Empower Employees to Take Ownership of IT Security

Next-generation firewalls, anti-virus software and endpoint data encryption are all necessary to safeguard valuable and often sensitive information. Yet there is no silver technology bullet. Human errors cause the majority of information security breaches—I’ve seen stats that attribute more than half of breaches to human elements. And it takes human beings—“an army of foot soldiers,” to quote my colleague John McClurg—to defend an organization’s information assets.

The key to building that army is security awareness and training. A trained and educated workforce is an organization’s best defense against increasingly sophisticated and persistent cybercriminals.  And as headlines continue to highlight breaches and the need for a strong security program, it couldn’t be a better time to observe National Cyber Security Awareness Month. Now is the time for people to take greater responsibility for the security of the information they work with every day. 

Organizations with a security awareness program are 50 percent less likely to have staff-related security breaches than those without awareness training, according to one study. And though it’s virtually impossible to eliminate risk altogether, few measures, if any, are dollar-for-dollar as effective in reducing risk as security awareness training.

See Something, Say Something

Raising people’s awareness and instilling a sense of shared responsibility for protecting vital information assets is critical to securing them against the two most common threats: malicious insiders and external cybercriminals.

Insider threats are hard to discover with technology alone. Research at Carnegie Mellon University’s Computer Emergency Response Teams has repeatedly confirmed that most insider threats are first detected by other users who note something suspicious and report it. The cyber equivalent of ‘see something, say something.’ Users need training and awareness to know what to look out for and report it. And they must take responsibility for doing so.

Yet more rapidly evolving threats come from outside the organization, where the energy and effort that cybercriminals are expending to compromise sensitive data are rising exponentially. The social engineering used to prey on our gullibility and emotions grows more sophisticated and elaborate by the day. I recently got an email from the nurse at my child’s school alerting me to an accident on the playground and offering a link to the incident report. The email appeared to come from the school, contained my child’s name, as well as the correct name of the school nurse, yet it was a classic spear phishing attempt that I avoided only because I was aware of school policy against sharing such information via email.

Taking a Moment of Pause

An effective security awareness program teaches users to take what I call, ‘a moment of pause.’ Before reacting to any email containing links, users should inspect the message for suspicious indicators. This instinct to stop and examine email messages (or phone calls from people you don’t know) is the best defense against social engineering. It needs to become muscle memory for every user—not just a few cyber heroes—because threat actors are good at finding the people who are the most gullible and going after them.

Among the other key features of a successful security awareness and training program are:

  • Assessing the baseline level of security awareness within the organization to identify the gaps and develop a plan to address them.
  • Testing should be on-going to reinforce training and create a culture of security across the entire workforce. Testing first, then training, then testing again can demonstrate improvement that acts as a positive motivator. Phishing tournaments and other forms of testing can be powerful teaching tools as employees see first-hand what social engineering tricks have fooled them.
  • Response training gives first responders the skills and knowledge needed to effectively counter attacks. Understanding how to analyze spear phishing emails or phone calls to raise situational awareness, or how best to deal with a compromised machine is critical. (Hint: A common first impulse, rebooting the machine, is destroying valuable evidence; instead, disconnect it from the network to cut an intruder’s access.)
  • Threat detection is vital, since reducing risk to zero is impractical and some human error is inevitable. Detecting a compromise quickly is key to mitigating damage and maintaining business continuity. We’ve never encountered an enterprise with 100 percent awareness and zero percent risk. Ultimately, someone is going to get phished; so our answer is Advanced Endpoint Threat Detection (AETD), a 24×7 managed security service that can detect the compromise of the machine and reduce time it takes to respond, which minimizes the impact of that compromise.

AETD is part of Dell SecureWorks’ comprehensive suite of services that help organizations teach their employees secure behavior and how to reduce risk. They help employees understand that each individual is responsible for protecting an organization’s information assets and help build a culture of security.

Explore Dell’s approach to the human side of IT security at Dell.com/BetterSecurity4All and share your stories about IT security at #BetterSecurity4All on Twitter. Join us at Dell World 2014, Nov. 4 – 6, in Austin, to find out more about how to defend against wide-ranging threats—including spear phishing and social engineering—and how to enable business with more connected IT security.

About the Author: Jon Ramsey