Feb 25, 2019
No matter how secure your software, or how comprehensive your security policy, your organisation is put at risk each and every day. The culprit? Your employees: the people who use your software and implement your security policy.
To help reduce the human risk to security, I'm looking at 6 crucial components of an effective end user security training program.
1) Phishing Awareness
Phishing attacks harness the power of social engineering to trick end users into relinquishing sensitive information and login credentials. Whilst many phishing attacks rely on brute force (sending thousands of emails in the response of one or two responses), hackers are increasingly using 'spear phishing' attacks - faking personalised communication from trusted sources, in order to gain access to secure services and data. Spear phishing attacks are much harder to identify and avoid, so it's essential to raise awareness of the common characteristics and sources of phishing, including:
- Messaging apps
- Social media
- Web browsers
2) Password Security
Passwords are the first layer of defense in many security systems, but unfortunately, they aren't infallible. Without the help of a password management system, it's left to the end user to choose a secure password and commit it to memory. As Adobe's famous data breach can testify to, this is easier said than done - with 5.96 million of their leaked login credentials appearing in a list of the top 100 most commonly used passwords. It's important to educate your users about the best practices of password security, and implement mandated measures to ensure that secure practices are always followed.
3) Shadow IT
Despite an organisation's best efforts, it's commonplace for the end users of an IT network to take it upon themselves to install and use unapproved software applications. This practice is known as Shadow IT, and with the growth of the Bring Your Own Device trend and cloud-based applications, it's easier than ever for employees to download and use insecure software.
The growing shift towards Bring Your Own Device working pose a unique set of risks. In order to protect your sensitive information, whether it's stored locally on a desktop PC, remotely in a cloud storage account, or accessed on a tablet or smartphone, it's important to educate end users about the best practices of secure remote working. This includes implementing a BYOD policy, preventing local storage of secure corporate data on personal devices, and protecting data-in-motion with some form of encryption.
5) WiFi Security
Whether employees work from home, the office, or even a local coffee shop, it's important for end users to understand the risks associated with wireless networks, particularly "evil twin" and "war driver" attacks. "Evil twin" attacks create fake WiFi networks with the same name and credentials as legitimate wireless networks. When an end-user connects to the fake network, the attacker can capture sensitive information and login credentials. "War driver" attacks compromise non-secure wireless networks, and intercept any information being exchanged in the network. This can be problematic when end users connect to your organisation's non-secure wireless networks (like a Guest WiFi account) instead of a password protected network, and use them to access and transfer sensitive information.
6) PCI Compliance
End users play a crucial role in ensuring compliance with essential regulations and legislation. Compliance with Digital Security Standards is required of all organisations that process debit and credit card information; and with each job function and role in your organisation engaging with payment information in a different way, it's essential for every end user to understand the principles of PCI DSS.