Insider Threats

4/10/2014 08:00 AM

Majority Of Users Have Not Received Security Awareness Training, Study Says

Many users fail to follow policies on mobile, cloud security, EMA Research study says.

More than half of enterprise employees have received no security awareness training, and that lack of training is resulting in risky behavior, according to a study published Tuesday.

The survey of 600 employees, conducted by EMA Research and sponsored by training firm Security Mentor, indicates that 56 percent of workers say they have not had security or policy awareness training from their organizations. The remainder of employees (44 percent) say they have received annual training.

The absence of training leads to frequent violations of security policy, according to the study. Some 58 percent of respondents say they store sensitive company information on their personal devices; 59 percent say they store work information on cloud services.

Thirty-five percent of the respondents say they have clicked on an email link from an unknown sender; 33 percent say they use the same password for both work and personal devices; 30 percent say they leave mobile devices unattended in their vehicles.

"People repeatedly have been shown as the weak link in the security program," says EMA Research analyst David Monahan, who authored the study. "Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don't realize what they are doing is wrong until a third party makes them aware of it."

The full findings of the report will be outlined in a webcast on Apr. 15.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
Bprince, User Rank: Ninja
4/17/2014 | 12:54:05 AM
Re: Security Awareness Training or lack of it
I find it hard to believe, Johnrobie, that security loses in a risk versus cost argument, but I suppose that given the survey's findings, it is entirely possible. Enterprises can design their own security awareness programs, though, so I would think that costs could be controlled. In the end, I think security awareness programs should just be another layer of layered security.

http://www.securingthehuman.org/resources/planning
Kwattman, User Rank: Black Belt
4/14/2014 | 10:23:55 AM
Security awareness best practices
To add to the prior conversation, these days you need to have an employee security education and behavior management program in place which first establishes a baseline phish-prone percentage, then a thorough training program that covers the main attack vectors, and then constant repetition that effectively influences the behavior of the employee at their place of work, which is right in the inbox they work out of every day.

The security awareness program administrator needs to think like a PR/Marketing manager. They need to promote the program, "sell" it to the whole organization, and make it as easy as possible to deploy the program with the minimum amount of disruption and loss of time.

The easiest way to do this is to send all employees regular simulated phishing attacks using various topics like banking, current events, IT, healthcare, social networking and more. If an employee clicks on a link, they get instant feedback that they clicked on a phishing link. These clicks get tracked and reported to the program administrator. The program administrator can then work with HR to get the employee better trained and, if it is repeated over and over with no change, determine what kind of improvement process needs to take place in alignment with individual company policies. This makes it cooperative and not just an IT problem.
Marilyn Cohodas, User Rank: Strategist
4/14/2014 | 9:01:29 AM
Re: Security Awareness Training or lack of it
I really like your idea about making people more aware of their organizations' InfoSec services/solutions in order to help them make better decisions. As an end-user (not an InfoSec pro) I would greatly appreciate whatever assistance the security team can give me that shrinks my "know-do" gap. 
JasonSachowski, User Rank: Author
4/14/2014 | 8:45:53 AM
Re: Security Awareness Training or lack of it
You could tie this back to individual performance ratings, but are you able to 100% guarantee that every alert/event generated was intentional and that it was not a result of other factors (e.g., malware propagation)?

Could we say that the completion of scheduled awareness training, on whatever frequency, should be mandatory to remain employed? In that context, most organizations have established this requirement for employee acceptance of the business conduct policies, so the addition of security awareness training under this same requirement makes sense. While there are security topics that must be covered throughout an organization, there might be different levels to this training depending on role or job functions. Keep it simple and short by making security topics relevant, direct, and in practical (non-technical) language.

Aside from the scheduled awareness training, we have to look for ways to improve the marketing of our InfoSec services/solutions so that our employees are better equipped to make educated decisions and reduce the "know-do" gap. This strategy can be used to fill the time between scheduled training and further educate employees on new and/or existing security best practices, industry happenings, or at-home advice. With employees becoming much more mobile, it would be better to avoid generating "security reports" and focus more on using other means of communication such as informational posters on bulletin boards, rotational advertisements on internal displays, or even online forums to collaborate.
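Kwattman's comment above describes tracking simulated-phishing clicks and computing a baseline phish-prone percentage; JasonSachowski's comment asks how an administrator can be sure a recorded click was a person rather than some other process. The script below is an added example by the editor, not code from the article, from either commenter, or from any vendor product. It scores a constructed click log (the log, the recipient lists, SECRET_KEY, SCANNER_MARKERS and MIN_HUMAN_DELAY_S are all assumptions for illustration): each tracking link carries a per-recipient HMAC token so a click cannot be attributed to the wrong person, fetches by automated URL scanners or arriving before a human could have read the mail are discarded, and the remaining clicks yield a per-campaign phish-prone percentage and a list of repeat clickers for the follow-up Kwattman describes.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed program secret: signs each recipient's tracking token. Rotate per program.
SECRET_KEY = b"example-only-secret-rotate-in-production"

# Assumed User-Agent fragments of mail gateways and link-preview fetchers; their
# requests are not the employee's click and must not count against them.
SCANNER_MARKERS = ("bot", "scanner", "preview", "urldefense")

# Assumed threshold: a fetch this soon after delivery is treated as automated.
MIN_HUMAN_DELAY_S = 5


def make_token(campaign: str, user: str) -> str:
    """Per-recipient tracking token: the HMAC ties a click to one user in one campaign."""
    msg = f"{campaign}:{user}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def is_human_click(event: dict) -> bool:
    """Keep only clicks that can be attributed to the named employee."""
    expected = make_token(event["campaign"], event["user"])
    if not hmac.compare_digest(expected, event["token"]):
        return False  # forged, guessed or mis-typed tracking link
    if any(m in event["user_agent"].lower() for m in SCANNER_MARKERS):
        return False  # security gateway or link preview, not the employee
    if event["delay_s"] < MIN_HUMAN_DELAY_S:
        return False  # fetched before a person could plausibly have read the mail
    return True


def phish_prone_by_campaign(events, recipients):
    """Percentage of recipients with at least one attributable click, per campaign."""
    clickers = defaultdict(set)
    for ev in events:
        if is_human_click(ev):
            clickers[ev["campaign"]].add(ev["user"])
    return {c: round(100.0 * len(clickers[c]) / len(users), 1)
            for c, users in recipients.items()}


def repeat_clickers(events, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns."""
    seen = defaultdict(set)
    for ev in events:
        if is_human_click(ev):
            seen[ev["user"]].add(ev["campaign"])
    return sorted(u for u, cs in seen.items() if len(cs) >= min_campaigns)


# Constructed sample data (not real employees or real campaigns).
RECIPIENTS = {
    "2014-Q1-baseline": {"alice", "bob", "carol", "dave", "erin"},
    "2014-Q2": {"alice", "bob", "carol", "dave", "erin"},
}


def _ev(campaign, user, delay_s, user_agent, token=None):
    return {"campaign": campaign, "user": user, "delay_s": delay_s,
            "user_agent": user_agent,
            "token": token if token is not None else make_token(campaign, user)}


CLICK_LOG = [
    _ev("2014-Q1-baseline", "alice", 120, "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"),
    _ev("2014-Q1-baseline", "bob", 45, "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0"),
    _ev("2014-Q1-baseline", "carol", 1, "MailGateway-URLScanner/2.0"),  # automated prefetch
    _ev("2014-Q1-baseline", "dave", 300, "Mozilla/5.0 (iPhone) Safari/7.0"),
    _ev("2014-Q2", "alice", 600, "Mozilla/5.0 (Windows NT 6.1) Firefox/29.0"),
    _ev("2014-Q2", "erin", 90, "Mozilla/5.0 (Macintosh) Safari/7.0",
        token="0000000000000000"),  # forged token: not erin's link
    _ev("2014-Q2", "bob", 30, "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0"),
]

if __name__ == "__main__":
    print("phish-prone % by campaign:", phish_prone_by_campaign(CLICK_LOG, RECIPIENTS))
    print("repeat clickers:", repeat_clickers(CLICK_LOG))
```

In the constructed log the baseline campaign scores 60.0 percent (carol's gateway prefetch is discarded) and the second campaign 40.0 percent (erin's forged token is rejected), with alice and bob flagged as repeat clickers. The filters are deliberately conservative: a scanner that spoofs a browser User-Agent and waits before fetching will still be counted, so the percentage is an upper bound on human clicks, which is the direction an administrator wants to err in before involving HR.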
Marilyn Cohodas, User Rank: Strategist
4/11/2014 | 1:06:44 PM
Re: Security Awareness Training or lack of it
@JasonSachowski, you hit the nail on the head with your point about making user awareness personal and relevant to people's jobs. But how do you do that? Tie it to job performance? 
JasonSachowski, User Rank: Author
4/11/2014 | 12:47:48 PM
Re: Security Awareness Training or lack of it
Not only should we conduct security awareness using industry best practices but, to expand on @Kwattman's comments below, we have to make it more personal and relevant to their jobs/lives to make it truly effective. There is most likely a percentage of every organization's workforce that does not truly understand what services/solutions are offered through their InfoSec teams that they can use to stay secure, or even how they as employees contribute to the overall security posture of their organization.
Kwattman, User Rank: Black Belt
4/11/2014 | 11:44:09 AM
Re: Security Awareness Training or lack of it
KnowBe4's Kevin Mitnick Security Awareness Training, Wombat, PhishMe are some of the top programs. Gartner is doing an MQ on the field this fall as the need has grown so much and will publish around October. 
Randy Naramore, User Rank: Ninja
4/11/2014 | 11:36:16 AM
Re: Security Awareness Training or lack of it
True statement, once a year is not sufficient. Do you have examples of other programs?
Kwattman, User Rank: Black Belt
4/11/2014 | 11:32:18 AM
Re: Security Awareness Training or lack of it
Part of the problem is that the once-a-year, ineffective training gives security awareness a bad name. Users need behavior training that is closely tied to their work flow so they can get used to proper behavior. You have to tie it to something that makes sense to the user for it to be remembered easily. And do it repeatedly. That way it becomes instinctive, and when the user is rushed or behind in his/her work, they will still take the time to think about what they are doing. But they have to notice, and the only way to get that to happen is to bring awareness up and make it personal. There are some great programs that do this.
Marilyn Cohodas, User Rank: Strategist
4/10/2014 | 12:23:11 PM
Re: Security Awareness Training or lack of it
I'm curious to know whether those who received training believed that it was worthwhile. And if not, what they think would be more effective.