2014 was quite a year for hackers: Sony, Target, and Home Depot were all breached, and the breaches caused all kinds of havoc. As a result, security teams in both the public and private sectors are fighting hard to keep their networks safe.
Avoiding compromise from external forces is extremely important. However, agencies must also be mindful of employee behaviors that can cause data leaks from the inside. End-user error is often cited as the culprit for security problems. The answer to this particular vulnerability, therefore, is education.
According to InformationWeek’s 2014 Strategic Security Survey, “end user security awareness training” was ranked as the second most valuable security practice. Dark Reading’s recent article on the topic cements this fact and gives the following tips on how to make this training more effective:
Security professionals generally recognize the importance of security awareness training as part of an overall information security plan. Users need to know they have a role in securing the organization’s data.
But then there are high-profile security experts who disagree and feel that training is mostly a waste of time. Users are not information security experts and should not be expected to keep ahead of potential threats. These experts believe the focus on awareness training takes attention away from bigger industry issues such as failures in software design and lack of technical controls.
For most enterprises, it’s not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees. Rather, the question is, how much training is enough? The list of companies suffering data breaches is growing steadily, and many of them made significant investments in training, raising questions about its effectiveness.
“It’s weird that we are saying, ‘Don’t click,’ to users,” says Dave Aitel, CEO of Immunity, a security software company. Users should be allowed to do whatever they need to do for their jobs, and it’s IT’s job to create an environment with technical controls in place to protect them, he says.
The counterpoint is that users aren’t stupid and should share some responsibility in keeping their companies secure, says Jennifer Minella, VP of engineering with Carolina Advanced Digital. All employees, regardless of role or position, are expected to represent the company’s strategic goals and behave accordingly at work, at home, and on social media.
“Security is not siloed anymore, and everyone needs to work together on common business goals,” Minella says.
For more information on security awareness training, see the full Dark Reading article.