
Comments
Majority Of Users Have Not Received Security Awareness Training, Study Says
Bprince,
User Rank: Ninja
4/17/2014 | 12:54:05 AM
Re: Security Awareness Training or lack of it
I find it hard to believe Johnrobie that security loses in a risk versus cost argument, but I suppose that given the survey's findings, it is entirely possible. Enterprises can design their own security awareness programs though so I would think that costs could be controlled. In the end, I think security awareness programs should just be another layer of layered security.

http://www.securingthehuman.org/resources/planning
Kwattman,
User Rank: Black Belt
4/14/2014 | 10:23:55 AM
Security awareness best practices
To add to prior conversation, these days, you need to have an employee security education and behavior management program in place which first establishes a baseline phish-prone percentage, then a thorough training program that covers the main attack vectors, and then a constant repetition that effectively influences the behavior of the employee at their place of work, which is right in their inbox they work out of every day.

The security awareness program administrator needs to think like a PR/Marketing manager. They need to promote the program, "sell" it to the whole organization, and make it as easy as possible to deploy the program with the minimum amount of disruption and loss of time.

The easiest way to do this is to send all employees regular simulated phishing attacks using various topics like banking, current events, IT, healthcare, social networking and more. If an employee clicks on a link, they get instant feedback that they clicked on a phishing link. These clicks get tracked and reported to the program administrator. The program administrator can then work with HR to get the employee better trained and, if repeated over and over with no change, determine what kind of improvement process needs to take place in alignment with individual company policies. This makes it cooperative and not just an IT problem.
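The tracking the post describes (a baseline phish-prone percentage, the trend across later campaigns, and the repeat clickers to hand to HR) can be scored from campaign results like this. This is an added example, not code from the thread or from any vendor's product; the campaign names, users and click outcomes are constructed.

```python
# Added example: scoring simulated-phishing campaigns as a program
# administrator would. All data below is constructed for illustration.
from collections import defaultdict

# Constructed results: (campaign, lure topic, user, clicked?)
# Campaign names sort chronologically; the first one is the baseline.
RESULTS = [
    ("01-baseline", "current-events", "alice", True),
    ("01-baseline", "current-events", "bob", True),
    ("01-baseline", "current-events", "carol", False),
    ("01-baseline", "current-events", "dave", True),
    ("01-baseline", "current-events", "erin", False),
    ("02-banking", "banking", "alice", True),
    ("02-banking", "banking", "bob", False),
    ("02-banking", "banking", "carol", False),
    ("02-banking", "banking", "dave", True),
    ("02-banking", "banking", "erin", False),
    ("03-it-reset", "IT", "alice", False),
    ("03-it-reset", "IT", "bob", False),
    ("03-it-reset", "IT", "carol", False),
    ("03-it-reset", "IT", "dave", True),
    ("03-it-reset", "IT", "erin", False),
]


def phish_prone_pct(results, campaign):
    """Percentage of recipients in one campaign who clicked the lure."""
    sent = [r for r in results if r[0] == campaign]
    clicked = sum(1 for r in sent if r[3])
    return round(100.0 * clicked / len(sent), 1) if sent else 0.0


def campaign_trend(results):
    """Phish-prone percentage per campaign, oldest first."""
    campaigns = sorted({r[0] for r in results})
    return [(c, phish_prone_pct(results, c)) for c in campaigns]


def improvement(results):
    """Percentage-point drop from the baseline campaign to the latest one."""
    trend = campaign_trend(results)
    return round(trend[0][1] - trend[-1][1], 1) if len(trend) > 1 else 0.0


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns (for HR follow-up)."""
    clicks = defaultdict(int)
    for _campaign, _topic, user, clicked in results:
        if clicked:
            clicks[user] += 1
    return sorted(u for u, n in clicks.items() if n >= threshold)
```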
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 9:01:29 AM
Re: Security Awareness Training or lack of it
I really like your idea about making people more aware of their organizations' InfoSec services/solutions in order to help them make better decisions. As an end-user (not an InfoSec pro) I would greatly appreciate whatever assistance the security team can give me that shrinks my "know-do" gap. 
JasonSachowski,
User Rank: Author
4/14/2014 | 8:45:53 AM
Re: Security Awareness Training or lack of it
You could tie this back to individual performance ratings, but are you able to 100% guarantee that every alert/event generated was intentional and that it was not a result of other factors (e.g. malware propagation)?

Could we say that the completion of scheduled awareness training, on whatever frequency, should be mandatory to remain employed? In that context, most organizations have established this requirement for employee acceptance of the business conduct policies, so the addition of security awareness training under this same requirement makes sense. While there are security topics that must be covered throughout an organization, there might be different levels to this training depending on role or job functions. Keep it simple and short by making security topics relevant, direct, and in practical (non-technical) language.

Aside from the scheduled awareness training, we have to look for ways to improve the marketing of our InfoSec services/solutions so that our employees are better equipped to make educated decisions and reduce the "know-do" gap. This strategy can be used to fill the time between scheduled training and further educate employees on new and/or existing security best practices, industry happenings, or at-home advice. With employees becoming much more mobile, it would be better to avoid generating "security reports" and focus more on using other means of communication such as informational posters on bulletin boards, rotational advertisements on internal displays, or even online forums to collaborate.
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 1:06:44 PM
Re: Security Awareness Training or lack of it
@JasonSachowski, you hit the nail on the head with your point about making user awareness personal and relevant to people's jobs. But how do you do that? Tie it to job performance? 
JasonSachowski,
User Rank: Author
4/11/2014 | 12:47:48 PM
Re: Security Awareness Training or lack of it
Not only should we conduct security awareness using industry best practices, but to expand on @Kwattman's comments below, we have to make it more personal and relevant to their jobs/lives to make it truly effective. There is most likely a percentage of every organization's workforce that does not truly understand what services/solutions are offered through their InfoSec teams that they can use to stay secure, or even how they as an employee contribute to the overall security posture of their organization.
Kwattman,
User Rank: Black Belt
4/11/2014 | 11:44:09 AM
Re: Security Awareness Training or lack of it
KnowBe4's Kevin Mitnick Security Awareness Training, Wombat, PhishMe are some of the top programs. Gartner is doing an MQ on the field this fall as the need has grown so much and will publish around October. 
Randy Naramore,
User Rank: Ninja
4/11/2014 | 11:36:16 AM
Re: Security Awareness Training or lack of it
True statement, once a year is not sufficient. Do you have examples of other programs?
Kwattman,
User Rank: Black Belt
4/11/2014 | 11:32:18 AM
Re: Security Awareness Training or lack of it
Part of the problem is that the 1x a year ineffective training gives security awareness a bad name. Users need behavior training that is closely tied with their workflow so they can get used to proper behavior. You have to tie it to something that makes sense to the user for it to be remembered easily. And do it repeatedly. That way it becomes instinctive, and when the user is rushed or behind in his/her work, they will still take the time to think about what they are doing. But they have to notice - and the only way to get that to happen is to bring awareness up and make it personal. There are some great programs that do this.
Marilyn Cohodas,
User Rank: Strategist
4/10/2014 | 12:23:11 PM
Re: Security Awareness Training or lack of it
I'm curious to know whether those who received training believed that it was worthwhile. And if not, what they think would be more effective.