Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/27/2016
01:30 PM
Lance Spitzner
Lance Spitzner
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How To Build A Strong Security Awareness Program

To become more secure, focus your training and manage your top risks.

At the Security Awareness Summit this August in San Francisco, a video clip was shown that highlights the need to develop holistic security awareness. The segment showed an employee being interviewed as a subject matter expert in his office cubicle. Unfortunately, all his usernames and passwords were on sticky notes behind him, facing the camera and audience for all to see.

I bring this story up not to pick on this poor chap but to highlight the fact that security awareness is about human behavior, first and foremost. Understand that point and you are well on your way to building a more secure culture and organization.

My work as director of the Security Awareness Training program at the SANS Institute affords me a view across hundreds of organizations and hundreds of thousands of employees trying to build a more secure workforce and society. As we near the end of this year's National Cyber Security Awareness Month, here are two tips to incorporate robust security awareness training into your organization and daily work.

1. Focus the Training
Changing behavior is hard. But security awareness training shouldn't be. Most training is just too hard for many users. "Too hard" has many definitions: Too long. Too much. Too often. Too boring. Too many behaviors. In general, many organizations make the mistake called cognitive overload, which is when you dump so much on employees that they simply forget it all. Sound familiar?  There is a better way. Keep the training short and sweet and focused on what will really mitigate your risks. Avoid cognitive overload by taking the time up front to ensure engagement and relevance. 

2. Manage the Top Three
To build a mature security awareness program, you need to identify your top human risks and focus on them. Too often, organizations attempt to eliminate all human risk by covering too many topics. As a result, employees are bombarded with numerous, haphazard behaviors they must follow and too many messages, resulting in cognitive overload.

Often the hardest part of awareness is not determining what to train on, but determining what to cut and not include. One key step is to conduct a human risk assessment for your organization. When I look across the more than a thousand clients we work with and the results of this year's Verizon Database Investigations Report (where over half of the breaches in 2015 were human factor-related), three big human risks emerge.

  • Phishing: The focus here is on the behaviors we need to develop so people know the indicators of a phishing attack along with what to do when they detect such an attack as well as how to report such an attack and feel comfortable doing so. Note the nuance here. Focus on the secure behaviors needed to thwart an attack. Unfortunately, phishing is where many awareness programs not only start but also end. Phishing training is an important part of building a holistic security awareness program, but it's not enough by itself."
  • Passwords: The most critical aspect of password security is how people use their passwords. Are they sharing their passwords with coworkers? Are they setting unique passwords for each site? I love passphrases and password managers because they help address the underlying behavioral element of password security. And the ultimate solution whenever possible? Two-step verification.
  • Accidental: While deliberate attacks are a fact of life, many security issues arise from simple employee accidents or oversight. Leaving your mobile phone in a cab, freely sharing documents without realizing they have highly sensitive data in them, or accidently emailing the wrong person because auto-complete in your email client set the recipient to the wrong (but similar) name.

These top three are a good start, but what's important is managing the risk presented by humans in and around your organization, so take the time to understand what matters for your company and create your own top three. 

Related Content:

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Lance Spitzner is an internationally recognized leader in the field of cyber threat research and security training and awareness. He sits on the board of the National Cyber Security Alliance and helped develop and implement numerous multi-cultural security awareness programs ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...