Many companies neglect to teach their teams about security awareness and end up paying for it when employees make mistakes or bad decisions that compromise corporate security. Fortunately, you don’t have to become a statistic. Here’s how to train your workers to help them recognize security risks and prevent corporate data from being breached.
Why It’s Important
Some of the worst security problems companies face originate in employee behaviour, such as setting weak passwords that security penetration (pen) testers can crack with little effort, or clicking links in unsolicited emails from untrusted parties.
Companies that perform pen testing frequently and consistently find simple security holes like these at many organizations. Even well-educated security experts sometimes slip up on basic security practices. By instilling good habits in your employees, however, you reduce the risk of your network being compromised and your sensitive data being stolen.
Sometimes security is also a matter of following local or national laws or regulations. For example, if you work in the healthcare or financial services industries, you are required to take special precautions to safeguard your clients’ and customers’ data - especially their personal health and financial data.
In these cases, maintaining a secure environment is not optional. It’s the law. Special servers, encryption protocols, and applications must be implemented and periodically tested, and employees must receive mandatory training on how to interact with, manage and maintain these security measures.
Make Security Fun and Memorable
Think back to the last security training class you had. How did it go? You can’t remember it? That’s probably because you were asleep. However, it may not be you; it might be the class. Let’s face it: long, comprehensive training classes can get very boring.
They fatigue the average individual and cause them to “zone out,” so they miss half of the information (at least). It’s far too easy to overload someone with information, especially when that information is new or nearly new to them.
The solution? Keep classes short and present information in bite-sized bits.
Most people can retain only a small amount of information when it’s being thrown at them. One approach is the Pomodoro method: give your employees an hour at most to study and learn new information, let them take a break, then present the next batch. If you want to stick to a strict Pomodoro method, limit training sessions to just 25 minutes each, with a 5-minute break between sessions.
You could also make it a sort of game. Gamifying security training increases the odds that employees will remember specific security lessons, and the “fun” factor will also increase the odds that they will actually use those lessons in the office.
Pen testing is often done when you update your website, create or add an application, update an application, or make any material changes to your network or server. It consists of allowing security or pen testers to undertake mock attacks against your network to proactively identify vulnerabilities. These testers should get full permission from you before attacking your network.
Once they have your permission, they will use every tactic they can think of to try to bring down your system. This includes both external and internal attacks. Pen testers use specialised hardware and software to launch attacks externally.
They will also use psychological “warfare,” or social engineering tactics, to try to gain access to your systems. Social engineering focuses on exploiting the psychological weaknesses of your staff. For example, one psychological tendency many people have is to be nice and helpful to strangers. While this is usually a good thing, in the context of security, it can be very bad.
For example, a pen tester may approach an employee and ask them to hold the door while the tester carries in cups of coffee, books, or a cart full of documents. A pen tester might also pose as IT personnel or low-level staff to gain access to a facility’s systems. Once inside, the tester has bypassed the external security measures and can take steps to compromise the system from within.
Cultivating a Culture of Security
So what’s needed? Your staff shouldn’t live in a state of permanent paranoia, but you should work to cultivate a culture of safety and security. This means training them to set and maintain difficult-to-break passwords, to practise good security habits such as not opening attachments from unknown emails, and to resist psychological attacks by not allowing unauthorized personnel into secured areas.
At the end of the day, your organisation’s first line of defence is your employees. By cultivating a culture of security from within through appropriate training practices, you build up your employees’ ability to recognize and defend the company against both internal and external attacks. You’ll also reduce your own liability and improve compliance with local and national laws and regulations.
About the Author
David Wray is a certified TigerScheme SST, with twenty years of experience in technical internet security. Beginning his career with the Peapod Group as a Firewall Engineer, David went on to found Sec-Tec Ltd in 2000, which specialises in penetration testing and technical assessment services.