Dark Reading is part of the Informa Tech Division of Informa PLC

3/23/2021 04:35 PM
Organizations Making Little Headway in Addressing Human Risk

Most enterprise security awareness efforts remain half-hearted, a new SANS survey shows.

Though human errors — such as falling for phishing scams that result in data compromise or credential theft — remain one of the top security risks for organizations today, few appear to be making much progress in addressing the problem.

The sixth and latest edition of the SANS Institute's annual security awareness report, released Tuesday, shows that enterprise initiatives for minimizing human risk continue to be little more than a part-time effort at many organizations.


The survey of over 1,500 professionals involved in security awareness training found 75% spend less than half their time on that task. When responsibility for the function was assigned, it went commonly to staff with overly technical backgrounds and not enough skills for engaging the workforce in easy-to-understand terms.

"Overall, the data is trending the same" as in previous years, says Lance Spitzner, SANS security awareness director and co-author of the report. "Awareness continues to be a part-time effort, which is why so many organizations are struggling to effectively secure employee behavior and ultimately manage human risk."  

A lack of time and personnel continues to pose a big challenge for organizations seeking to build a mature security awareness program, the survey found. Organizations that had made progress in changing employee behaviors with their awareness programs had at least 2.5 full-time-equivalent employees dedicated to the mission. Organizations with the most mature awareness programs had at least 3.5 full-time employees.

However, SANS found the percentage of organizations that actually reported having staff of any size dedicated full time to the security awareness function was low.

"Roughly 10% of organizations out there — represented by our respondents — have someone dedicated full time" to security awareness, Spitzner says. "That is similar to what we have seen over the past surveys, [so] no real change there."  

In most other cases, when an organization has someone working in security awareness, that person is in IT or security and already has numerous other responsibilities, he notes. The SANS survey found salaries, on average, were higher for individuals in other roles handling security awareness on a part-time basis ($106,00) than for individuals dedicated to the role on a full-time basis ($96,000).

As in past surveys, SANS polled respondents on their backgrounds and roles prior to working in security awareness: More than 800 of the 1,500 surveyed professionals had backgrounds in information security or information technology before they began work in security awareness. Less than 20% had a nontechnical background, such as marketing, communications, legal, and human resources. 

The problem with having people with overly technical backgrounds performing training is they can have a harder time communicating and teaching security fundamentals to nontechnical people. Though a certain level of technical expertise is essential for working in security awareness, experts in the field can often perceive security as being easy to understand simply because it is part of their daily life, SANS observed in its report.

"Human risk is a people problem, so it takes a human solution" to address it, says Spitzner.

However, that does not mean completely nontechnical soft skills alone are enough for a security awareness role.  

"The awareness professional should be an extension of the security team," Spitzner notes. "This means they should have a basic understanding of cybersecurity, the models and frameworks involved, and perhaps a basic understanding of the technology and attackers involved."

They would also need to have a passion for learning and helping and have strong skills in communicating and partnering with others, he says.

The Right Focus
SANS said organizations should ensure that any person they put in charge of the security awareness function has a title that emphasizes the human risk aspect of the role — for example, "human risk officer." Often, organizational leaders have a tendency to discuss the role in the context of awareness, training, engagement, or influence.

But those terms focus on what's being done rather than why it needs to be done, Spitzner says. "Managing human risk" is a better fit, he says, because "it aligns with leadership's strategic security priorities and explains why awareness needs to be an extension of the security team."

SANS found that security awareness programs typically garner the strongest support from the information security and IT teams, as well as human resources, audit, and senior leadership. Conversely, the biggest opposition to these efforts typically existed within operational teams and the finance group — likely because these are two areas affected most by security awareness programs.

To address concerns from the finance group, SANS recommends security leaders focus on the value of security awareness programs. One way to do that would be to consider the cost of past breaches or compliance failures and compare it to the cost of the security awareness program. Similarly, to address the concerns of operational groups, the security awareness group should focus on ways to reduce lost work hours due to training — by, for example, reducing the number of topics to focus upon.

"Awareness is nothing more than another security control, one designed to manage human risk," Spitzner says. "Security teams need to be treating it as such."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...