Many security professionals believe that end users are the weakest links when it comes to data security. In many ways, that’s true. In the course of a normal day, employees using company-issued or their own devices will come and go from the corporate network, browse the web and click stuff, and disable protections that make it hard to do their jobs—all while accessing sensitive corporate data. Plus, many are posting information online that makes social engineering and targeted phishing attacks easier than ever.
There’s no easy way to get users to take security threats seriously, but there are processes and technology you can put in place to help them help your organization be more secure.
Education and Awareness
Many organizations have mandatory security training for employees. It might happen as part of a new hire training program or it might be an annual online training event that everyone has to pass. That’s a great start. Here are three suggestions for taking education and awareness to the next level:
- Make sure your security training attendees know not only what your security policies are, but also why they are important for your organization.
- Conduct frequent training events. For most people, their day job is what gets their attention. Help them think about security more frequently than once a year.
- Make it fun and real. Don’t just roll out the same boring training videos each year. At a previous employer, we had “Security Weeks” with fun and educational lunch events like “Security Jeopardy” and “Go Phish” where we could learn about security and have fun at the same time.
Help Users Protect Themselves
Education is definitely important, though technology can play an important role too. The key is to understand what technology can help, given the changing nature of the modern IT environment. Today, the traditional strategy of relying on a perimeter defense no longer suffices. With more and more data passing directly from devices and endpoints to the cloud and bypassing any corporate firewalls, it’s critical to expand your security toolbox beyond firewall solutions.
Technologies that can help users protect themselves (without even knowing it) include tools that monitor user behavior, tools that help with endpoint monitoring, and tools that simply check that endpoints and applications are securely configured. Recognize that users need your help to keep your organization secure, and put the appropriate protections in place.