HUMANS ARE THE WEAKEST LINK IN INFORMATION SECURITY. This simple and oft-repeated fact may sound like a buzzword, but a quick look at incident records, such as the famous Target case or the more recent WannaCry mass attack, shows that even with the best technology in place, if the human factor is not taken care of, the level of exposure to threats, and the subsequent impact, is far higher than what most would call acceptable.

That is where security awareness training plays a major role. Fortifying the weakest link may be done in two ways: conditioning and awareness. While both deal with behavior modification, in most cases conditioning can be seen as the easier approach, and most companies will be happy with it, since it requires no understanding on the part of the user beyond being rewarded for blindly following a set of specific rules or punished for not doing so.

Awareness, on the other hand, requires knowledge: being conscious of why the rules exist and following them for reasons beyond a punishment/reward system. Your users will understand why information security is a vital aspect of your business, what the consequences of incidents are, and what is expected of them. It is important to understand that, at the end of the day, the main goal of security awareness is to provide a greater level of protection by ensuring employees are well aware of internal policies, understand basic security controls and know how to report security incidents.

The benefits of information security awareness

So, why do organizations need security awareness training? To put it simply, both conditioning and awareness may take some time and a good deal of effort to become an effective part of your company’s corporate culture, but the benefits, both short and long term, can be excellent improvement opportunities, such as:

  • Embracing your information security efforts: In order to be really effective, information security must be a corporate wide effort embraced over all hierarchical levels. Changing your corporate culture to adhere to the new security focus will be a much simpler task if people can understand and relate to the new controls and expected behavior. For instance, while it may be frustrating to try changing your password and receiving a message stating it does not comply with complexity requirements, your users might be convinced by understanding that using ‘123456’ or ‘1q2w3e4r5t’ as a password is a security risk due to brute force or password guessing attacks.
  • Less time to detect security incidents: Having security-aware users does not always mean fewer incidents, but, since they will know what constitutes a security incident and how to report it, detection times will be significantly lower. This means that a significant number of incidents might be prevented, and even the ones that do occur will get a better response and, consequently, have a reduced impact.
  • Uphold compliance efforts: If your company falls under legislation such as Sarbanes-Oxley 404 or is interested in achieving a security standard similar to ISO 27001, an awareness program is essential. Your focus should be ensuring that users are aware of security policies, norms, risk, threats and expected behavior, but awareness training will also provide extensive evidence of compliance efforts and the commitment of the upper management to information security.
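The first benefit above explains the complexity requirement in terms of what it actually blocks: well-known passwords such as ‘123456’ and keyboard walks such as ‘1q2w3e4r5t’. The following screening function is an added example, not code from the article or any product it mentions; the minimum length, the tiny blocklist and the QWERTY row layout are constructed assumptions for illustration. It goes slightly beyond the text by also catching alphabetical or numeric runs (e.g. ‘abcdef’), which brute-force and guessing tools try just as early.

```python
from typing import Dict, List, Tuple

# Assumed policy value: a real policy would set this from its own standard.
MIN_LENGTH = 12

# Constructed sample of a breached/common-password blocklist. A real deployment
# would load a large list (e.g. a breach corpus) rather than this handful.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "welcome"}

# US QWERTY rows, used to recognise "walks" across physically adjacent keys.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _key_positions() -> Dict[str, Tuple[int, int]]:
    """Map each key to its (row, column) on the layout above."""
    return {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


_POS = _key_positions()


def _adjacent(a: str, b: str) -> bool:
    """True when two distinct keys touch horizontally, vertically or diagonally."""
    if a == b or a not in _POS or b not in _POS:
        return False
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_ratio(password: str) -> float:
    """Fraction of consecutive character pairs that are adjacent keys.
    '1q2w3e4r5t' scores 1.0 because every step is a diagonal hop between rows."""
    s = password.lower()
    if len(s) < 2:
        return 0.0
    pairs = list(zip(s, s[1:]))
    return sum(_adjacent(a, b) for a, b in pairs) / len(pairs)


def sequential_ratio(password: str) -> float:
    """Fraction of consecutive pairs whose code points differ by exactly 1,
    which flags runs such as 'abcdef', '123456' or '987654'."""
    s = password.lower()
    if len(s) < 2:
        return 0.0
    pairs = list(zip(s, s[1:]))
    return sum(abs(ord(a) - ord(b)) == 1 for a, b in pairs) / len(pairs)


def assess_password(password: str) -> List[str]:
    """Return the list of reasons a password is rejected; an empty list means accepted.
    The 0.75 thresholds are assumed tuning values, not a published standard."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if keyboard_walk_ratio(password) >= 0.75:
        reasons.append("keyboard walk")
    if sequential_ratio(password) >= 0.75:
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    # The two examples from the article plus a passphrase that passes.
    for candidate in ("123456", "1q2w3e4r5t", "correct-horse-battery-staple"):
        verdict = assess_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Returning the list of reasons, rather than a bare yes/no, is what makes the control teachable: the message shown to the user can say *why* ‘1q2w3e4r5t’ was refused, which is exactly the understanding the awareness argument above relies on.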

Information security awareness might be required by law

Aside from the obvious benefits, in some cases not having awareness training in place is not an option, as several laws and regulations simply require a formal information security awareness program, for example:

  • Federal Information Security Management Act (FISMA): FISMA, 4 U.S.C. § 3544, requires “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency”, including making sure users understand information security risks associated with their activities, their responsibilities in complying with agency policies, and procedures designed to reduce these risks.
  • Health Insurance Portability and Accountability Act: Amongst its training requirements, HIPAA Security Rule 45 CFR § 164.308(a)(5) defines as a standard to “[i]mplement a security awareness and training program for all members of its workforce (including management)”, meaning that each new workforce member must receive security awareness training within a reasonable period of time after hiring, including periodic security updates, protection from malicious software, and password management.
  • Gramm–Leach–Bliley Act: also known as the Financial Services Modernization Act of 1999, the GLBA safeguard rule includes three areas that are particularly key to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. Companies must make employees aware of the necessary steps to maintain the security, confidentiality, and integrity of customer information, including basic physical security of records, password protection, encryption and reporting suspicious activities.
  • State regulations: There are already state law regulations such as Massachusetts’ 201 CMR 17.00 standards for the protection of personal information of residents of the Commonwealth. It requires ongoing employee (including temporary and contract employee) training on compliance with policies and procedures, the proper use of the computer security system, and the importance of personal information security. Another example is the Nevada Personal Information Data Privacy Encryption Law, NRS 603A, one of the earliest state laws on the subject: since January 2010, the Nevada data security law has mandated encryption for customers’ stored and transported personal information.
  • Payment Card Industry Data Security Standard (PCI-DSS): Not really a law, but a proprietary information security standard for organizations that handle branded credit cards from the major card schemes. The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. Control 12.6 requires the implementation of a formal security awareness program to educate all employees about the importance of cardholder data security.

Controlling threats with security awareness

Some security incidents cannot be prevented or detected by technology. A simple example is social engineering. The art of manipulating people does not require the use of technology and may be applied over a telephone call to steal information (e.g. confidential data, passwords) or even on site to gain physical access to restricted areas. Unfortunately there are few, if any, technical controls that can be used to avoid this sort of attack, so the only feasible option is to make your users aware of the threats and of how to deal with them.

Another example of an information security threat that cannot be addressed with technical controls is spoken information. Many times your users might discuss company information, even sensitive data, in places where they can be overheard by an unauthorized third party. This may happen inside the company’s physical perimeter, but also in public places. Again, the only way to prevent this is to make your users aware that discussing restricted information in an insecure place can have severe consequences for the company.

It is important to understand that security awareness is essential to reinforce any security-related topic with your workforce. Not just operational users but also executives are a juicy target for cybercriminals, who will take any chance to steal your data, blackmail your company, or try any other approach that might make a profit. Topics such as social engineering (with or without the use of technology), phishing/spear phishing, acceptable use of information, secure data disposal techniques, incident reporting, data encryption, password management, and data protection (in both physical and digital formats) are essential topics for any awareness program and will help you prevent major incidents.

Should my company invest in security awareness training?

As of 2016, IBM’s study of the cost of data breach[1] for the USA identified an average 7% increase in the total cost of a data breach. Some companies affected by severe security incidents not only lose customers’ trust, but might end up losing the entire business after a major data breach.

Awareness training has been identified as one of the major factors that decrease the cost of a data breach. It is really a simple question of numbers: the average leak incident involves around 29,611 records, each representing a cost of $221.00 per record. This means an expected loss of $6,544,031.00 during an incident. With a fraction of that amount, any company can create a state-of-the-art awareness training program.


Concluding thoughts

The human factor is directly involved in most data breaches or any other form of security incident. From simple, unintentional mistakes of poorly trained employees to insiders that are willing to steal company information, the best approach to security is having a well-trained and aware workforce.

Assuming you are just starting your awareness program, it is important to keep in mind that real change takes time, but with the proper effort, awareness training might just be the stepping stone for a new culture, one that not only uses information security, but also embraces it as a corporate practice.

[1] 2016 Cost of Data Breach Study: United States, IBM

Be Safe

Claudio Dodt

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
