By Lawrence Dinga, MSc., CISSP
Cyber security budgets in many organizations are consistently high and robust, but there is a real concern that too much is being spent on strictly technical safeguards such as legacy security technology like firewalls and anti-virus products. These technical measures can be bypassed with little effort by an attacker who targets gaps in an employee's knowledge of cyber security best practices. That is why, in spite of all the technical controls designed to prevent security breaches, security incidents remain common in organizations, and the major root cause is users' actions. Changing user behavior represents the critical "last mile" of reducing risk on the prevention side of the security risk equation. Security awareness and education therefore become increasingly important to any organization in this interconnected era.
“Over 95 percent of all [security] incidents investigated recognize ‘human error’ as a contributing factor.” IBM Security Services 2014 Cyber Security Intelligence Index
In the JPMorgan breach (https://en.wikipedia.org/wiki/2014_JPMorgan_Chase_data_breach), investigators revealed that the hackers breached a server using credentials stolen from a bank employee (the server also lacked two-factor authentication). Though the source of the credential theft was not made clear, logins and passwords are a common target of employee-focused phishing scams. In attacks like these, attackers prey upon a lack of employee security awareness to make their work easier. Now more than ever, it’s imperative that security awareness programs are implemented at every tier of an organization, from executive to entry level, to help mitigate potential threats.
Different organizations take different approaches to user security education. Some prefer classroom training while others use e-learning platforms, but for any solution to be highly effective and reduce security risk, it must engage users and change their behavior. The solution should be interactive, allowing users to learn through engaging teaching methods, realistic examples and hands-on practice. In other words, the solution should be based on proven Learning Science Principles that help employees learn how to protect themselves, and their employers, from security risks.
A thoughtful training approach that draws on Learning Science Principles employs a cyclical model of assessment, education, reinforcement, and measurement. This cycle helps users change their behavior and can reduce malware infections and successful phishing attacks by up to 90%.
Training modules should be short, around 10 to 15 minutes, because short bursts of training are consistently more effective. People learn better when they can focus on small pieces of information that the mind can digest easily. Unlike one-off seminar videos and PowerPoint presentations delivered once a year, effective user training should be delivered continuously throughout the year. It is also important to present lessons in the same context as the one in which the person is most likely to be attacked.
After evaluating a handful of end user security training solutions, I found that Wombat Security Technologies is the only company to offer a complete suite of security education solutions that leverage progressive training techniques to effectively improve human response against cyber-attacks.
Wombat Security is a Leader in the NEW Gartner Magic Quadrant for Security Awareness Computer-Based Training Vendors.
Access the Magic Quadrant report here: http://info.wombatsecurity.com/wombat-named-a-leader
Access sample training modules here: https://info.wombatsecurity.com/espion-register-training