If Humans Are Your Weakest Security Link, Train Your Humans

Even with advanced technologies available to hackers, what technique do they use most often to gain access to sensitive data or spread malware? Phishing attacks. Hackers know it’s much easier to trick a human with a deceptive email than it is to trick or circumvent security software. Instead of trying to pick a lock, they would rather convince a person on the other side of the door to unlock it and let them in.

While security software can and should be used to prevent phishing attacks, effective security begins with increased awareness among those who are being targeted. Security awareness training can help users recognize phishing attacks, avoid clicking malicious links and attachments, and report incidents to avoid repeat occurrences. However, training isn’t just about understanding specific threats.

Security is about people, processes and technology. All must be aligned for security to be effective. People are often the weakest link but can be your strongest asset if your organization builds a cybersecurity culture. When you have a cybersecurity culture, security policies are viewed as rules, not guidelines or recommendations. Risk reduction is perceived as a shared responsibility, not someone else’s problem. Identifying and reporting security threats is an important job function, not a nuisance.

The SANS Institute’s Security Awareness Maturity Model has five stages:

  • Non-Existent: There is no cybersecurity program.
  • Compliance-Focused: The program is designed to meet minimum compliance requirements and includes limited training.
  • Promoting Awareness and Behavior Change. The program offers ongoing, engaging training that promotes behavioral change.
  • Long-Term Sustainment and Culture Change. The program has the leadership support, resources and processes required to succeed.
  • Robust Metrics Framework. The program has metrics to demonstrate change and proficiency, indicating a full maturity.

According to the 2019 SANS Security Awareness Report, organizations are slowly headed in the right direction in terms of maturity. Over the past three years, there has been a steady decrease in the two least mature stages. Non-existent programs have dropped from 7.6 percent to 4.36 percent and compliance-focused programs have dropped from 27.1 percent to 21.1 percent. At the same time, the two most mature stages are up 5 percent each.

Security awareness training programs have an obvious budgetary and operational impact. These programs cost money and can eat into work time, so a lack of support due to these factors is a common problem. Other issues include a general lack of understanding about the importance of training, a lack of consistent, ongoing training, and a lack of real-world testing to verify employees are retaining training lessons. However, the most critical success factor is leadership support. Aside from obvious support from the information security and IT folks, senior leadership is the biggest supporter of security awareness training programs.

As part of the SSD Assurance program, we offer an annual employee training session that focuses on phishing, as well as the KnowBe4 program for organizations that want more consistent, ongoing training. In addition to providing organizations with access to the world’s largest library of security awareness training, KnowBe4 uses fully automated, simulated phishing attacks to test employee knowledge. Let us help you reduce risk by turning your workforce from weakest link into a powerful layer of defense against cyberattacks.