We can put guard rails around users, and many of the security layers we’ll cover here do, but people still have to be educated on how to recognize and avoid social engineering attempts, suspicious websites, rogue Wi-Fi, and the like.
The primary defense at the human layer is education and testing.
Even though social engineering continues to be one of the biggest threats, most employees are lucky if they get 15-30 minutes of security training per year. And it probably bores them to tears.
The goal of a social engineering attack is to trick employees into doing something that will compromise their personal or employer’s security. People are conditioned to be trusting and helpful, so it’s going to take more than 15 minutes per year to change someone’s core behaviors.
Effective security awareness programs are:
- Ongoing and integrated into employees’ normal work routines
- Backed by behavior testing, such as mock phishing attacks and other simulations that force people to practice their skills
Jordan Schroeder, author of a very good book on the subject, Advanced Persistent Training: Take Your Security Awareness Programme to the Next Level, says:
I liken the problem to trying to get your entire workforce to lose 5 pounds. Once you start to think like that, you start to see that the problem is not “what’s the best video to show?” but rather, “how to help each person every day?”
Ransomware is quickly becoming one of the biggest threats. Most ransomware is delivered via phishing attacks or malicious websites, and in either case it needs a human to do something that we as IT pros don’t want them to do.
We’ve used this free ransomware course to educate employees about what ransomware is, the damage it can do, and how it gets on their computers. Feel free to incorporate the course into your own security awareness program.
Still not convinced you should invest in the human layer? Take 3 minutes and watch this: