Security awareness training: preventing the threat from within

Insider threats are the primary cause of information security breaches in a business, even when the staff member involved had no malicious intent. Effective Security Awareness Training is vital if an organisation is to have any chance of protecting itself, because staff need to be educated on the risks behind their actions.

What is the threat?

Although hacking and malware remain a constant problem, social engineering is now also becoming a major threat to business security. Social engineering is psychological manipulation, and the techniques used often exploit ‘bugs’ in human decision making to create a ‘back-door’ entry into a business via its employees.
Social engineering techniques include:
  • Phishing – sending bogus messages, usually emails, to obtain sensitive company information from employees by posing as legitimate organisations or entities. Australia now has the dubious honour of being the world’s most targeted country for phishing attacks.
  • Pretexting – an elaborate lie which contains an element of truth to make the target believe the whole story is legitimate (e.g. using an illegally obtained piece of information such as a date of birth). Pretexters often impersonate police, insurance investigators, or anyone the target might perceive as having authority or a ‘right to know’.
  • Vishing – the telephone version of phishing, where an attacker impersonates someone in authority, requesting verification of sensitive information, often citing a security breach as the reason.
  • Quid pro quo – where an attacker calls random numbers within a business, claiming to be calling back from IT or technical support. If the business has a number of departments, the attacker will usually soon find someone who has reported a network problem. They then ‘help’ the person rectify their problem and obtain passwords and other sensitive information in the process.

What is Security Awareness Training?

Security Awareness Training is now seen as essential to counter insider threats, not only the threats posed by social engineering, but also simple ignorance of policies and procedures which could then lead to security breaches.

In many industries where customers’ personal and financial information is collected and stored, Security Awareness Training is often mandatory, forming part of an organisation’s risk management strategy and compliance requirements.

Even if an organisation is not required by law to do so, it is in their own best interests to implement such training. Research has shown that the majority of security breaches are caused internally, and only around half of employees are actually aware of their organisation’s security policies and procedures.

Security Awareness Training is training conducted either internally or by an outside company to educate employees on the security threats their organisation faces, and how to recognise and deal with such threats when they arise.

What good Security Awareness Training should involve

The type and scale of Security Awareness Training you undertake will depend on a number of different factors including:
  • The number of employees you have
  • Their existing skill levels and security knowledge
  • The nature and sensitivity of the data you handle
  • Your current policies regarding computer use (e.g. degree of personal use, use of BYOD, etc.)
  • The legal or industry requirements that apply to your organisation
  • The skill levels and workloads of your IT personnel
  • The budget you have for such training.

One of the first things to consider is whether your training will be delivered in-house or by a specialist organisation from outside, and there are several good reasons why the latter method is preferable.

While an internal team such as your IT department might be more trusted than someone from outside, they may not have the skill levels to effectively deliver such training. And while in-house training might seem more economical, you would also need to factor in the time spent by staff in preparing such training, compared with a one-off fee to an outside provider.

There is also the quality of the training to consider. Effective Security Awareness Training should involve the following:
  • Education on key cyber security terms
  • Practical examples of the most common threats
  • Role playing to learn methods of dealing with such threats
  • Familiarisation with company policies and procedures
  • Awareness of personal responsibility and the potential repercussions of security breaches
  • Demonstrations of how to apply safe security practices to daily work
  • Updates and reinforcement of training through regular sessions.

Security Awareness Training can’t eliminate human vulnerabilities, and there will always be an element of risk to an organisation from its employees. However, effective training delivered by specialists and reinforced on a regular basis can go a long way towards reducing the threat from within.