Many of today’s targeted attacks, advanced persistent threats and other devastating intrusions exploit the weakest link in the enterprise network: its users. Remarkably, these users are often quite sophisticated about security, yet they still fall for simple tricks such as attachments in generic-looking emails or phone calls asking them to divulge their login credentials. Others store confidential files on insecure file-sharing services for use on the road, or send them through personal, less protected email accounts.
Many think the best answer to social engineering and carelessness is effective employee security education. Interestingly, a growing number now say don’t bother: experiments have shown again and again that no matter how much you educate employees, even the most knowledgeable among them will keep doing careless things, and it doesn’t take many careless things for an attack to succeed.
The answer most likely lies in the middle. Organizations would be irresponsible if they didn’t educate employees effectively about security policies, best practices, and their responsibilities. But as with any layer in a multilayered security strategy, assume education will fail and take other measures to protect your network for the day the next employee does that careless thing.
Employee security education should be:
Frequent: Employees should receive training more often than a single session when they join the company or a refresher once a year.
Relevant: Employees need to be aware of the real-world risks of data theft, malware, and other threats, not just generically but to your particular organization if they don’t follow prudent practices. It’s also helpful to relate company security to the security of employees’ personal devices to keep them interested.
Role-based: Not everyone needs the same type of training. It’s best to have core security training for your entire company and then separate modules targeted to users’ data access and job responsibilities.
Up-to-Date: Education strategies and content should be continually updated to reflect current threats and trends, which change and evolve rapidly.
Interactive: Lectures alone won’t do it. Employees need a forum to ask questions, plus exercises, discussions, games, and competitions, to digest the material adequately.
Multi-faceted: Posters, blog posts, newsletters, screen savers, competitions, attack simulations, and other methods can bring constant reminders to users who may forget to be vigilant without an occasional nudge.
Enforced: Employees must know that there will be consequences for falling for social engineering techniques they have been trained to avoid or engaging in activities that put the company at risk.
Once you assume that education won’t work, you then have to guard your network against the damage that can result from employee carelessness or bad intentions. Common measures include:
- Network segmentation, to ensure attacks cannot spread widely across the network
- Carefully crafted, tested, up-to-date incident response plans delineating clear measures, roles, and responsibilities in case of attack
- Careful role-based control of access to sensitive information, so that only those who both genuinely need access and are authorized to have it can get it
- Isolation and multilayered protection of sensitive data
- Behavior-based threat detection and prevention solutions to address zero-day attacks and advanced persistent threats
- Regular robust security audits and testing of the network perimeter and sensitive servers and databases
- Data loss prevention solutions to help prevent sensitive data from leaving the premises in emails, social media, and other communications
- Threat intelligence services to get early warnings on the latest threats and their origins
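To make the data loss prevention item above concrete, here is a small added example (not code from the original article or any product it mentions) of the kind of check a DLP gateway runs on outbound mail: it looks for payment card numbers and US social security numbers in the message body, validates card candidates with the Luhn checksum so that ordinary long numbers such as invoice IDs do not trigger it, and then blocks the message if the recipient is outside the company domain or merely alerts if it stays internal. The sample messages, the domain corp.example and the policy thresholds are all constructed for the illustration.

```python
import re

# Company mail domain; anything addressed elsewhere counts as leaving the premises (assumption).
INTERNAL_DOMAIN = "corp.example"

# 14 to 19 digits, optionally separated by spaces or dashes, as cards are usually typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# US social security number in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed outbound messages: (sender, recipient, body).
SAMPLE_MESSAGES = [
    ("alice@corp.example", "partner@vendor.example",
     "Quarterly numbers attached, card on file is 4111 1111 1111 1111."),
    ("bob@corp.example", "bob.home@freemail.example",
     "Forwarding the customer list to myself, SSN 123-45-6789 included."),
    ("carol@corp.example", "dave@corp.example",
     "Invoice 1234567890123456 is just an order number, not a card."),
    ("erin@corp.example", "finance@corp.example",
     "Please refund the customer to card 5555 5555 5555 4444."),
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like cards AND pass Luhn; cuts false positives."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_body(text: str) -> list:
    """Collect (kind, value) findings for the sensitive data classes we care about."""
    findings = [("card", c) for c in find_card_numbers(text)]
    findings += [("ssn", s) for s in SSN_RE.findall(text)]
    return findings


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def decide(sender: str, recipient: str, body: str) -> str:
    """Policy: block sensitive data leaving the company, alert on internal sharing, else allow."""
    findings = scan_body(body)
    if not findings:
        return "allow"
    return "block" if is_external(recipient) else "alert"


def evaluate_all(messages=SAMPLE_MESSAGES) -> list:
    """Run the policy over every message and return (sender, recipient, decision) rows."""
    return [(s, r, decide(s, r, b)) for s, r, b in messages]


if __name__ == "__main__":
    for sender, recipient, verdict in evaluate_all():
        print(f"{verdict:5}  {sender} -> {recipient}")
```

Two design points matter in practice. The Luhn check is what keeps the rule usable: without it, every 16-digit order number or tracking ID would be blocked and users would quickly learn to route around the control. And the split between "block" and "alert" reflects the article's point that an internal user sharing a card number with finance is a policy question for a human reviewer, while the same number headed to a personal webmail account should not leave at all.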
This is just the most common subset of measures for protecting your organization’s sensitive information; your own list will vary. What is important is not to depend too heavily on employee education. There’s one in every bunch.