Leon Erlanger is a freelance writer, consultant, and former PC Magazine Executive Editor who has spent the past eight ...
Many of today's targeted attacks, advanced persistent threats and other devastating intrusions exploit the weakest link in the enterprise network: users. Remarkably, these users are often quite sophisticated about security, yet they still fall for simple tricks such as attachments in generic-looking emails or phone calls asking them to divulge their login credentials. Others store confidential files at insecure file-sharing services for use on the road, or email them through personal, less protected email accounts.
Many think that the best answer to social engineering and carelessness is effective employee security education. But a growing number are saying don't bother, because experiments have shown again and again that no matter how much you educate your employees, even the most knowledgeable among them will continue to do careless things, and it doesn't take many careless things for an attack to succeed.
The answer most likely lies in the middle. Organizations would be irresponsible if they didn’t educate employees effectively about security policies, best practices, and their responsibilities. But as with any layer in a multilayered security strategy, assume education won’t work and take other measures to protect your network when the next employee does that stupid thing.
Employee security education should be:
Frequent: Employees should receive training more than just once when they join the company, and more than once a year thereafter.
Relevant: Employees need to understand the real-world risks of data theft, malware, and other threats, not just in the abstract but in terms of what happens to your particular organization if they don't follow prudent practices. It also helps to relate company security to the security of employees' own personal devices, which keeps them interested.
Role-based: Not everyone needs the same type of training. It’s best to have core security training for your entire company and then separate modules targeted to users’ data access and job responsibilities.
Up-to-Date: Education strategies and content should be continually updated to reflect current threats and trends, which change and evolve rapidly.
Interactive: Lectures alone won't do it. Employees need a forum in which to ask questions, plus exercises, discussions, games, and competitions, to digest the material adequately.
Multi-faceted: Posters, blog posts, newsletters, screen savers, competitions, attack simulations, and other methods can bring constant reminders to users who may forget to be vigilant without an occasional nudge.
Enforced: Employees must know that there will be consequences for falling for social engineering techniques they have been trained to avoid or engaging in activities that put the company at risk.
Once you assume that education won’t work, you then have to guard your network against the damage that can result from employee carelessness or bad intentions. These include:
This is just the most common subset of measures to protect your organization’s sensitive information. Your measures may vary. What is important to remember is not to depend too much on employee education. There’s one in every bunch.