Security training is lacking: Here are tips on how to do it better
Humans are the weakest link in the enterprise security chain. But a survey finds that more than half aren’t getting any security awareness training at all. The good news is that there is plenty of advice on how to do it, and do it better.
It is now common knowledge across the information security industry that human weaknesses, not technological flaws, are what put enterprises most at risk from cyber attacks.
But it is apparently not common enough throughout the enterprise sector. A recent report by Enterprise Management Associates (EMA) found that 56% of workers may not receive any security awareness training (SAT) at all.
The report, titled “Security Awareness Training: It’s Not Just for Compliance,” is based on a survey of 600 people working for companies ranging from fewer than 100 employees to more than 10,000.
Any doubts about the need for SAT should have been dispelled by last year’s Verizon Data Breach Investigations Report (DBIR), which found that four out of five breaches were caused by stolen credentials, usually the result of social engineering attacks or weak passwords. And there is abundant evidence that social engineering attacks have become much more sophisticated, and therefore more successful.
Jeffrey Bernstein, executive vice president of Critical Defence, whose firm does post-breach forensic investigations, said he knows first-hand that “more often than not a human mistake is the root cause of most successful breaches that we investigate.”
He said that in the social engineering element of penetration tests done by his firm, 75% of the time “we tricked end-users into doing something they should not have done, like click a malicious link, enter a user name and password, open a malicious attachment, etc.”