Mistakes made by non-technical personnel can have a severe effect on organizational networks. Hackers frequently target them and more advanced attacks often begin with social engineering. Ignoring that weak link leaves a giant gap in an organization's defenses.
Among the risks that can be mitigated with proper training are the failure to patch, clicking on sketchy sites, using public Wi-Fi, opening phishing email attachments and falling for other social engineering tricks, like baiting and pretexting.
Nothing will stop every single attack. Someone will eventually fall victim to an especially well-crafted spear phishing email or a watering hole attack. But there's a big difference between “once in a while” and a recurring problem. If the goal is to protect the network, an ill-informed workforce makes for a substantial attack surface.
"...an ill-informed workforce makes for a substantial attack surface.”
It's not that people don't care about protecting themselves. It's that they don't know how. Effectively communicating the nature of various threats, as well as what to do about them, is essential to mitigating the risk. Whether it's awareness training, preparing for or responding to a security incident, or simply day-to-day communication, getting your message across clearly can only help.
Many non-tech-savvy people perceive security as dull, scary and pretty much incomprehensible. As a result, security professionals can find themselves fighting unnecessary uphill battles to get non-technical executives, employees, customers and potential customers on board with even simple security measures before there's an emergency.
The IT security field is becoming increasingly specialized (and effectively siloed) into narrower realms, like pentesting, mobile app security and zero-day research. As a result, it becomes more and more difficult for non-tech people to understand what's going on without context.
It's essential to know your audience. Keep in mind that many of them don't know what a byte is. They have no idea that memory and storage aren't the same thing. And if the word “honeypot” makes them think of anything, it probably involves Winnie-the-Pooh.
Security can be pretty intimidating to people who aren't familiar with the underlying terminology. Imagine a doctor who keeps talking to you in detailed medical jargon and gets frustrated when you don't understand it. It's uncomfortable for you and you won't learn much that way.
So, what do you do? Simple: tailor your message to their knowledge base. Two ways to accomplish this are analogies to familiar non-technical concepts and relevant pop culture references.
One analogy I like to use is comparing overwriting to a footprint in mud. If a car drives over the footprint, that data is effectively overwritten by the tire tread. Another is explaining the difference between whitelisting and blacklisting as akin to the difference between an invite-only party and a club with a bouncer who throws people out once they've done something wrong.
A pop culture reference can be something like Q's curious decision to plug the villain's laptop into MI-6's network in the recent James Bond film Skyfall as an example of baiting (let's not get started on the plausibility of the subsequent hacking itself). And, the warehouse scene in Beverly Hills Cop is a perfect example of pretexting in action.
Essential IT security concepts really shouldn't be difficult to understand. If you use the listener's own knowledge to help, these ideas won't be difficult for them to absorb.
Scott Aurnou is an attorney, cybersecurity consultant and VP at SOHO Solutions.