3/23/2021
04:35 PM
Organizations Making Little Headway in Addressing Human Risk

Most enterprise security awareness efforts remain half-hearted, a new SANS survey shows.

Though human errors — such as falling for phishing scams that result in data compromise or credential theft — remain one of the top security risks for organizations today, few appear to be making much progress in addressing the problem.

The sixth and latest edition of the SANS Institute's annual security awareness report, released Tuesday, shows that enterprise initiatives for minimizing human risk continue to be little more than a part-time effort at many organizations.

The survey of more than 1,500 professionals involved in security awareness training found that 75% spend less than half their time on that task. When responsibility for the function was assigned at all, it commonly went to staff with heavily technical backgrounds who lacked the skills to engage the workforce in easy-to-understand terms.

"Overall, the data is trending the same" as in previous years, says Lance Spitzner, SANS security awareness director and co-author of the report. "Awareness continues to be a part-time effort, which is why so many organizations are struggling to effectively secure employee behavior and ultimately manage human risk."  

A lack of time and personnel continues to pose a big challenge for organizations seeking to build a mature security awareness program, the survey found. Organizations that had made progress in changing employee behaviors with their awareness programs had at least 2.5 full-time equivalent employees dedicated to the mission. Organizations with the most mature awareness programs had at least 3.5 full-time equivalents.

However, SANS found that the percentage of organizations reporting any staff dedicated full time to the security awareness function was low.

"Roughly 10% of organizations out there — represented by our respondents — have someone dedicated full time" to security awareness, Spitzner says. "That is similar to what we have seen over the past surveys, [so] no real change there."  

In most other cases, when an organization has someone working in security awareness, that person is in IT or security and already has numerous other responsibilities, he notes. The SANS survey found that salaries were, on average, higher for individuals handling security awareness part time alongside another role ($106,000) than for individuals dedicated to the role full time ($96,000).

As in past surveys, SANS polled respondents on their backgrounds and roles prior to working in security awareness: More than 800 of the 1,500 surveyed professionals had backgrounds in information security or information technology before they began work in security awareness. Fewer than 20% had a nontechnical background, such as marketing, communications, legal, or human resources.

The problem with having people from heavily technical backgrounds deliver training is that they can have a harder time communicating and teaching security fundamentals to nontechnical people. Though a certain level of technical expertise is essential for working in security awareness, experts in the field often perceive security as easy to understand simply because it is part of their daily life, SANS observed in its report.

"Human risk is a people problem, so it takes a human solution" to address it, says Spitzner.

However, that does not mean soft skills alone, with no technical grounding, are enough for a security awareness role.

"The awareness professional should be an extension of the security team," Spitzner notes. "This means they should have a basic understanding of cybersecurity, the models and frameworks involved, and perhaps a basic understanding of the technology and attackers involved."

They would also need to have a passion for learning and helping and have strong skills in communicating and partnering with others, he says.

The Right Focus
SANS said organizations should ensure that any person they put in charge of the security awareness function has a title that emphasizes the human risk aspect of the role, such as "human risk officer." Organizational leaders often tend to discuss the role in the context of awareness, training, engagement, or influence.

But those terms focus on what's being done rather than why it needs to be done, Spitzner says. "Managing human risk" is a better fit, he says, because "it aligns with leadership's strategic security priorities and explains why awareness needs to be an extension of the security team."

SANS found that security awareness programs typically garner the strongest support from the information security and IT teams, as well as from human resources, audit, and senior leadership. Conversely, the biggest opposition to these efforts typically came from operational teams and the finance group, likely because these are the two areas most affected by security awareness programs.

To address concerns from the finance group, SANS recommends that security leaders focus on the value of security awareness programs. One way to do that is to tally the cost of past breaches or compliance failures and compare it with the cost of the security awareness program. Similarly, to address the concerns of operational groups, the security awareness team should focus on ways to reduce work hours lost to training, for example by reducing the number of topics covered.

"Awareness is nothing more than another security control, one designed to manage human risk," Spitzner says. "Security teams need to be treating it as such."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.