When weighing up the biggest security hazards to an organisation, it may come as a surprise to discover that the end user within the organisation is often the first to compromise security.
Through no fault of their own, and mainly due to a lack of awareness, employees frequently open the virtual gates to attackers.
With the rise in cybercrime as well as the increase in the consumerisation of IT and BYOD, it is more important than ever to fully educate employees about security attacks and protection.
Although BYOD has given them an increased level of flexibility, it has also given the end user even more potential to cause security breaches.
Threat actors actively target end users as a primary route to compromise. Some criminals target the end user directly, for example to conduct financial fraud; others leverage the user to gain access to the organisation's IT infrastructure.
It is important to note that threat actors can target end users on their home networks and mobile devices, who will then unwittingly bring the “infection” inside the organisation.
Increasingly these days, the criminals use a technique called spear phishing; an attacker sends a highly targeted email, often with personal contextual details that fools the user into clicking a link and, unknown to them, downloading malware.
Once downloaded, the malware provides access to the end user's device, which is then used as a launch point to harvest network information and expand control inside the network.
Due to the detrimental ramifications, it is vital that end users have a full understanding of the most common ways for threat actors to target them.
This includes telling employees that they will be targeted, encouraging them to be vigilant at all times, and teaching them what qualifies as sensitive data, how to identify and avoid threats, and what the acceptable use and security policies require.
It’s also crucial that end users understand their role and responsibilities in maintaining the organisation’s compliance with relevant regulations, such as PCI DSS for payment card data or HIPAA for health records.
In short, educating the work force is critical and is a key requirement of information security standards such as ISO27001.
There are a number of ways that security awareness training can be delivered to end users. The most popular tends to be the e-learning variety, where online courses covering the essentials of security awareness are mandated for all employees.
This would teach users that they are a target, how to spot social engineering and phishing, how to keep passwords secure, how to handle sensitive data, plus any specific compliance-driven requirements.
This is good for compliance and building a basic level of awareness, but it might not engage the user as well as it could.
The most effective way the CIO can deliver practical and memorable education is to make it real and physically demonstrate what can be achieved as a result of an attack.
Walking employees through a real-life example of someone clicking an authentic-looking email shows what takes place behind the scenes and makes evident the power the attacker acquires.
This illustrates precisely what a threat entails in an easy to understand and influential manner.
BYOD means users must be aware of the risks and take responsibility for their own ongoing security as well as the business's.
Employees who manage both their work and private lives on one device access secure business information, as well as personal information such as passwords and pictures.
Ensuring that they know the right procedures for accessing and protecting business information is crucial.
Making it personal and teaching employees how to protect their own data adds value by highlighting how a threat could impact their personal life as well as their employer.
Implementing best practice will then become second nature as people adopt the same practices in both their personal and professional lives.
While giving consideration to security awareness training to the whole organisation, special thought must be given to the education of an even more crucial group – the senior management team.
Most members of SMTs have very little knowledge or awareness of information security, as it is not their domain and has traditionally been delegated.
However, news today is filled with companies suffering severe reputational damage, and in some cases ceasing trading, as a result of information security breaches.
Getting time with the SMT to present a high-level analysis of the risks faced by the business and its market, with examples of businesses that did not take those risks seriously enough, should be high on any CIO's or CISO's priority list. It will also help when trying to secure investment to mitigate those risks.
Although end user education will help to prevent the risk of human error, it’s impossible to eliminate it completely.
Protection of assets and detection of malicious activity is just as important, if not more so; the CIO needs to protect end users from their own mistakes.
Processes and technology can be put in place to limit and control what information end users can access within a network as well as the actions they can take.
In order to take control and minimise risks, end users should only have access to the information necessary for them to perform their roles.
As a final point to consider, the security of an organisation relies on detection. Prevention is important but detection is crucial.
The key to tackling threats is determining what normal behaviour is, as an enabler for the identification of anomalous activity.
If an organisation understands its baseline, it becomes much easier to spot abnormalities, such as excessive access to information or out-of-the-ordinary access requests.
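The baselining idea above can be made concrete with a small script. The following is an added example, not code from the original article or from Dell SecureWorks; the log format, the user and resource names, and all the access counts are constructed for illustration. It learns each user's normal daily access volume and the set of resources they usually touch over a baseline window, then flags a later day for excessive access (count well above the user's mean), for access to a resource the user has never used before, and for a user with no baseline at all.

```python
"""Baseline normal per-user access behaviour, then flag anomalies.

Added example with constructed log lines of the form:
    <ISO timestamp> <user> <action> <resource>
"""
from collections import defaultdict
from statistics import mean, pstdev


def _synth(user, resource, date, n):
    """Build n constructed READ events for one user/resource on one date."""
    return [f"{date}T{9 + i:02d}:00:00 {user} READ {resource}" for i in range(n)]


# Constructed baseline window: five ordinary days for two users.
BASELINE_LOG = []
for day, (a, b) in enumerate(zip([4, 5, 3, 4, 4], [2, 3, 2, 3, 2]), start=1):
    date = f"2024-03-{day:02d}"
    BASELINE_LOG += _synth("alice", "hr-share", date, a)
    BASELINE_LOG += _synth("bob", "finance-db", date, b)

# Constructed observed day: alice pulls far more than usual and touches a
# resource she has never used; bob is normal; carol has no history at all.
OBSERVED_LOG = (
    _synth("alice", "hr-share", "2024-03-08", 11)
    + ["2024-03-08T21:00:00 alice READ finance-db"]
    + _synth("bob", "finance-db", "2024-03-08", 3)
    + ["2024-03-08T10:00:00 carol READ hr-share"]
)


def parse_line(line):
    """Split one log line into its fields; the date is the first 10 chars."""
    ts, user, action, resource = line.split()
    return {"date": ts[:10], "user": user, "action": action, "resource": resource}


def build_baseline(lines):
    """Per user: mean and spread of daily access counts, plus resources used."""
    per_day = defaultdict(lambda: defaultdict(int))
    resources = defaultdict(set)
    for ev in map(parse_line, lines):
        per_day[ev["user"]][ev["date"]] += 1
        resources[ev["user"]].add(ev["resource"])
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        baseline[user] = {
            "mean": mean(counts),
            # Floor the spread at 1 so a perfectly regular user is not
            # flagged for a single extra access.
            "std": max(pstdev(counts), 1.0),
            "resources": resources[user],
        }
    return baseline


def detect_anomalies(baseline, lines, sigma=3.0):
    """Compare a new window against the baseline.

    Returns (user, kind, detail) tuples where kind is one of
    'no_baseline', 'new_resource' or 'excessive_access'.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    findings = []
    flagged = set()  # de-duplicate (user, kind, detail) findings
    for ev in map(parse_line, lines):
        user, resource = ev["user"], ev["resource"]
        per_day[user][ev["date"]] += 1
        if user not in baseline:
            key = (user, "no_baseline", "")
        elif resource not in baseline[user]["resources"]:
            key = (user, "new_resource", resource)
        else:
            continue
        if key not in flagged:
            flagged.add(key)
            findings.append(key)
    for user, days in per_day.items():
        if user not in baseline:
            continue
        b = baseline[user]
        threshold = b["mean"] + sigma * b["std"]
        for date, count in days.items():
            if count > threshold:
                detail = f"{date}: {count} accesses, threshold {threshold:.1f}"
                findings.append((user, "excessive_access", detail))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(finding)
```

In practice the baseline would be learned from weeks of real audit logs rather than five constructed days, and the threshold would be tuned per role; the point is that once "normal" is known, both volume spikes and unusual access requests fall out of a simple comparison.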
Sourced from Chris Yule, principal security consultant, Dell SecureWorks