Fortinet on Tuesday announced the availability of its Security Awareness and Training service, designed to help companies strengthen their security posture by advancing the cybersecurity skills and knowledge of their employees.
A Fortinet survey recently found that 73% of organizations had at least one intrusion or breach that can be partially attributed to a gap in cybersecurity skills.
The company’s new service has been designed by the Fortinet Training Institute to align with NIST 800-50 and 800-16 guidelines on information security, data privacy, physical security, password protection, and internet security.
“At Fortinet we believe that all organizations should deploy awareness programs for all employees or users to truly protect their most important digital assets and as part of their security strategy,” said David Lorti, Fortinet’s director of product marketing, in a blog post. “These programs must be designed in a programmatic way to prove effective in changing employee behavior whereby employees are more cyber aware and able to spot malicious threats and other risks for their organization.”
Employees often break security policies and controls not because they are attempting to be malicious, but because they are trying to get their job done efficiently, said Sounil Yu, chief information security officer at JupiterOne. Yu said companies want their employees to be ingenious and creative, so it’s no surprise that employees find ways to evade security controls.
“It’s imperative that employees share those evasion methods with the security team, not so that the security team blocks those methods outright, but so that the security team can work to find or build safer, paved paths that let employees be even more productive,” Yu said. “Most security awareness training assumes that everyone operates at the same skill level. This wouldn't be acceptable for most other disciplines; however, this seems to have become the standard for security training.”
Hank Schless, senior manager, security solutions at Lookout, added that the industry needs to modernize security training to help employees understand the risks in today’s cloud-first world. Schless said that while it’s incredibly convenient and boosts productivity to access data from any device or location, it also introduces an increased risk of data loss.
“Employees are constantly sharing data, and might not even know when they do so in a way that violates internal or external data compliance standards,” Schless said. “Making employees aware of what qualifies as sensitive data, what the risks are of accessing that data from personal devices, and the tactics that attackers use to get their hands on it is a critical first handful of steps to take.”
Joseph Carson, chief security scientist and Advisory CISO at Delinea, said companies must make proper password hygiene a part of all security awareness training. Carson said the average employee still isn’t properly trained in cyber hygiene and best practices.
“This makes them an easy target for a phishing attack,” Carson said. “Ensuring that employees at all levels of the organization are given acceptable security training about how to identify malware-laced emails, and other basic attempts at credential theft, can be a significant step in helping to reduce the success rate of an attack, or at least raise an alert. By normalizing security training within the culture of the workplace, organizations can help maintain vigilance for these practices in the long term.”