How can a company best protect itself? Most organizations will have invested heavily in a broad array of security technologies. However, when a security breach happens it’s most often down to basic human error. That is why hackers spend their time devising new ways to trick employees into giving away even the tiniest nugget of information that could get them access to the organization’s infrastructure (it’s called phishing for a reason).
What might appear at face value to be a fairly insignificant piece of information could, to a hacker, be the keys to the network and Christmas come early. The findings from the abundance of firms running social engineering tests to see what data employees will give away are proof that employees don’t understand the contribution they make to ‘protecting the realm.’
Reports of hacks are becoming so commonplace that in many ways it is hard to know whether their impact and probable causes, for example poor password management, are really resonating with employees. Despite many people receiving notifications from the likes of Tesco, eBay, Kickstarter et al urging them to strengthen their passwords in the face of recent attacks, if you walk around a typical enterprise you will still find people with a yellow post-it note stuck somewhere on their desk carrying their log-on details to what should be a secure network.
It’s not hard to see in scenarios such as these why people are considered to be the weakest link. Yet if this is the case, why is so little time spent proactively training them in IT security? More often than not it is done once and, box ticked, forgotten about, but such an approach does little to guarantee a company’s security given how rapidly hackers evolve their methods of attack. To ensure that employee knowledge is current and relevant, training should take place at least twice a year. Whilst that is obviously a big outlay in terms of time, resources and money, when we’re staring at a global economic bill that amounts to hundreds of billions, surely it is an investment worth making?
Bringing home the real risk and its associated implications is key to a successful IT security training programme. You don’t want to scare people witless, but there is a real need to give them a reality check, especially as mobility increasingly changes the face of the enterprise and fewer devices are tied directly to the network. This network without boundaries makes security training vital regardless of whether you are the CEO or ‘on the shop floor.’
Hackers don’t discriminate, so neither should you. That doesn’t mean that training should be delivered en masse: it also needs to be relevant, otherwise people will tune out. It is simply human nature. Just as important as relevance is ensuring that the training is appropriate for that point in time.
All too often training is a reactive process that only happens once an incident has already occurred, which is too late. Enterprises need to take the time to understand the threats to their marketplace, where their vulnerabilities lie (e.g. is the company more likely to lose data via a lost device or an online database hack?) and how employees could potentially compromise its security in different situations. In short, IT security training needs to be built from the ground up around your business and your business model. Generic ‘don’t do this and don’t do that’ guidance that doesn’t take into account both the external and internal factors affecting your company won’t yield results or create a more secure environment.