Dark Reading is part of the Informa Tech Division of Informa PLC
Comments
Majority Of Users Have Not Received Security Awareness Training, Study Says
Bprince
User Rank: Ninja
4/17/2014 | 12:54:05 AM
Re: Security Awareness Training or lack of it
I find it hard to believe, Johnrobie, that security loses in a risk versus cost argument, but I suppose that given the survey's findings it is entirely possible. Enterprises can design their own security awareness programs, though, so I would think that costs could be controlled. In the end, I think security awareness programs should just be another layer of layered security.

http://www.securingthehuman.org/resources/planning
Kwattman
User Rank: Black Belt
4/14/2014 | 10:23:55 AM
Security awareness best practices
To add to the prior conversation, these days you need to have an employee security education and behavior management program in place which first establishes a baseline phish-prone percentage, then a thorough training program that covers the main attack vectors, and then constant repetition that effectively influences the behavior of the employee at their place of work, which is the inbox they work out of every day.

The security awareness program administrator needs to think like a PR/Marketing manager. They need to promote the program, "sell" it to the whole organization, and make it as easy as possible to deploy the program with the minimum amount of disruption and loss of time.

The easiest way to do this is to send all employees regular simulated phishing attacks using various topics like banking, current events, IT, healthcare, social networking and more. If an employee clicks on a link, they get instant feedback that they clicked on a phishing link. These clicks get tracked and reported to the program administrator. The program administrator can then work with HR to get the employee better trained and, if it is repeated over and over with no change, determine what kind of improvement process needs to take place in alignment with individual company policies. This makes it cooperative and not just an IT problem.
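The tracking side of what Kwattman describes above (a baseline phish-prone percentage, per-click attribution, repeat clickers flagged for follow-up) is small enough to show end to end. The block below is an added illustration, not code from the page or from any of the products named in this thread. Everything in it is constructed: the HMAC secret, the five-person roster, the two campaign names and the click log. The one design point worth taking from it is that the per-recipient token in the landing URL is an HMAC of campaign and user rather than a plain hash or a sequential ID, so a token cannot be guessed or forged without the secret; that keeps the metrics honest and stops one employee from generating clicks under another's name.

```python
"""Toy phishing-simulation tracker (added example; not from the page or any vendor).

Assumptions, all constructed for illustration: a fixed HMAC secret, a five-name
roster, two campaign identifiers and a hand-written click log. Nothing here
sends e-mail; it only shows how clicks are attributed and reported.
"""
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: per-deployment secret
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin"]  # constructed roster


def make_token(secret: bytes, campaign_id: str, user: str) -> str:
    """Per-recipient tracking token embedded in the simulated phishing URL.

    HMAC over campaign:user, so a token cannot be derived from a user name or
    enumerated; only the token map built from the same secret resolves it.
    """
    msg = f"{campaign_id}:{user}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_campaign(secret: bytes, campaign_id: str, users) -> dict:
    """Token -> user map the landing page uses to attribute a click."""
    return {make_token(secret, campaign_id, u): u for u in users}


def resolve_clicks(campaigns: dict, log_lines) -> tuple:
    """Parse constructed 'campaign_id<TAB>token' log lines.

    Returns ({campaign_id: [users who clicked, one entry per click]}, rejected)
    where rejected counts tokens that do not resolve (forged, mistyped, or
    from an unknown campaign). Those are dropped rather than counted.
    """
    history = {cid: [] for cid in campaigns}
    rejected = 0
    for line in log_lines:
        cid, token = line.rstrip("\n").split("\t", 1)
        user = campaigns.get(cid, {}).get(token)
        if user is None:
            rejected += 1
        else:
            history[cid].append(user)
    return history, rejected


def phish_prone_percentage(users, clickers) -> float:
    """Share of the roster that clicked at least once; repeat clicks by the
    same person do not inflate the number."""
    return round(100.0 * len(set(clickers)) / len(users), 1)


def repeat_clickers(history: dict, min_campaigns: int = 2) -> list:
    """Users who clicked in at least `min_campaigns` distinct campaigns:
    the 'repeated over and over' case the comment says goes to HR."""
    counts = defaultdict(int)
    for clickers in history.values():
        for u in set(clickers):
            counts[u] += 1
    return sorted(u for u, c in counts.items() if c >= min_campaigns)


def run_demo() -> dict:
    """Baseline campaign, a follow-up campaign, and a forged-token attempt."""
    ids = ("q1-baseline", "q2")
    campaigns = {cid: build_campaign(SECRET, cid, EMPLOYEES) for cid in ids}

    def t(cid, user):
        return make_token(SECRET, cid, user)

    # Constructed click log: the baseline catches three people (alice twice),
    # the Q2 campaign catches only bob, and one line carries a guessed token.
    log = [
        f"q1-baseline\t{t('q1-baseline', 'alice')}",
        f"q1-baseline\t{t('q1-baseline', 'bob')}",
        f"q1-baseline\t{t('q1-baseline', 'carol')}",
        f"q1-baseline\t{t('q1-baseline', 'alice')}",
        f"q2\t{t('q2', 'bob')}",
        f"q2\t{t('q2', 'bob')}",
        f"q2\t{'0' * 32}",  # forged token: must not count as anyone's click
    ]
    history, rejected = resolve_clicks(campaigns, log)
    rates = {cid: phish_prone_percentage(EMPLOYEES, history[cid]) for cid in ids}
    return {"rates": rates, "rejected": rejected, "repeat": repeat_clickers(history)}


if __name__ == "__main__":
    print(run_demo())
```

Running it reports a 60% baseline, 20% on the second campaign, one rejected token, and bob as the only repeat clicker. In a real deployment the secret would live with the campaign tooling, not in source, and the token map would be per campaign so an old campaign's tokens expire with it.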
Marilyn Cohodas
User Rank: Strategist
4/14/2014 | 9:01:29 AM
Re: Security Awareness Training or lack of it
I really like your idea about making people more aware of their organizations' InfoSec services/solutions in order to help them make better decisions. As an end-user (not an InfoSec pro) I would greatly appreciate whatever assistance the security team can give me that shrinks my "know-do" gap. 
JasonSachowski
User Rank: Author
4/14/2014 | 8:45:53 AM
Re: Security Awareness Training or lack of it
You could tie this back to individual performance ratings, but are you able to 100% guarantee that every alert/event generated was intentional and not a result of other factors (e.g. malware propagation)?

Could we say that the completion of scheduled awareness training, on whatever frequency, should be mandatory to remain employed? In that context, most organizations have established this requirement for employee acceptance of the business conduct policies, so the addition of security awareness training under this same requirement makes sense. While there are security topics that must be covered throughout an organization, there might be different levels to this training depending on role or job functions. Keep it simple and short by making security topics relevant, direct, and in practical (non-technical) language.

Aside from the scheduled awareness training, we have to look for ways to improve the marketing of our InfoSec services/solutions so that our employees are better equipped to make educated decisions and reduce the "know-do" gap. This strategy can be used to fill the time between scheduled training and further educate employees on new and/or existing security best practices, industry happenings, or at-home advice. With employees becoming much more mobile, it would be better to avoid generating "security reports" and focus more on using other means of communication such as informational posters on bulletin boards, rotational advertisements on internal displays, or even online forums to collaborate.
Marilyn Cohodas
User Rank: Strategist
4/11/2014 | 1:06:44 PM
Re: Security Awareness Training or lack of it
@JasonSachowski, you hit the nail on the head with your point about making user awareness personal and relevant to people's jobs. But how do you do that? Tie it to job performance? 
JasonSachowski
User Rank: Author
4/11/2014 | 12:47:48 PM
Re: Security Awareness Training or lack of it
Not only should we conduct security awareness using industry best practices, but, to expand on @Kwattman's comments below, we have to make it more personal and relevant to their jobs/lives to make it truly effective. There is most likely a percentage of every organization's workforce that does not truly understand what services/solutions are offered through their InfoSec teams that they can use to stay secure, or even how they as employees contribute to the overall security posture of their organization.
Kwattman
User Rank: Black Belt
4/11/2014 | 11:44:09 AM
Re: Security Awareness Training or lack of it
KnowBe4's Kevin Mitnick Security Awareness Training, Wombat, PhishMe are some of the top programs. Gartner is doing an MQ on the field this fall as the need has grown so much and will publish around October. 
Randy Naramore
User Rank: Ninja
4/11/2014 | 11:36:16 AM
Re: Security Awareness Training or lack of it
True statement, once a year is not sufficient. Do you have examples of other programs?
Kwattman
User Rank: Black Belt
4/11/2014 | 11:32:18 AM
Re: Security Awareness Training or lack of it
Part of the problem is that the ineffective once-a-year training gives security awareness a bad name. Users need behavior training that is closely tied to their workflow so they can get used to proper behavior. You have to tie it to something that makes sense to the user for it to be remembered easily. And do it repeatedly. That way it becomes instinctive, and when the user is rushed or behind in his/her work, they will still take the time to think about what they are doing. But they have to notice, and the only way to get that to happen is to bring awareness up and make it personal. There are some great programs that do this.
Marilyn Cohodas
User Rank: Strategist
4/10/2014 | 12:23:11 PM
Re: Security Awareness Training or lack of it
I'm curious to know whether those who received training believed that it was worthwhile. And if not, what they think would be more effective.