileges and your entire network becomes a playground for the attacker.
Another common cause of reported breaches is lost or stolen devices that were not physically secured or properly encrypted. These devices, especially removable media, often hold sensitive data that is not protected by encryption, and are then lost or stolen. In my experience, when such incidents occur, employees will often argue that they were not aware of the corporate policy to protect such data or felt ill-equipped to use the technology made available to them.
An important component in preventing such situations is to properly educate company employees. However, most corporate security education and awareness programs are antiquated, stale, boring, and lack tailored content for specific roles within the organization. Company employees often run kicking and screaming when such training is mandated, and executives either request exemptions because of their busy schedules or force their assistants to complete the training for them. After sitting through many such training programs, I really can't blame them.
Based on my experience, I believe that a robust and effective security education and awareness program must contain the following key elements:
1) For all new employees

- On day one, all employees are required to complete a short, tailored and position-relevant security awareness training. Key to this training is that all new employees walk away understanding how to get security help if needed and knowing when and how to report a security incident.

- New employees are provided with access to online resources such as information security policies and how-to guides for key security technologies and scenarios, e.g. how do I send a secure email, how do I handle PII, etc.
2) For company executives

- Companies should develop and deliver a tailored security education program for executives. The training should be customized to the individual executive and should be based on the most likely digital threats to that executive. This type of program should be coordinated with other physical security programs, if such programs exist, as online and physical threats to executives are often linked. I recommend one-on-one training with the executive once per year as the most effective mechanism for this audience.
3) For traveling employees

- For companies with employees traveling overseas, provide specific training based on the countries being visited. Focus on the key tasks they need to perform while traveling, such as accessing email and sending documents, and on what to do in case of a suspected breach or an attempted seizure of technology resources. Equally important is ensuring the employee understands any actions they need to take when returning from certain high-risk countries.
4) For IT employees

- Provide targeted training to information technology staff. Ensure developers know how to follow secure coding best practices and how to securely handle source code and other intellectual property. Make sure that all system administrators are well versed in the dangers of using domain administrator accounts to perform high-risk functions such as browsing the Internet or reading email. Also, ensure that system administrators are trained on the corporate policy regarding the safe handling of such accounts.
5) For all employees

- Security teams should consider their end users one of their most important and valuable detection sensors, and work to maintain the health of these sensors just as they do for their IDS/IPS devices and endpoint sensors. This means providing end users with continual training and education, especially on new threats.

- For existing employees, run simulated phishing against a percentage of the user base each month until all employees have been tested. Provide training for those who fail the test, then rinse and repeat to ensure the training is effective.

- Finally, gamify your security awareness training and make it mobile friendly. Keep the content fresh and engaging for all generations of your workforce. Also, make the training relevant to both the employee's work and home life, including being safe on social media. You know you've got it right when your employees ask if they can include their family and friends in the training!