Model behavior: User education in the workplace
Model behavior: User education in the workplace

Informing employees about best practices is still crucial to an enterprise security plan, reports Alan Earls.

Security company Mandiant recently outed the sophisticated hackers it identified as affiliated with the Chinese government, blaming them for the theft of hundreds of terabytes of information from more than 140 organizations over a period of years. Many of these so-called advanced persistent threats (APTs) are based on software that has quietly found a home within unsuspecting enterprises. Fundamentally, such APTs represent a technical quandary. However, training corporate insiders to be more resistant to security threats is also a continuing challenge for organizations of all sizes. 

According to security pros, organizations are and should be concerned about the way APTs and less sophisticated attacks often leverage human vulnerability – particularly a staff's susceptibility to phishing attacks and the gullibility that leads individuals to open malware files or visit malicious sites. And, while an imperfect solution – some, like security veteran Bruce Schneier, argue resources are better spent elsewhere, such as building more secure systems – many still believe there is still no substitute for continued education of end-users to instill awareness and, therefore, make them more resistant to threats.

Insiders have more access to vital assets than an outsider trying to break in, says Sam Erdheim, senior security strategist at AlgoSec, a Boston-based company focused on network security policy management. Education is important, he says, because it can greatly reduce risks related to social engineering, an age-old tactic employed to manipulate people into divulging proprietary information. Erdheim recalls a recent incident when his aunt received an email that purported to be from him. “However, she was able to recognize that something was wrong and actually contacted me to tell me my account had been hacked,” he says.

Beyond social engineering, there are other serious risks involving employees, such as the loss of storage and mobile devices. “Employees who aren't alert to the danger might find a ‘lost' memory device and decide to use it, not realizing that it could contain malware,” Erdheim says.

Although education is important, one-off reminders or burying policies and training in an HR manual isn't very useful, he says. Instead, training needs to be continually enforced. For example, he says, companies have used posters, quizzes and games to get people's attention and convey learning. “No one likes to be lectured to, so it needs to be a little more exciting,” Erdheim says. “Doing it in a way that will grab people's attention helps, as does having a security team that is a little more proactive – putting out alerts about known and emerging threats, for example.”

Erdheim says there is no magic number for how often to conduct training activities – it depends on the organization and its culture. “I think at least once a quarter would be a minimum, and maybe doing it in different ways so each time you communicate, it is fresh, and not just the same old lecture,” he says.

Furthermore, he says, there should be some component that addresses potential malicious activities by insiders, too. Highlighting HR agreements and potential enforcement actions is key. Management also needs to ensure that employees who separate from the company immediately forfeit their credentials and confidential material.

Some experts are consistently amazed at how much organizations are willing to spend on hardening their networks, while spending so little on “the most critical component, the user,” says David Amsler, president and CIO at Foreground Security, a security services, training and solutions company based in Lake Mary, Fla.

“For most companies, security awareness is a check box that is covered by an annual exposure to a PowerPoint presentation,” he says. But, in fact, most users are hungry for more information – especially since they often face many of the same vulnerabilities on their home computers or personal devices. He recommends providing periodic, 30-minute training sessions and also implementing metrics to evaluate how successful the training is. Assessments can be in the form of a game that simulates social engineering attacks and hones user sensitivities to potential threats. “If you repeat those tests over several months, you can get a sense of whether users are actually learning,” Amsler says.