Enterprises invest in all the latest security technologies but often neglect an absolutely fundamental component of information security: end users. Organizations can employ the best technology practices, such as next-generation firewalls, anti-malware and intrusion prevention systems. Corporations these days understand that security should be ‘baked in’ during the software design phase; they train their application development staff in secure coding, and they even rigorously pentest (penetration test) to assure they haven’t overlooked anything a cybercriminal might easily exploit. Beyond this are countless technology, people and process investments, which often exclude end user training. Despite these many prudent investments, they ignore a key weak point: a staff lacking an understanding of information security basics. Herein we’ll explore why your employees are your weakest link in securing your organization and how you can address it.
Most end users (through no fault of their own) are not information security experts. The fact is, we can’t blame them, but we can do our best to arm them with knowledge. End users need a clear understanding of information security, in terms they can easily grasp. When they possess this knowledge they are less likely to click on that phishing link, install ransomware or open that malicious file attachment. Just as worrisome is the fact that most employees don’t know how to spot the social engineering or physical security threats they face daily. When users understand security fundamentals, we arm them to better defend our organization by behaving in ways that improve our security posture.
Security Awareness Training
To be absolutely clear, end users are not at fault in this equation. Rather, it is the responsibility of IT and business leadership to spearhead these efforts. End user training turns our once vulnerable user base into our greatest security asset. This small investment in end user training pays huge dividends when you find your staff is no longer a major source of your security incidents. Information security training is as worthwhile an investment as any technology in your defense-in-depth strategy.
Ongoing Security Training
Security awareness training, like almost any knowledge base, isn’t a one-time thing. Instead, information security awareness training should be an ongoing process that keeps your staff abreast of the evolving threat landscape. At the very minimum it should be an annual process, with consistent processes that keep employees aware of threats as they appear. Is your organization doing this now? If not, why not? As always, please do leave a comment below or drop us a message.