Tuesday 10 May 2016

User education and management - ‘10 Steps to Cyber Security’

The government's ‘10 Steps to Cyber Security’ guidance flags user education as a vital component of any security policy, focusing specifically on acceptable and unacceptable behaviours. In fact, we think education provides the building blocks for good security.

User education is about raising awareness of the risks and dangers that can arise from a slack approach to security. This can be anything from bringing USB sticks into the workplace and plugging them into computers to a lack of understanding of social engineering and phishing.

The weakest link

Within this context, the weakest link in the business can be employees who lack IT security knowledge. Leading-edge technology can be rendered irrelevant if employees are not aware of, or educated in, a comprehensive security policy.

Spear phishing attacks, for instance, can be particularly damaging. A few years ago RSA, a high-profile security company, was compromised in a spear phishing attack that exposed its cryptographic keys.

The company was breached after attackers sent two different targeted phishing emails to four workers at its parent company, EMC. The emails contained a malicious attachment that was identified in the subject line as ‘2011 Recruitment plan.xls’. One of the recipients eventually opened the infected spreadsheet, which led to the breach. In this respect, education is crucial.

Do not avoid awareness 

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. However, that didn't matter: the malware had been unleashed. Once a spear phishing email makes it through filters and similar technologies, the user element really comes into play, which is exactly what the attackers were depending on.

When educating users, awareness is only the first step. Training must follow: it provides people with a fixed body of knowledge on which they can be tested.

Strength in depth

Training can take place in incremental steps or be focused on specific business requirements. It doesn't need to be a sweeping one-size-fits-all programme; it can be bespoke, targeting a specific department or focusing on remediating particular behaviours.

One thing is certain: a trained and educated workforce will dramatically reduce the chances of your organisation ending up as headline news or seeing its valuable customer information for sale on the dark web.
