You Really Can’t Do Enough Security Training

When it comes to security training in the era of near-daily phishing and ransomware attacks, can your company ever be over-prepared?

Solution spending grows, but investment in people must as well.

Organizations spend a huge amount on security these days. Some large banks, for example, are now allocating as much as a billion dollars annually on cybersecurity – and two thirds of finance executives expect cybersecurity budgets to keep rising. The economics behind it are simple. Cybercrime is costs more than $3 trillion a year and that amount is expected to double in 2021. But much of this money goes on technology and implementation. 

Not nearly enough is directed toward the people and process side. Security training in particular is an area in need of improvement according to a new report by Computer Economics on Security Training Adoption and Best Practices 2021.

Security training certainly needs to improve how it accomplishes the in-depth and continuing training of IT personnel. It isn’t enough to train and update IT security staff. All of IT, and very definitely including developers, must become well-versed in security threats and technologies. 

But perhaps the biggest weakness is how organizations address the issue of ensuring that all personnel become well-trained in security. In an era of phishing and ransomware, you really can’t do enough security training of general personnel. 

Policy education alone is not enough.

In some companies, the security training given to staff only goes as far as insisting all users sign off on reading organizational security policies and procedures. But how much of it are they likely to retain? It is one thing to devise robust security policies and another thing to have them applied. Policy is of little value if IT personnel and users violate them or fail to be diligent in their application.

The Computer Economics report emphasizes that sound security policies must be supported by formal and consistent training of staff. They must become knowledgeable on the various threats they face, how to respond, and how to avoid being fooled by the latest phishing or social engineering ruse. They must understand that short cuts that circumvent security policies invite danger. 

Recent ransomware scares have emphasized the need for heightened security. But Computer Economics surveys reveal that too few organizations consistently and formally conduct security training. What this means, in effect, is that many organizations may have implemented some form of security training. But it is often doing it in a haphazard or hit-and-miss fashion. The report calls for organizations to evaluate existing training programs to determine where they can be improved. By raising the quality and comprehensiveness of security training initiatives, the number of breaches and attacks can be decreased.

Security training strengthens the human firewall.

Security training can help establish what might be considered a human firewall i.e. every employee is sufficiently clued in that they are actively on the alert for attacks, know when they face suspicious traffic, and apply peer pressure to knock out any sloppy security behavior they see around them. They realize that one inattentive person is all it takes to open the door to online predators. 

The face that the Computer Economics survey found that 86% of companies performing security training in 2020 stands in sharp counterpoint to the alarming rise in the number of security breaches of late. It takes more than technology to thwart cybercriminals and it is this human factor that must be addressed more forcefully via training. 

It isn’t hard to train personnel into a greater awareness of the threats they face. Read them in on the various forms of phishing and the other insidious practices employed by cybercriminals. And keep reading them in until IT no longer has to put out phishing fires on a regular basis. Companies such as Living Security and KnowBe4 offer programs that can set organizations on the road to heightened security via the building of a human firewall.

Next-generation firewalls not withstanding, the weakest point in your security infrastructure is invariably going to be your people. While your company may conduct a fire drill every year, a data breach is a much more likely scenario than a four-alarm blaze. Which is why frequent security training needs to be a frequent enterprise-wide undertaking.

 

 

Drew Robb
Drew Robb
Drew Robb has been writing about IT and engineering for more than 25 years. Originally from Scotland, he now lives in Florida.

Latest Articles