A User Risk Report released by Wombat Security earlier this year revealed that many workers are not only unfamiliar with security threats and how to combat them, but are prone to making bad security choices and practicing dangerous habits that can put confidential information at risk.
Here are some key findings from that report:
As a result, it's not surprising that the report found half of US respondents had been victims of identity theft and nearly half had been compromised by phishing attacks.
The report concluded by advocating employee education programs in order to create a culture of cybersecurity. However, keeping users informed about the current threat landscape isn't the hard part of establishing appropriate cybersecurity. The hard part is keeping them focused on their own behavior so that they understand how to make the right choices.
As a system administrator I'm a big proponent of automation wherever possible, and this includes patching and securing systems and devices. Proper automation can apply updates and restart systems without relying on end users, run in the background in the form of anti-spam filters and antimalware software, or enforce policies intended to protect devices, such as mandating passwords or requiring encryption.
Kurt Wescoe, Wombat Security's chief architect, said that authentication, authorization and centralized control should be the foundation of every company's security plan. Leveraging a single sign-on service (internal or from an external SaaS provider like Google, Ping or Okta) can yield additional benefits, making it easier to control and audit access to applications, reduce the number of passwords users must manage, and apply password policies and multi-factor authentication.
However, automation can't do everything, which is why establishing the appropriate user mindset is critical. Awareness has to go hand in hand with education so that users can protect themselves, which in turn helps your information security team become proactive instead of reactive.
Here are six ways you can help improve your users' security awareness:
Wescoe pointed out that comprehensive end user training can educate users about threats and how to handle them, but doesn't change the fact people are human beings who make mistakes or behave in imperfect manners, and therefore striving for a 100% successful security strategy is unrealistic.
Establish routine education/training sessions for new and existing users, scheduled at least as often as systems are patched, plus case-by-case sessions (e.g. when a user asks how to handle a suspicious email) to illustrate proper security practices.
Set clear goals for the training and don't throw everything including the kitchen sink at users all at once. Make the training as focused and specific as possible, tailor it to your environment and use concrete examples (such as how the compromise of a user's password could give an attacker access to particular systems in the company).
"We've found the most successful companies assess users to identify their areas of weakness, target those with education and reinforcement exercises, and then reassess to evaluate the impact of their efforts," said Wescoe.
Those who work in the security realm may be susceptible to overestimating the awareness of the general public toward security risks and appropriate behaviors. This could be giving security professionals false confidence and may be the reason just under half of organizations have a security awareness training program for their employees, said Amy Baker, Wombat's VP of marketing.
Policies set a framework of expectations for appropriate user behavior and how to address security concerns. If you haven't already, consider implementing policies on the following (or other) topics:
Distribute the policies for users and have them sign off on these to confirm they have read them and understand the contents.
Arrange to send out weekly contextual security tips via email to help users operate company-owned devices and software more effectively.
In addition to informing users of security-related topics or events, use central logging of all activities, including malware detections, the use of unauthorized devices, access privileges and commands run on systems, and follow up as needed. For instance, ask users why a file they downloaded triggered a virus warning, why they logged into a system they don't need for their job duties, or why they installed a given application if the circumstances seem suspicious.
Explain the reasoning behind the security methods, controls and operations your company engages in. For instance, nobody enjoys rebooting their system following the application of updates, so rather than enrage users by restarting their devices at random times, utilize a specific schedule for centrally-controlled reboots (5 a.m. is a good time) and inform them in advance as to what is happening and why, so they can save any open files in advance.
SANS, 24by7 Security and KnowBe4 all offer email newsletters to help users and administrators stay informed. The latter is one of my favorites; KnowBe4's cyberheist newsletter is detailed, informative and fun to read since it often includes links to entertaining articles and videos about an array of topics. Subscribe users to these or forward them to the user community as needed.
Security blogs are also another good resource. You might consider sending links to relevant posts and articles provided on these sites when you send out security tips via email.
Phishing your own employees can test their awareness and know-how and allow you to understand where security weakness may lie.
Conduct other exercises such as leaving USB keys in random locations around the organization to see whether users insert them into their computers (your logging mechanisms, as mentioned above, should notify you when that happens), placing phone calls purporting to be from support personnel and requesting passwords, or other endeavors intended to test their responses.
It may be argued that these measures are too extreme and could build suspicion or even paranoia among the user community and cause them not to trust the Security department... but a healthy lack of trust toward unverified requests is exactly what these exercises are meant to build.
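The central-logging follow-up described a few paragraphs above, and the USB-key drop just described, both depend on being able to turn a pile of endpoint and authentication events into a short list of "go ask this user about this" items. The script below is an added example (not from the original article or from Wombat Security) showing one way to do that. The log format, hostnames, usernames, the role-to-host table, the removable-media allowlist and the approved-software list are all constructed for the example; a real deployment would pull them from your SIEM and directory.

```python
"""Triage centrally collected endpoint/auth events into a user follow-up list.

Added example. Everything below (log format, users, hosts, role table,
allowlists) is constructed; it is not the article's or any vendor's code.
"""
import re
from collections import defaultdict

# Constructed sample export from a central log (one key=value event per line).
SAMPLE_LOG_LINES = [
    r"ts=2019-03-04T08:02:11 type=login user=jdoe host=fileserver01 result=success",
    r"ts=2019-03-04T08:05:43 type=login user=jdoe host=hr-payroll result=success",
    r"ts=2019-03-04T09:14:02 type=av_alert user=asmith host=wkstn-17 file=C:\Users\asmith\Downloads\invoice.exe threat=Trojan.GenericKD",
    r"ts=2019-03-04T09:20:30 type=usb_insert user=asmith host=wkstn-17 serial=0A3F9C",
    r"ts=2019-03-04T10:01:09 type=install user=bnguyen host=wkstn-22 app=TeamViewer",
    r"ts=2019-03-04T10:30:00 type=login user=bnguyen host=vpn-gw result=failure",
    r"ts=2019-03-04T10:30:05 type=login user=bnguyen host=vpn-gw result=failure",
    r"ts=2019-03-04T10:30:11 type=login user=bnguyen host=vpn-gw result=failure",
    r"ts=2019-03-04T10:30:15 type=login user=bnguyen host=vpn-gw result=failure",
    r"ts=2019-03-04T10:30:20 type=login user=bnguyen host=vpn-gw result=failure",
    r"ts=2019-03-04T11:12:50 type=usb_insert user=itadmin host=wkstn-01 serial=77B21E",
]

# Constructed role model: which hosts each job role legitimately needs.
USER_ROLES = {"jdoe": "sales", "asmith": "marketing", "bnguyen": "finance", "itadmin": "it"}
ROLE_HOSTS = {
    "sales": {"fileserver01", "crm01", "vpn-gw"},
    "marketing": {"fileserver01", "vpn-gw"},
    "finance": {"fileserver01", "hr-payroll", "vpn-gw"},
    "it": None,  # None means any host is in scope for this role
}
USB_ALLOWED = {"itadmin"}          # assumed removable-media allowlist
APPROVED_APPS = {"7-Zip", "VLC"}   # assumed self-service software list
FAILED_LOGIN_THRESHOLD = 5         # failures per (user, host) before we ask

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value event line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def triage(log_lines):
    """Return a list of (user, reason) items worth a follow-up conversation."""
    followups = []
    failed = defaultdict(int)
    for line in log_lines:
        ev = parse_line(line)
        user, host, kind = ev.get("user"), ev.get("host"), ev.get("type")
        if kind == "login":
            if ev.get("result") == "failure":
                failed[(user, host)] += 1
                continue
            # Unknown users get an empty allowlist, so they are always flagged.
            allowed = ROLE_HOSTS.get(USER_ROLES.get(user, ""), set())
            if allowed is not None and host not in allowed:
                followups.append((user, f"logged in to {host}, not needed for role {USER_ROLES.get(user)}"))
        elif kind == "av_alert":
            followups.append((user, f"antivirus flagged {ev['file']} as {ev['threat']} on {host}"))
        elif kind == "usb_insert" and user not in USB_ALLOWED:
            followups.append((user, f"inserted removable device {ev['serial']} into {host}"))
        elif kind == "install" and ev.get("app") not in APPROVED_APPS:
            followups.append((user, f"installed unapproved application {ev['app']} on {host}"))
    # Repeated failures are only interesting once they cross the threshold.
    for (user, host), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            followups.append((user, f"{n} failed logins to {host}"))
    return followups


def by_user(followups):
    """Group reasons per user so one e-mail or conversation covers them all."""
    grouped = defaultdict(list)
    for user, reason in followups:
        grouped[user].append(reason)
    return dict(grouped)


if __name__ == "__main__":
    for user, reasons in by_user(triage(SAMPLE_LOG_LINES)).items():
        print(f"{user}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed log, the script flags jdoe's login to the payroll host, asmith's antivirus hit and USB insertion, and bnguyen's unapproved install plus a run of failed VPN logins, while itadmin's USB use passes because that role is on the allowlist. The point is not the specific rules but that each item carries a plain-language reason you can put in front of the user, which is what turns a log entry into the teaching moment the article describes.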
You might also consider arranging for security quizzes (complete with prizes) to test user awareness and comprehension of potential threats.
I recommend focusing more on positive than negative reinforcement: when users comply with security policies and practices, reward them rather than punishing those who don't. The reward can be left to you and their managers, and may take the form of material goods, public recognition, time off or some other incentive.