Why it’s Time for a More Personalised Approach to End-User Security Training
When history comes to be written about the current decade by technologists, the past few months will be marked as a turning point. The way organisations work will not be the same again.
Over six months into the pandemic, organisations have become more exposed than ever, due directly to a more remote workforce, which has clearly increased the cyber risk for large, medium and small businesses alike. Attackers are exploiting insiders, using lateral movement, ramping up phishing, and targeting weak home routers and insecure SaaS and cloud services.
Technology can’t fix it all. That is why user awareness training is more important than ever. October is Cybersecurity Awareness Month and the perfect time to examine how employees are behaving in this new remote work environment. Yes, we’ve heard a lot about security education, but this is different now: hear me out.
Bending the rules
Trend Micro recently polled 13,200 remote workers in 27 countries to better understand their attitudes to security policies under lockdown. If you have a face shield, put it on now to avoid injuring yourself face-palming at these statistics. Here in Canada, cybersecurity is top of mind among staff, but given the remote working circumstances, some are choosing to avoid it or test the limits:
- One in five give others unsupervised access to their work laptop
- One in four have worked on sensitive documents in view of members of the public
- Nearly half (49%) use non-work devices to access corporate data
- Nearly three-quarters (73%) have connected their work laptop to the home network, where it shares a connection with potentially insecure personal devices
It’s easy to understand this behaviour change: the environment changed overnight because of the pandemic, and already stretched IT departments were stretched further. Something has to give. There are shortcuts to teleworking, such as using a home device to conduct work activities, that unfortunately increase security risk for the employer.
Security leaders have to continually demonstrate to businesses how productivity and protection are not mutually exclusive. Employees can do their jobs just as effectively by following policies, accepting security controls and using pre-approved apps and devices. Yet especially under lockdown, the shift to productivity at all costs has threatened to disrupt this delicate balance.
It comes as cyber-criminals look to capitalise on distracted home workers, unprotected endpoints, overwhelmed VPNs, and distributed security teams who may be forced to focus on more pressing operational IT tasks. As a data point, Trend Micro blocked 8.8 million COVID-19-related threats in the first half of 2020. It takes just one getting through and convincing a remote worker to click, and the organisation may be confronted with a debilitating ransomware outage, a BEC-related financial loss, or a damaging data breach.
Big hammers don’t work; it has to be a nuanced approach
Against complex and agile attackers, our security necessarily has to be multidimensional to be effective. Security can’t all sit in one layer, whether endpoint or gateway. Best-practice cybersecurity requires a combination of people, process and technology. Yes, it includes people.
However, the people part has historically been neglected, which is one of the reasons phishing is today the most popular cybercrime threat vector: over 95% of attacks involve an email component. Training programs are too often one-way, one-off affairs that may raise awareness for a short period but do little to change behaviours in the long term.
So what can CISOs do to empower their colleagues to adopt safe practices at home, or wherever they work remotely? Those who are fearful may respond well to real-world simulation exercises, which let them try and experience things they wouldn’t normally. For those who are less aware of potential security risks, gamification techniques can give them an experience to reference.
Colleagues may also benefit from being mentored by security champions within the organization.
The most important thing to bear in mind with user training is to keep lessons short and regular, and to act on the feedback you receive to continuously improve courses. These should never be a chore for employees. With a more considered, personalised approach, CISOs can change user behaviours and build both an effective first line of threat defence and a security-aware corporate culture. Take a tone of helpful education, and under no circumstances create a culture where an employee fears reporting that they may have compromised something. Just check Twitter: every security leader worth anything will admit they have clicked on a suspicious link when tired, stressed, jetlagged, busy, or just distracted. Mea culpa, and I reported it immediately without fear of repercussion or shaming. Culture is King and Queen in security.
Ultimately, no two organisations are the same. CISOs will need to approach this task according to their risk appetite and the type of work remote staff undertake. But tackling education a little differently is a great first step, as is making cultural changes, especially when workers may be feeling a little disconnected. Don’t let them disconnect from being part of better security.