These days, you can do a lot of things with a click of a button: send an emoji, record your favorite TV show, order paper towels from an online retailer that ships to you within two business days. But it can also take just one click — say, opening a compromised email or URL — to breach a company’s entire network.
IT departments can combat end-user security risks by implementing malware protection, threat detection, network security tools and more. But perhaps it’s more important to address the human element — educate employees on threats and how to avoid them through end-user security awareness training.
“The key is to continually keep security on the top of users’ minds,” said Kevin Beaver, an independent security consultant at Principle Logic. “It’s all about working together with management, especially HR, to ensure that common-sense security basics … become part of the organizational culture. To simply assume that users will always make good choices is to assume that your security program has no flaws.”
Why you need end-user security awareness training
End users have always been a weak point in enterprise security. Now, hackers are more sophisticated in their attacks, from increased use of email attachments to targeting more vulnerable users. Mobile devices add another attractive surface for attackers to exploit, as people use their phones constantly and are easy targets via text or even social media.
End users are especially vulnerable to security attacks because they access basic resources such as email and websites that hackers can easily compromise. But employees have two big perception issues: They think they know enough about the internet to not fall prey to these attacks, and that the cyberattacks they see in the news couldn’t possibly happen to them, said Michael Cobb, a security consultant based in the U.K.
“Often, both of those beliefs are inaccurate,” said Michael Cobb, security consultant.
Anyone can be susceptible to phishing, in which an attacker tricks the user into clicking a malicious link or opening a malicious attachment that launches malware or gives the attacker a foothold on the company’s network from which to obtain sensitive data. Spoofing techniques have also become more advanced, making it easier to convince users that an email comes from a trusted source. Less than half of U.S. users know what ransomware is, and only 16% know about SMS-based phishing, according to Wombat Security’s State of the Phish 2018 report.
Plus, modern-day threats constantly change and evolve, so it’s critical for IT to keep on top of risks that users might not immediately perceive.
“It needs to be an ongoing exercise because the threat vectors are developing and changing so quickly,” Cobb said. “People really need a refresher to keep them up to date.”
And you don’t have to be Target to be at risk. Attackers may seek out small organizations or ones with seemingly little sensitive data because they want to access that organization’s clients’, customers’ or contractors’ networks through a back door.
“It’s important to assess and review all your partners and make sure they have at least similar security mechanisms as you,” said Liviu Arsene, a senior e-threat analyst at Bitdefender, a cybersecurity software provider based in Romania. “Give them the same training you would give an employee.”
Types of security awareness training
End-user security awareness training educates users on the most current cybersecurity dangers, how to access corporate resources in a secure way and what IT policies are in place to prevent security breaches. Great Expressions Dental Centers, based in Southfield, Mich., uses an in-house training application and meetings to train its users, who are spread across about 277 office locations.
“We want to educate our user base so they’re aware of what’s out there and hopefully not fall victim,” said Kevin Schokora, director of IT operations at Great Expressions.
Some organizations offer training via applications such as KnowBe4, Phishing User Training and Ninjio. These tools often include videos or visual learning methods. With these types of tools, IT can track who completes the training and administer tests to confirm that employees absorbed the material. Others present seminars by consultants or in-house staff such as HR or even compliance or legal officers.
It’s often best that IT itself not perform the training sessions, because users may chafe at a message conveyed by IT staff that they are doing something wrong and “need to knock it off,” Beaver said.
“Unless you’re a master in communication and understand what it takes to truly inspire people so that they can be educated over the long term, I think these efforts are best left up to someone else,” he said.
Informal training sessions, such as a lunchtime meeting, are a good way to get users comfortable and engaged, Cobb said.
“You provide the sandwiches, and people don’t feel it takes out of their working day,” he said. “Encourage people to share any experiences they’ve had. People can relate to, ‘Gosh, yeah I often do that at home and maybe I shouldn’t.’ If they can see that it can make their home computing and network more secure, they tend to get very much more engaged.”
A little gamification can help, too. With online training, challenge each department to finish its training first, or see who can get the highest score, and employees are more likely to get involved.
Organizations can also supplement end-user security awareness training with regular newsletter updates or other forms of communication directly from IT.
Great Expressions includes IT security updates in the company’s monthly newsletter. The key is to involve HR and marketing staff to make the material enticing for readers, Schokora said.
“Making it fun and making it interesting, making them want to read it, gives it value,” he said. “It seems to be resonating. And if we are alerted to anything that is critical — let’s say WannaCry — that would result in direct communication … to notify the population of this threat.”
To ensure that users pay attention to their security training, organizations can even write it into their job descriptions and include training scores in their employee evaluations, Cobb said.
Major risks to address
Hackers and malware present the biggest threats to end users, so end-user security awareness training typically seeks to address attacks that deceive users, such as phishing or other social engineering tactics.
“The messaging needs to be around using common sense — stop opening attachments, stop clicking on links, start using better passwords, and the like,” Beaver said. “I’m a firm believer that IT and security team members need to set their users up for success by actually enforcing the policies they are pushing.”
Those threats will only grow and become more common in platforms beyond just email, said Dane Young, strategic business advisor at Entisys360, an IT consultancy based in Concord, Calif. Communications on Twitter, LinkedIn, instant messaging or Slack, for example, could all be susceptible.
“No communication medium is invincible [enough] that hackers couldn’t jump into that medium that people assume is trusted,” Young said. “People impersonate other people all the time.”
Training on data handling and IT’s own policies is also critical to ensure that employees access the right corporate resources in the right way. A simple step is to drive home the need for users to frequently change their passwords according to IT’s set rules, Cobb said.
Most recently, the implementation of the European Union’s General Data Protection Regulation (GDPR) in May has sparked more organizations’ interest in stronger end-user security awareness training, he said.
“I’m getting more in-depth questions from people,” Cobb added. “GDPR has put data handling as a top priority across the board.”
Compliance training is critical for Great Expressions’ dental offices, because employees handle patients’ personal and health information. The compliance team works with IT to ensure that guidelines on remaining compliant with the Health Insurance Portability and Accountability Act are part of end-user security awareness training, Schokora said.
“One of the best ways to facilitate enterprise security is to have great relationships with legal and compliance, and combine that with security to arm your employees so that they’re set up for success,” Schokora said. “You can have the best software in the world, but without having that enterprise commitment, you’re increasing your risk of failure.”