End User Security Awareness Best Practices: 12 Experts Weigh In

September 16, 2015 by

Infosec Institute

As security awareness continues to become an increasing focal point for the modern enterprise, security experts need to do everything in their power to stay on top of trends, current events and best practices. That's why we took it upon ourselves to speak with some of the smartest folks in security and find out what best practices need be kept in mind regarding end user security awareness.

Jeffrey Bernstein, Managing Director of T&M Protection Resources

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

Many organizations lack internal resources, expertise, infrastructure and budgeting to deliver effective awareness training programs to their staff. Achieving absolute security in the enterprise is simply impossible. Improving security usually costs money, capabilities, time, ease of use, civil liberties and more. The most effective compensating control to mitigate various cyber-security threats is security awareness training along with regular testing.

Bill Carey, VP of Marketing for RoboForm

Hold employees accountable. It's crucial to make sure everyone in the company understands how important it is to use effective cyber security practices. Managers and business owners should lead by example, modeling excellent safety habits. It's also a good idea to provide an online security manual and ask employees to sign an acknowledgement form after training to indicate they understand and will abide by company policies.

Mr. Tahir Ali, Global Security Analyst for PureVPN

The most important aspect, I feel, to any security awareness program is to not take things lightly, especially data security. The younger generation needs to address and understand that identity or data theft is not a matter to be shoved aside. Sadly, the users who do care about security are mostly worried about cookies, their browsing history, and how their data is held and saved on a storage device. They do not understand that their data faces the same level of threat during transit, and this is exactly where and when most data snoopers AKA hackers/data thieves/creatures from hell strike. Without a secure medium of transmission, their data is as good as hacked and their security has already been compromised.

Jyothish Varma, Senior Director of Product Management & Strategy at ControlScan

Customization is critical. Security awareness is best approached not from a one-size-fits-all perspective, but from a "people, process and technology" perspective. Your employees are individuals and each employee handles sensitive data in a unique way. Security awareness training materials should be segmented with this in mind, so that individuals and work groups receive training that's specific to their responsibilities and the technologies with which they interact. The course materials should also be customizable from a process standpoint, to directly address your company's security policy requirements.

Nick Espinosa, CIO at BSSi2 LLC

By far the best practice for an IT staff to implement that will help the end users is to remove most of the options for self-administering user security. Too often we see users being able to disable or whitelist items they shouldn't in virus scanners, firewalls and filters. A good security setup is one that seamlessly integrates all of the defenses any network should have such as a virus protection, firewalls, DNS based web filtering and a Unified Threat Management system. By integrating all of these to essentially "work behind the scenes" the users should rarely have an issue using their computers as they see fit and if something is called into question then they have to go to the IT staff who can confirm legitimacy of the application, file or website being accessed.

Todd Inskeep, Advisory Board Member to RSA Conference

End user security awareness is a constant challenge - education is quickly forgotten without practice and reminders. Yet practice and reminders detract from end users trying to get their jobs done. Carnegie Mellon and others have done a lot of research on awareness and the longevity of information, and the most important element is freshness and the "aha" moment of seeing something work or not work. The banks got together around 2007 and set up a process to take down phishing sites and put up a link that said, "You just got phished" and provided some education so users wouldn't get caught again. Some security education teams have taken ideas like this and brought them into the workplace so there's a constant, but very low level of training and awareness.

Karl Weintz, President and CEO, Sonavation

Weakly secured enterprise networks give hackers an easy opportunity to access and intrude upon highly sensitive materials. Default passwords and use of an open wifi network leave many of our mobile and computing devices vulnerable. A top priority of any security professional should be to implement a multifactor authentication solution which places an additional layer of security on accounts. Biometric authentication is the most advanced solution, as it combines something you know (password) with something you are (fingerprint).

Try phishing your friends, family and coworkers with our free phishing simulator. Phish.io lets you send harmless phishing emails, tracks your success and failure on a dashboard, and notifies you with updates. We also train the people you phished to keep them safe from further attacks, all for free!

Click here for Details.

Jeff Schilling, Chief of Operations and Security, Armor

One of the things I don't think most user security awareness programs do well is tie end user training network access to training completion.  For example, if a user does not successfully complete their security awareness training by a specified date, then their network access would be restricted, such that they don't get internet access, or they can't open attachments in emails.  This is what I call "outcome based training."  This holds the user to be accountable or there will be punitive outcomes if they don't do the training on time or they don't pass the course curriculum.  The other outcome-based training idea should be every time a user's computer is cleaned of a virus, they should have completed another round of security training to regain their access.

At the end of the day, users are still falling for spear phishing emails and going to websites that host malware.  Those still continue to be the biggest areas of success threat actors have for gaining that initial foothold inside of corporate environments.

Kurt Roemer, Chief Security Strategist, Citrix 

End-users need to have a level of paranoia that is appropriate to the risks incurred with the compromise of sensitive data under their control.  Security awareness programs need to focus on an understanding of acceptable/unacceptable risks, how to recognize potential threats, how to practice good computing hygiene and how and where to get help when things don't seem right. Additionally, IT teams should host regular seminars, drills and tests to ensure end-users are familiar with the processes and are staying on their toes.

As the front line of computing defense, end-user behavior is critical to the security of any organization. A good rule of thumb is that when a situation doesn't feel right, it probably isn't. If sensitive data would be compromised by further action, employees need to be versed in the appropriate steps to take to protect corporate systems. Employees should keep in mind that security programs are there to assist, but technology cannot save them from all threats.

