Today in cybersecurity, it is all too common to quickly point to people as the weakest link in an organization. Human error is indeed the most significant cause of security incidents, yet security training for employees usually remains at the bottom of the priority list. Is it fair to blame the users if businesses are spending most of their time, money, and other resources on keeping the bad guys out? What would happen if some of those resources were used to help keep the employees out of trouble? Sure, some of the tools purchased are supposed to automate safekeeping, but imagine the gains from helping employees make smarter decisions to protect data.
A well-executed security awareness program can change users’ behavior and, in turn, strengthen the whole organization. At the heart of an awareness program is building a process that identifies risky habits and replaces them with secure ones. Luckily, there is a great deal of well-modeled data out there for crafting awareness programs. NIST Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program” by the National Institute of Standards and Technology, is a fantastic guide for building a security awareness life cycle.
The publication recommends including educational, awareness-based content as well as skill development to help employees understand the threats they face and the right actions to prevent security incidents. The report outlines several types of awareness materials suggested for inclusion in a program. From posters to instructor-led education, most of the options are static and often delivered only once, which makes this a very manual, time-consuming process with delayed results.
Many studies prove that training has a more significant impact when delivered alongside the behavior that needs modification. Tools that can implement security awareness more dynamically and in real time have shown a higher success rate. And with hundreds of thousands of cyber jobs unfilled, the ideal situation is to have tools that can be implemented and prove their value quickly.
Reveal was built to look for patterns and behaviors that signify problems with insiders within an organization. The visibility and detection offered by the platform are of the highest level of detail. As part of our latest release, version 5, we added the ability to use the event data to deal with suspicious and potentially problematic behavior automatically. One particular aspect of the automated response is the out-of-the-box policy packs designed to create awareness among users.
Examples of awareness topics:
Uncommon/dangerous software
Data storage
Encryption usage
WiFi usage
System access control
Protection of confidential materials from third parties
Acceptable internet usage
These out-of-the-box policies also allow us to score individuals and identify the riskiest among them. A security analyst can use the scoring data to focus on key individuals and put them under focused observation. Or, at full scope, the security team can trend the effectiveness of the training by looking at a report of offenses over a timeline. Like any robust process, constant monitoring of compliance is critical, and Reveal can show you the performance of your training over time.
A typical scenario: a key scientist at a biotech firm is heading to a major industry conference. While on the plane, they remember an urgent task that needs doing. As soon as they land, they crack open a laptop, find the first available WiFi signal, and complete the work. Now, of course, as IT/security professionals, it is easy to think of all the terrible reasons not to use random public WiFi. However, this scientist probably has no awareness of the potential issues and is hyper-focused on the urgent task. A solution that can educate the user at that point in time will be able to prescribe some best practices.
With the Reveal out-of-the-box training policies, an on-screen message notification provides immediate, highly relevant user training as users take actions that could endanger your company’s data, even inadvertently. In the case of the traveling scientist, the message could be something as simple as telling the user to connect to the corporate VPN while on public WiFi. The message accomplishes the goal of creating awareness at the time it matters most.
Another application of training policies is warning users that the file they are trying to upload to non-sanctioned cloud storage contains company-confidential and proprietary information. The instant feedback tied to the action resonates with the user and potentially prevents a leak.
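The scoring and trend reporting described above, as a constructed illustration (added example, not Reveal’s code): events are matched to awareness policies, the matching nudge is emitted at the moment of the action, users are scored by weight, and offenses are counted per week so that repeat behavior stands out. The policy names, weights, messages and event log are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical awareness policies (constructed, not Reveal's): event type -> (topic, weight, nudge text).
POLICIES = {
    "open_wifi_no_vpn": ("WiFi usage", 2,
        "You are on an open Wi-Fi network. Connect to the corporate VPN before continuing."),
    "upload_confidential_unsanctioned": ("Data storage", 5,
        "This file is marked confidential. Use an approved storage service instead."),
    "unapproved_software_install": ("Uncommon/dangerous software", 3,
        "This application is not approved. Request it through IT instead."),
}

# Constructed endpoint events: (ISO timestamp, user, event type).
EVENTS = [
    ("2024-03-04T09:12:00", "scientist", "open_wifi_no_vpn"),
    ("2024-03-04T09:13:00", "scientist", "open_wifi_no_vpn"),
    ("2024-03-05T14:02:00", "analyst", "upload_confidential_unsanctioned"),
    ("2024-03-12T08:45:00", "scientist", "open_wifi_no_vpn"),
    ("2024-03-13T10:30:00", "analyst", "unapproved_software_install"),
    ("2024-03-20T11:00:00", "analyst", "upload_confidential_unsanctioned"),
]

def evaluate(events):
    """Match each event to a policy; return the nudges to deliver and per-user risk scores."""
    nudges, scores = [], Counter()
    for ts, user, kind in events:
        if kind not in POLICIES:
            continue  # event does not trip an awareness policy
        topic, weight, message = POLICIES[kind]
        nudges.append((ts, user, topic, message))  # shown on screen at the moment of the action
        scores[user] += weight
    return nudges, scores

def riskiest(scores, n=1):
    """Users with the highest accumulated score, for focused observation."""
    return [user for user, _ in scores.most_common(n)]

def offenses_by_week(nudges):
    """Count offenses per ISO week so the trend can be reviewed over time."""
    weekly = defaultdict(int)
    for ts, _, _, _ in nudges:
        year, week, _ = datetime.fromisoformat(ts).isocalendar()
        weekly[f"{year}-W{week:02d}"] += 1
    return dict(sorted(weekly.items()))

def repeat_offenders(nudges):
    """Users nudged for the same topic more than once: the training did not stick."""
    seen = Counter((user, topic) for _, user, topic, _ in nudges)
    return sorted({user for (user, topic), c in seen.items() if c > 1})
```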
Employees are the first line of defense when combating many incidents, both insider threats and external attacks. Security awareness training for new employees, experienced workers, management, and part-timers reinforces good cyber prevention for the whole company. Let the team at Next DLP help you quickly implement a program to increase security awareness among your users.