Most CIOs are on top of their game when it comes to securing networks, encrypting sensitive data and keeping private customer information safe – chances are, you're one of those. But there's a glaring security flaw you may have overlooked: your end-users.
Preparing end-users to think securely
"Sure, you've invested in cutting-edge security software and you've got great IT talent – but you've also got end-users. Marketing, sales, administrative professionals: these are the folks who are woefully unprepared to deal with phishing scams and social engineering schemes, and it's the cause of a lot of breaches. It's a major part of the problem," says Anthony Harris, a security expert and subject matter expert (SME) with online education provider Cybrary.
Users can be your weakest link, sure, but they can also be your greatest asset, says Dr. Guy Bunker, Senior Vice President of Products at security solution provider Clearswift.
"Users are both the greatest asset and the weakest link when it comes to security. Users ‘know’ what is really happening in terms of processes and policies that are followed and those that are ignored – they can be a great barometer for gauging the effectiveness of security measures," says Bunker.
"This is particularly true for processes which are not secure, or not as secure as they could be. However, users have to be educated. They need to understand that for instance, with many types of malware there is an application installed – and for that to happen there will be some further interaction requested. So, for example, if they click on a link and the system then asks to install some software – it could well be malware, and so they need to report the incident to IT or follow a well-defined process," Bunker says.
Education is critical
Educating end-users about their role in organizational security best practices is one of the most effective ways to beef up your security strategy, says Cybrary's Harris. He's currently developing the curriculum for a course on that topic. It will cover everything from identifying the most common threats to end-users, to developing strong passwords, to the risks associated with BYOD and how to prevent common security breaches, Harris says.
"Mainly we're focusing the class framework on the persistent daily threats that end-users face and how to deal with them, as well as incorporating hands-on learning. We want end-users to know what a phishing e-mail looks like, for instance, and how they can check out the legitimacy of these social engineering tactics. End-users should be actively engaged in an organization's security strategy, not just following commands from leadership when they don't understand the rationale behind those best practices," Harris says.
Security communication is a two-way street
That's why effective security education must be a two-way street, says Clearswift's Bunker. Regular communication is needed and information must be shared – especially around targeted attacks, Bunker says. These communications around security don't have to be a big production – in fact, making security conversations part of everyday business can help end-users understand that security is something everyone should be concerned about, he says.
"You can send regular email bulletins or newsletters as well as offering more formal computer-based or instructor-led education and courses. You also should make the advice personal and applicable to their home life, as well, so the information's more likely to stick," Bunker says. Offer examples from published media reports, particularly successful phishing attacks and examples of infected documents, like those often sent to finance departments as a legitimate-looking invoice, to help employees recognize potential attacks, he says.
Back up education with solid strategy
Education and training must be backed up by a solid strategy and process for dealing with threats as they are identified or attacks if they occur, says Mike Ricotta, head of New York Development for security solutions provider Blue Fountain Media.
"A proper security strategy is the best way to get started, but enforcing and maintaining best practices is ultimately a responsibility of your operations folks," Ricotta says. "Often, your organization’s vulnerabilities won’t require a great deal of talent to maintain; sometimes just caring enough to make sure you’re up to date with the latest software upgrades and best practices is the best way to prevent intrusion. With social engineering remaining a leading cause of intrusion, limiting the 'human error factor' can be achieved with internal process, procedures and permissions," he says.
Technology is the last line of defense
Of course, all the education in the world isn't a foolproof solution, says Clearswift's Bunker. There are going to be times when your end-users click on a link they shouldn't, or install malware or activate a virus. It happens; have a plan in place to quickly report, identify and eliminate the problem to ensure your data and information are safe, he says.
"Make sure your end-users know who to call and how to report breaches when they happen – because even with your best efforts, they'll happen. The process doesn’t have to be big or complex – it should be a little like a fire drill, something people know about and do almost automatically because they have been educated often," Bunker says.
Finally, education and process need to be backed up with technology; people may be the first line of defense, but technology is the last, Bunker says. Advanced antivirus, antispam and adaptive data loss prevention solutions should be employed to watch for critical information loss across all channels: email, Web and even the endpoint.
"It is a combination of education, process and technology based solutions which help organizations minimize their information security risk. Forewarned is forearmed," Bunker says.