Jeremiah Grossman, Founder, WhiteHat Security

The indisputable fact is that each individual employee is the best defense against getting hacked and there are simple steps workers can take to secure organization information. In building a security awareness program, IT teams should encourage employees to keep all of their systems – browsers, software, web extensions - up to date. Hackers can easily target a known flaw in outdated browsers and software, but this is something employees can easily prevent by utilizing the latest versions of operating systems, browsers and web extensions. Employees may use several different devices to access corporate information, so be sure to they are updating systems to the latest versions across all devices.

Additionally, employees should use a different hard-to-guess password for each corporate account. You wouldn't have the same keys for your home, office and car, and for the same reason, you shouldn't use the same password for all your online accounts. Pick passwords that are hard to guess, not found in the dictionary and are six or more characters in length. Encourage employees to use numbers and special characters in the passwords as an extra precaution. Even if an attacker does gain access to a corporate system, having different passwords for each account limits the amount of information an outsider can access.

Morey Haber, VP of Technology, BeyondTrust

For information technology administrators, the best way to raise security awareness among end users is to implement a plan that holds users accountable to the same security processes and procedures governing sensitive data and critical systems. While some might find that statement outrageous, recent breaches have shown that a standard workstation can be used to compromise an entire environment, whether through spear phishing, a user having excessive privileges, an unmitigated vulnerability, and lateral movement. Therefore, using security best practices as a guideline, I would recommend the top three changes to raise security awareness and secure users:

1. Workstations can be just as sensitive as servers -- based on the data they access, and users that login into them. With that in mind, companies should follow a least privileged model for their users accessing systems. Users login to the workstations as standard users, not administrators, and are only granted access to the local operating system and applications onan as-needed permission basis. This mitigates improper changes to the system, malware that needs administrative access to install, and can stop many exploits dead in their tracks since they do not have the permissions needed to compromise the system. And too raise awareness, when administrative changes are required, the system properly documents / logs the activity to know what was actually done as an admin.
2. Security Patches are not just a process that should operate seamlessly under the hood. When systems fall out of compliance due to a faulty process, or a leave of absence, end users should be aware they are not running in a safe computing environment and have the option to contact the helpdesk or manually approve auto updaters to execute. This allows self help to bring a system into compliance and minimize downtime.
3. Training. Users need to be aware of what a safe computing environment is and what it means. They need to understand what symptoms are exhibited when a compromise occurs (even though many times systems still behave flawlessly), what a real and fake password prompt is and looks like when an email is really malicious, etc. Without the proper training, just like learning where the nearest fire escape route is, the burden of security falls solely on IT professionals. Having vigilance throughout the teams helps keep the basic types of attacks at bay and your users and systems safe.

Rick Howard, CSO, Palo Alto Networks:

I think the biggest mistake security awareness programs make is to try to train the non-technical employees about what the deep level geek employees already know. For example, let me teach you how to look for a phishing email message. I have been in the business for 25 years and I still can't pick some of those messages out of the hundreds I read every day. To expect a non-technical employee to do it on a regular basis is crazy. It is frustrating for the non-technical employees, overwhelming and a bit scary. Good security awareness programs help all employees know where to get help: who they should call when there is trouble and where they can look for guidance in terms of policies. Most importantly, they should know that they will not be looked down on for making a mistake; that the security team's job is to help them through whatever difficulty they are having.

Joe Siegrist, CEO and co-founder of LastPass

The most critical element of an end user security awareness program should focus on password security, more specifically the risks of password reuse. These programs should also consider the establishment of a secondary factor for protection of critical systems, which relates to the concept of something you know (your password) plus something you have (your secondary factor).

Passwords are the first line of defense for companies against both internal and external threats. Whether or not a user is privileged, the passwords they use to access the company network and company accounts protect personal and corporate data.

Despite the critical security that passwords provide, many end users suffer from "password fatigue." People have so many passwords to remember for work and in their personal lives, that they will do anything to make passwords easier to remember and log in with. That means that many employees will use the same or similar passwords across multiple company accounts, which creates a significant security risk to the company and their assets. This is not a theoretical risk; thousands of companies, big and small, have had critical security breaches as a result of end users using the same password on personal and work sites.

To really enforce a successful password security program, companies need to go beyond education. In addition to raising awareness about how employees are endangering the business, the company should provide a tool that will make passwords more manageable for end users, and requires use of a secondary factor to protect company passwords.

Karl Weintz, President & CEO of Sonavation

Weakly secured enterprise networks give hackers an easy opportunity to access and intrude upon highly sensitive materials. Default passwords and use of an open wifi network leave many of our mobile and computing devices vulnerable. A top priority of any security professional should be to implement a multifactor authentication solution which places an additional layer of security on accounts. Biometric authentication is the most advanced solution, as it combines something you know (password) with something you are (fingerprint).

Rob Kraus, Director of Security Research and Strategy, Solutionary

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

Download Now

Specific element: consistency. Successfully educating end users in the art of “being secure” does not simply happen by attending a webinar, annual training, or taking a month to focus on cybersecurity. “Being secure” is something that is learned over time and eventually becomes a habit. For the security mindset to grab hold, we need to do just that, be consistent and reinforce the importance of information security in our daily personal and work lives.