As much money as your enterprise invests in the latest information security solutions, a breach is inevitable if your people are not well-informed about security risks and compliant with security best practices. And with a larger cohort of people working remotely, the risks have multiplied since the start of the pandemic.

Verizon’s 2021 Data Breach Investigations Report (DBIR), a study of breaches among its corporate clients, shows that the human element plays a role in a significant portion of enterprise breaches. Some 36% of breaches involved phishing, up 11 percentage points. This reflects the surge in COVID-19 related phishing scams as the world went into lockdown.

Moreover, ‘error actions’ accounted for 17% of breaches. This relates both to end-user errors such as mass emailing information to the wrong distribution list, as well as systems administrators making mistakes such as configuration errors when setting up information security defences.

Add end-user failings such as using weak or default passwords into the mix, and it’s easy to understand how many (if not most) breaches could be prevented by addressing human error and poor judgement. Here are some best practices around end-user training and information security policy to address the human element in information security.

  1. Create clear and understandable policies 

Most information security experts agree that codifying your information security policy in a policies and procedures document is the starting point for a secure company. The document should be written in plain language and outline the end-user’s roles and responsibilities when it comes to information security. It would include information such as:

  • What users must do in terms of security—for example, use multi-factor authentication; create passwords of 16 characters comprising a mix of letters, numbers and special characters; and connect via secure VPN when working remotely.
  • What users must not do—for example, use unauthorised services and apps; install unsanctioned browser extensions; or give their passwords to someone over the phone or email.
  • What they should look out for—for instance, how to identify a dodgy website or a phishing scam on email.
  • What actions they should take in the event of a suspected breach—who to contact and the processes to follow.
  1. Embrace continuous training 

End-user training is the centrepiece of an effective approach to information security. When new team members join, a rundown of the company’s information security policies and procedures should be a key part of the onboarding process. Existing employees can be kept up to speed via bite-sized digital training programmes—these could include tactics such as gamification and badges to make them more engaging.

Since the information security landscape is constantly evolving, it’s important to keep people up to date with the latest threats and risks. Continuous training will also help to keep security top of mind and prevent complacency from setting in. A regular security bulletin or newsletter is one effective tactic.

  1. Try to make it easy to comply 

The days of IT teams developing information security systems and practices in a vacuum are coming to an end. Forward-thinking IT departments are taking a more user-centric approach, looking for ways to make security as simple for and invisible to the end-user as possible. Security processes that are too cumbersome will hamper productivity and may cause users to opt for shadow IT instead of using authorised company resources.

Writes Tim Wilson of Dark Reading: “Some security policies are developed in a vacuum, without proper research on how individuals operate within the business. If a policy restricts data that users routinely need to do their jobs, you can be sure the letter of the policy will be violated. If the policy can be easily circumvented, you can be sure the spirit of the policy will be violated.”

  1. Explain the ‘why’ 

Despite the best efforts of the IT team, adhering to best practices in security will introduce some friction into the end-user’s work experience. Whether it’s needing to remember multiple long passwords or being forced to use the company’s secure filesharing service rather than the app the user prefers, your security processes will at some point annoy end-users.

Explaining why these processes are necessary can help to get their buy-in. “Many end users don’t take security policies seriously because they’ve never actually seen the impact of a break-in or insider exploit on an employee or a business,” says Wilson. He suggests that companies show users how security procedures prevent breaches as well as the potential impact of a breach on the company.

  1. Put end-users’ knowledge to the test 

Social engineering scams via phishing attacks are arguably the biggest risk a company will face once it has put the right technology in place to protect its perimeter, end-points and data. It’s important to keep end-users on their toes and to check that they know how to recognise a phishing attempt. A blog post from ProServeIT recommends using a built-in feature of Office 365 to help:

“One of the cool features about Office 365 is the ability to send fake phishing emails to your employees/end-users to test whether or not they’d click on a malicious link, or engage in other unsafe behaviour. These emails are a fully-customisable, generated email that fakes a phishing attack and provides reporting on the end-users that failed the test.”

  1. Monitor compliance 

Finally, it’s important to monitor and enforce compliance. Your systems can help here by enabling you to set parameters such as the length of passwords, how often passwords must be changed and whether multifactor authentication should be the default. Other tools allow you to track which websites users are browsing or flag violations such as emailing of sensitive information.

When a user is caught violating policy, the company should take action to show its policies have teeth. For small and accidental violations, a reminder of company policy via a quick chat or email will usually be enough to set the user on the right path. Disciplinary action may be necessary for severe or persistent transgressions.

The enemy within

Human weaknesses—among them, laziness, complacency, ignorance—are the biggest dangers to the integrity of a company’s systems and data. To keep your information secure, it’s not enough to invest in technology. You also need to strengthen the human firewall with information, tools and policies that enable them to protect your business.

References:

https://www.verizon.com/business/en-gb/resources/reports/dbir/

https://www.darkreading.com/vulnerabilities—threats/10-ways-to-get-users-to-follow-security-policy/d/d-id/1128525

https://www.proserveit.com/blog/end-user-education-best-cybersecurity-defense

[Photo by Pixabay on Pexels]