Can you protect the data and digital information systems that are the lifeblood of your enterprise without providing the people who use these systems with relevant security training?
This question has been thrown into sharp focus by findings from two separate surveys commissioned this year by ESET. In the first survey, conducted by Harris Interactive in February, we asked employed U.S. adults if they had ever received computer security training of any kind from their employer. Only 32 percent said they had.
In a second study, carried out in August, we had a different survey company ask a different group of people if they had ever taken any classes or training related to protecting their computer and/or personal information. For 68 percent of respondents, the answer was never.
While data security might sound like a technical challenge, there is also a large and important human factor involved. This human factor is particularly important when an organization becomes a target of attack for cyber criminals. The natural focus of investigations into such attacks is the technology they use and abuse, but the actions of users and operators of the systems being attacked are often critical to the success or failure of such attacks.
Consider the finding in Verizon's “2012 Data Breach Investigations Report” that 37 percent of breaches, measured by records breached, were exposed through “social” tactics, more than half of which were classified as classic “social engineering” (other social factors included solicitation/bribery, phishing, and elicitation). The report's authors observed that, “The centuries-old tradecraft of exploiting people in order to further criminal aims is alive and well in the information security field.” Noting the higher percentage of social attacks on bigger companies, the report described social engineering as:
“a strategy designed to circumvent the typically more mature security measures in place at larger organizations. Why spend time searching for a way to exploit the specific technologies and weakness of a single company when every company contains people with the same basic vulnerabilities?”
Surveys are not foolproof, but when two independent studies produce almost identical results, they should be taken seriously. And these results have serious implications indeed, the most immediate being that we must do better. We must teach more people how to defend their digital devices and the personal information they store and access. We need to create a more security-savvy workforce who can help, rather than hinder, the goal of protecting vital business processes, critical digital infrastructure, and valuable intellectual property.
ESET is committed to playing a leading role in increasing the percentage of people who receive security awareness training, making them the majority, not the minority. That's why many ESET products now include basic security training. It is also why ESET is a keen supporter of Securing Our eCity, which is setting the standard for community-wide security awareness.
Sadly, the results of our research are not news to criminals and other bad actors who are intent on abusing information technology for their own ends. They already know that employees are often the weakest link in an organization's information security.
That's why we are seeing more social engineering attacks that trick victims at high-value targets into opening backdoors into systems that have strong technical defenses, like firewalls and two-factor authentication. As long as high-tech security measures can be beaten by low-tech attacks that exploit our human weaknesses — such as inadequate knowledge and understanding — our data and systems will remain at risk of serious compromise.