Engaging Employees to Take Ownership of IT Security

JON RAMSEY
Nov 5, 2014

Human error is a factor in most information security breaches. Numerous studies, such as a report by the Ponemon Institute, have compiled statistics that attribute more than half of breaches to human elements. And it takes human beings – “an army of foot soldiers,” to quote my colleague John McClurg – to defend an organization’s information assets.

There is no silver technology bullet. Next-generation firewalls, anti-virus software, and endpoint data encryption are all necessary to safeguard valuable and often sensitive information, but none of them is sufficient on its own: each can be bypassed by a user who is tricked into opening the door.

The key to building that army is security awareness and training. As headlines continue to highlight breaches and the need for a strong security program, now is the time for people to take greater responsibility for the security of the information they work with every day. A trained and educated workforce is an organization’s best defense against increasingly sophisticated and persistent cybercriminals.

Organizations with a security awareness program are 50 percent less likely to have staff-related security breaches than those without awareness training, according to a 2012 study by PricewaterhouseCoopers. And though it’s virtually impossible to eliminate risk altogether, few measures, if any, are dollar-for-dollar as effective in reducing risk as security awareness training.

See Something? Say Something.
Raising awareness and instilling a sense of shared responsibility for protecting vital information assets is critical to securing them against the two most common threats: malicious insiders and external cybercriminals.

Insider threats are hard to discover with technology alone. Research at Carnegie Mellon University’s CERT program has repeatedly confirmed that most insider threats are first detected by other users who notice something suspicious and report it – the cyber equivalent of ‘see something, say something.’ Users need training and awareness to know what to look out for, and must take responsibility for reporting it.

Threats from outside the organization evolve ever more rapidly, and the energy and effort that cybercriminals expend to compromise sensitive data keep rising. The social engineering used to prey on our gullibility and emotions grows more sophisticated and elaborate every day. I recently received an email from the nurse at my child’s school alerting me to an accident on the playground and offering a link to the incident report. The email appeared to come from the school, contained my child’s name, as well as the correct name of the school nurse, yet it was a classic phishing attempt that I avoided only because I was aware of school policy against sharing such information via email.


Taking a Moment of Pause
An effective security awareness program teaches users to take what I call ‘a moment of pause.’ Before reacting to any email containing links or attachments, users should inspect the message for suspicious indicators: a sender or Reply-To address that does not match the organization it claims to come from, a link whose displayed text differs from where it actually points, an unexpected request for credentials or personal information, or manufactured urgency. This instinct to stop and examine email messages (or phone calls from people you don’t know) is the best defense against social engineering. It needs to become muscle memory for every user – not just a few cyber heroes – because threat actors are good at finding the people who are the most gullible and going after them.

Key features of a successful security awareness and training program include:

  • Assessing the baseline level of security awareness within the organization to identify the gaps and develop a plan to address them.
  • Ongoing testing to reinforce training and create a culture of security across the entire workforce. Testing first, then training, then testing again can demonstrate improvement that acts as a positive motivator. Phishing tournaments and other forms of testing can be powerful teaching tools as employees see first-hand which social engineering tricks have fooled them.
  • Response training gives first responders the skills and knowledge needed to effectively counter attacks. Understanding how to analyze spear phishing emails or phone calls to raise situational awareness, or how best to deal with a compromised system, is critical. (Hint: rebooting the machine, a common first impulse, destroys valuable volatile evidence such as memory contents, running processes and active network connections; instead, disconnect it from the network to cut an intruder’s access while preserving the system state for investigation.)
  • Threat detection is vital since reducing risk to zero is impractical and some human error is inevitable. Detecting a compromise quickly is key to mitigating damage and maintaining business continuity. We’ve never encountered an enterprise with 100 percent awareness and zero percent risk. Ultimately, someone in your organization is going to get phished. With that in mind, choosing an advanced threat detection service that can detect the compromise of your machines, and reduce the time it takes to respond, will minimize the impact of that compromise.
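The ‘moment of pause’ described above, and the spear-phishing analysis that response training should cover, can be made concrete with a checker for the structural indicators a reader is asked to look for. The following is an added example for this page, not code from the article or from Dell SecureWorks: it parses an email with Python’s standard library and flags a Reply-To that redirects replies elsewhere, a link whose visible URL differs from its real destination, and a hostname that embeds a trusted domain name but is registered somewhere else. The school domain, the attacker domains and both messages are constructed to mirror the playground-incident lure; no real organization is implied.

```python
"""Flag the structural phishing indicators a 'moment of pause' should catch.

Added illustration, not code from the article or from Dell SecureWorks.
The school domain, the attacker domains and both messages are constructed.
"""
from __future__ import annotations

import re
from email import message_from_string
from urllib.parse import urlparse

# Domain the organisation (here, a school) legitimately sends from. Assumed.
TRUSTED_DOMAINS = {"maplewood-elementary.example"}

# Constructed lure modelled on the article's anecdote: correct school and
# nurse name, but Reply-To and the real link target belong to someone else.
PHISHING_EMAIL = """\
From: School Nurse <nurse@maplewood-elementary.example>
Reply-To: nurse@maplewood-elementary-forms.example.net
To: parent@example.com
Subject: Playground incident report for Alex
Content-Type: text/html; charset=utf-8

<html><body>
<p>Alex had a minor fall on the playground today. The incident report is here:</p>
<p><a href="http://maplewood-elementary.example.report-login.net/view?id=3">
https://maplewood-elementary.example/incidents/3</a></p>
</body></html>
"""

# Constructed benign message for contrast: no Reply-To, link stays on-domain.
CLEAN_EMAIL = """\
From: School Nurse <nurse@maplewood-elementary.example>
To: parent@example.com
Subject: Reminder: vaccination forms due Friday
Content-Type: text/html; charset=utf-8

<html><body><p>Forms are on the
<a href="https://portal.maplewood-elementary.example/forms">parent portal</a>.</p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup, which production code should use instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header: str | None) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header or "")
    return m.group(1).lower() if m else ""


def phishing_indicators(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return 'CODE: detail' strings for each indicator found; [] if clean."""
    msg = message_from_string(raw)
    findings: list[str] = []

    # 1. Replies silently redirected to another domain.
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    if reply_dom and registrable_domain(reply_dom) != registrable_domain(from_dom):
        findings.append(f"REPLY_TO_MISMATCH: replies go to {reply_dom}, not {from_dom}")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")

    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        if not href_host:  # mailto:, relative links, etc.
            continue
        href_reg = registrable_domain(href_host)

        # 2. Link text shows one URL, the href goes somewhere else.
        shown = URL_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if shown_host and registrable_domain(shown_host) != href_reg:
                findings.append(f"LINK_TEXT_MISMATCH: text shows {shown_host}, href is {href_host}")

        # 3. Trusted name embedded in a host registered elsewhere
        #    (school.example.attacker.net), or 4. a plain off-domain link.
        if any(t in href_host and href_reg != t for t in trusted):
            findings.append(f"LOOKALIKE_DOMAIN: {href_host} is not {', '.join(sorted(trusted))}")
        elif href_reg not in trusted:
            findings.append(f"OFF_DOMAIN_LINK: {href_host}")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(PHISHING_EMAIL) or ["no indicators found"]:
        print(line)
```

Run against the constructed lure, the checker reports all three indicators; the benign reminder produces none. The point for training is the order of operations: none of these checks needs a security tool, only the habit of reading the headers and hovering over the link before clicking. A real deployment would replace the two-label `registrable_domain` heuristic with a public-suffix list and add the same checks for attachments and for plain-text bodies.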

___
Jon Ramsey is the Chief Technology Officer at Dell SecureWorks, which offers a comprehensive suite of services that help organizations teach their employees secure behaviour and how to reduce risk. They help employees understand that each individual is responsible for protecting an organization’s information assets and help build a culture of security. Explore Dell’s approach to security at Dell.com/Security.
© FrontLine Security 2014