
Educating the end user and eliminating the biggest security risk


When weighing up the biggest security hazards to an organisation, it may come as a surprise that the organisation's own end users are often the first point of compromise.

Through no fault of their own, and mainly due to a lack of awareness, employees frequently open the virtual gates to attackers.

With the rise in cybercrime, and the increase in the consumerisation of IT and BYOD, it is more important than ever to fully educate employees about the attacks they face and how to protect against them.

Although BYOD has given end users more flexibility, it has also given them more scope to cause security breaches.

Threat actors actively target end users as a primary route to compromise. Some criminals target the end user directly, for example to conduct financial fraud; others leverage the user to gain access to the organisation's IT infrastructure.


It is important to note that threat actors can also target end users on their home networks and mobile devices; those users then unwittingly carry the "infection" inside the organisation.

Increasingly, criminals use a technique called spear phishing: an attacker sends a highly targeted email, often laced with personal contextual details, that fools the user into clicking a link and, unknown to them, downloading malware.

Once installed, the malware gives the attacker access to the end user's device, which is then used as a launch point to harvest network information and expand control inside the network.
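The lure in a spear-phishing email usually hinges on a link that does not go where it appears to go. The following is an added example (not code from the original article or from Dell SecureWorks) of the link checks a trainer could walk through when dissecting such an email: visible URL text that differs from the real target, a trusted brand name embedded in an untrusted host, a raw IP address as the host, and punycode (IDN) hostnames. The `TRUSTED_DOMAINS` set, the email body and every domain in it are constructed for the demonstration.

```python
"""Added example (not from the original article): flag the link tricks used in
spear-phishing emails. The email body and all domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical domains the organisation genuinely uses. A host that merely
# *contains* one of these names but is not under it is treated as a lookalike.
TRUSTED_DOMAINS = {"corp.example.com", "example-bank.com"}

# Constructed phishing email: the first link's visible text names the bank but
# its href lands on an attacker-controlled host; the last link hides an IP host.
SAMPLE_EMAIL = """\
<p>Dear Alex, your payslip is ready.</p>
<a href="http://example-bank.com.secure-login.example.net/reset">https://example-bank.com/reset</a>
<a href="https://corp.example.com/intranet">Intranet</a>
<a href="http://198.51.100.7/login">Click here</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def is_trusted(host):
    """True only for an exact trusted domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def link_findings(text, href):
    """Return the reasons (possibly none) this link looks like a phishing lure."""
    reasons = []
    href_host = host_of(href)
    text_host = host_of(text) if "://" in text else ""
    if href_host.startswith("xn--") or ".xn--" in href_host:
        reasons.append("punycode (IDN lookalike) hostname")
    if href_host and href_host.replace(".", "").isdigit():
        reasons.append(f"raw IP address as host {href_host!r}")
    if text_host and text_host != href_host:
        reasons.append(f"visible URL {text_host!r} differs from target {href_host!r}")
    if not is_trusted(href_host):
        # e.g. example-bank.com.secure-login.example.net: the trusted name is a
        # prefix label of an untrusted host, which fools a quick glance.
        for d in TRUSTED_DOMAINS:
            if d in href_host:
                reasons.append(f"untrusted host {href_host!r} mimics {d!r}")
                break
    return reasons


def analyse_email(body_html):
    """Map each suspicious href to its reasons; an empty dict means no findings."""
    parser = LinkExtractor()
    parser.feed(body_html)
    findings = {}
    for text, href in parser.links:
        reasons = link_findings(text, href)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_email(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

Shown to a room of employees, the output makes the point of the article concrete: the link that reads `https://example-bank.com/reset` is the one that leaves the trusted domain entirely, while the plain `Intranet` link is clean.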

Due to the detrimental ramifications, it is vital that end users have a full understanding of the most common ways for threat actors to target them.

This includes telling employees that they will be targeted, encouraging them to be vigilant at all times, and teaching them what qualifies as sensitive data, how to identify and avoid threats, and what the acceptable use and security policies require of them.

It’s also crucial that end users understand their role and responsibilities in maintaining the organisation’s compliance with relevant regulations, such as PCI DSS for payment card data or HIPAA for health records.

In short, educating the workforce is critical and is a key requirement of information security standards such as ISO 27001.

There are a number of ways that security awareness training can be delivered to end users. The most popular tends to be the e-learning variety, where online courses covering the essentials of security awareness are mandated for all employees.

Such a course teaches users that they are a target, how to look out for social engineering and phishing, password security, handling of sensitive data, plus any specific compliance-driven requirements.

This is good for compliance and building a basic level of awareness, but it might not engage the user as well as it could.

The most effective way the CIO can deliver practical and memorable education is to make it real and physically demonstrate what can be achieved as a result of an attack.

Walking employees through a real-life example of someone clicking a link in an authentic-looking email shows what takes place behind the scenes and makes evident how much power the attacker acquires.

This illustrates precisely what a threat entails in an easy-to-understand and persuasive way.

BYOD means users must be aware of the risks and take responsibility for their own ongoing security as well as the business's.

Employees who manage both their work and private lives on one device access sensitive business information alongside personal information such as passwords and pictures.

Ensuring that they know the right procedures for accessing and protecting business information is crucial.

Making it personal and teaching employees how to protect their own data adds value by highlighting how a threat could impact their personal life as well as their employer.

Implementing best practice will then become second nature as people adopt the same practices in both their personal and professional lives.

While giving consideration to security awareness training to the whole organisation, special thought must be given to the education of an even more crucial group – the senior management team.

Most members of a typical SMT have very little knowledge or awareness of information security; it is not their domain and has traditionally been delegated.

However, the news today is filled with companies suffering severe reputational damage, and in some cases ceasing trading, because of information security breaches.

Getting time with the SMT to present a high-level analysis of the risks faced by the business and its market, with examples of businesses that did not take those risks seriously enough, should be high on any CIO's or CISO's priority list. It will also help when trying to secure investment to mitigate those risks.

Although end user education will help to reduce the risk of human error, it is impossible to eliminate it completely.

Protection of assets and detection of malicious activity is just as important, if not more so; the CIO needs to protect end users from their own mistakes.

Processes and technology can be put in place to limit and control what information end users can access within a network as well as the actions they can take.


In order to take control and minimise risk, end users should only have access to the information necessary for them to perform their roles (the principle of least privilege).

As a final point to consider, the security of an organisation relies on detection. Prevention is important but detection is crucial.

The key to tackling threats is establishing what normal behaviour looks like, so that anomalous activity can be identified.

If an organisation understands its baseline, it becomes a lot easier to spot abnormalities, such as excessive access to information or out-of-the-ordinary access requests.
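The two abnormalities named above, excessive volume and out-of-the-ordinary access, both fall out of a simple per-user baseline. The following is an added example (not code from the original article or from Dell SecureWorks) that builds that baseline from a window of historical access log lines and then scores a day under review against it. The log format, the users, the file paths and the thresholds (`k` standard deviations with a small absolute floor) are all constructed for the demonstration; a real deployment would read the same fields from a file server or identity provider's audit log.

```python
"""Added example (not from the original article): build a per-user access
baseline from historical log lines and flag departures from it.
Log lines, users and paths below are constructed for the demonstration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window. Each line: "<date> user=<name> resource=<path>".
BASELINE_LOG = """\
2020-06-22 user=alice resource=/hr/handbook.pdf
2020-06-22 user=alice resource=/hr/payroll/june.xlsx
2020-06-23 user=alice resource=/hr/payroll/june.xlsx
2020-06-23 user=alice resource=/hr/handbook.pdf
2020-06-24 user=alice resource=/hr/handbook.pdf
2020-06-22 user=bob resource=/eng/design.docx
2020-06-23 user=bob resource=/eng/design.docx
2020-06-23 user=bob resource=/eng/roadmap.pptx
2020-06-24 user=bob resource=/eng/design.docx
"""

# Constructed day under review: bob, an engineer, suddenly reads HR payroll
# files, and far more of them in one day than he has ever touched before.
REVIEW_LOG = """\
2020-06-25 user=alice resource=/hr/handbook.pdf
2020-06-25 user=bob resource=/eng/design.docx
2020-06-25 user=bob resource=/hr/payroll/june.xlsx
2020-06-25 user=bob resource=/hr/payroll/may.xlsx
2020-06-25 user=bob resource=/hr/payroll/april.xlsx
2020-06-25 user=bob resource=/hr/payroll/march.xlsx
2020-06-25 user=bob resource=/hr/payroll/feb.xlsx
"""


def parse(log_text):
    """Yield (date, user, resource) tuples; blank or malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "user" in fields and "resource" in fields:
            yield parts[0], fields["user"], fields["resource"]


def build_baseline(events):
    """Per user: the set of resources normally touched, plus daily-count mean/stdev."""
    per_day = defaultdict(lambda: defaultdict(int))   # user -> date -> count
    resources = defaultdict(set)                       # user -> {resource}
    for date, user, resource in events:
        per_day[user][date] += 1
        resources[user].add(resource)
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        baseline[user] = {
            "resources": resources[user],
            "mean": mean(counts),
            "stdev": pstdev(counts),   # population stdev: the window is all we have
        }
    return baseline


def detect(baseline, events, k=3, floor=2):
    """Return (user, date, reason) alerts for the events under review.

    Two abnormalities are reported: a resource the user has never accessed
    before, and a daily volume above mean + k*stdev. `floor` keeps a
    zero-variance baseline (same count every day) from alerting on +1 access."""
    per_day = defaultdict(lambda: defaultdict(int))
    alerts = []
    for date, user, resource in events:
        per_day[user][date] += 1
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, date, "no baseline for user"))
        elif resource not in profile["resources"]:
            alerts.append((user, date, f"unusual resource {resource}"))
    for user, days in per_day.items():
        profile = baseline.get(user)
        if profile is None:
            continue
        threshold = max(profile["mean"] + k * profile["stdev"],
                        profile["mean"] + floor)
        for date, count in days.items():
            if count > threshold:
                alerts.append((user, date,
                               f"{count} accesses exceeds threshold {threshold:.1f}"))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse(BASELINE_LOG))
    for alert in detect(profile, parse(REVIEW_LOG)):
        print(alert)
```

Alice's single access to a file she reads every day produces nothing; every alert is for bob, five for payroll files outside his history and one for the day's volume. A baseline this small is only illustrative: in practice the window should cover weeks, and the resource set should be generalised (for example to directories or data classifications) so that a user's first visit to a new but legitimate document does not page the on-call analyst.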


Sourced from Chris Yule, principal security consultant, Dell SecureWorks
