Don’t Be the Weakest Link: Training Your Staff
By Genady Vishnevetsky
Earlier this year, IDC forecast that security spending will reach $81.7 billion in 2017, an increase of 8.2% from 2016. Enterprises from the Fortune 50 to small businesses continue to seek a silver bullet. The economy produces a dozen new security vendors every month who promise to solve all our problems. Yet, according to a 2017 Verizon report, 43% of users are still falling for simple social engineering attacks and 81% of users are still using weak or reclaimed passwords.
We all are focusing on the wrong things. If we look at the fundamental shift in the security paradigm over the past five years, we can’t ignore the fact that traditional network boundaries are erased, while inherent trust from social media drives many of our decisions. Protection is no longer working, so we shift to detection and response. Each of us carries at least one computer in our pocket that is as powerful as our desktop from five years ago; and it is always on, always connected.
Technology and protection are necessary, but we must shift our focus to what matters most – Dave, the weakest link. Our duty as security practitioners is to focus on continuous user education and awareness, but we must be careful with the approach we take.
When you are creating a security awareness program, consider these things:
- Make it relevant. Make it resonate with your audience. Give real-life examples from work or personal experience to show why your message does or does not make sense.
- Praise and reward. Use positive reinforcement. If five out of a hundred people clicked on a phishing email, report “we had a ninety-five percent resilience rate” instead of “we had a five percent failure rate”.
- Test, train, and test again. Consistency is important. Use training exercise results to tweak your program.
- Just-in-time training is the best way to modify behavior. Correct mistakes as soon as users make them.
- Be creative. CBTs (computer-based training modules) are boring. Engage your audience. If you’re using PowerPoint, make it dynamic. There are many good short videos available on YouTube for free.
Focus on Dave!
Genady Vishnevetsky serves as Chief Information Security Officer (CISO) for Stewart Information Services Corporation, and is an established leader with experience in building successful security programs and developing defenses against emerging threats. Genady will speak more in depth about this topic during a session titled “Don’t Be the Weakest Link: Training Your Staff” at ALTA ONE in October.