Cybersecurity awareness is no substitute for actual end user training
October thanks to the U.S. Department of Homeland Security (DHS) has been designated Cybersecurity Awareness Month. Essentially, DHS is trying to get both consumers and businesses alike to pay more attention to security using tactics that have their roots in “Loose Lips Sinks Ships” campaigns that harken all the way back to World War II.
It’s easy for cybersecurity professionals to be a little cynical about such efforts. After all, not only are there more breaches than ever, end users seem to be resistant to acknowledging the true scope of the threat much less changing their behavior. A survey of 650 managers published this week by Shred-IT, a provider of services for protecting and disposing of documents, in collaboration with The Ponemon Institute, for example, finds 54% of managers have been targeted by a phishing email or social engineering scam at work, but only 39% of managers contacted their supervisor.
The same study finds over three in four (77%) managers admit they have accidentally sent an email containing sensitive information to the wrong person and (88%) said they have received an email containing sensitive information from someone within or outside of their organization they were not intended to receive.
More maddening still, a survey of 1,028 information security leaders, as well as 615 business decision-makers conducted by Sapio Research and Forrester Consulting on behalf of Code42, a provider of a data loss prevention (DLP) platform, published this week finds even the most senior leaders of an organization are not immune to carelessness. Over three-quarters (78%) of the cybersecurity leaders and 65% of CEOs surveyed admit to clicking on a link they should not have.
That same survey also finds, not surprisingly, that half the data breaches that companies admitted to experiencing in the previous 18 months have been caused by employees.
Given all the headlines security breaches now generate it’s hard to argue that end users are ignorant of the risks they face. Time and again a combination of laziness and fatigue results in end-users doing something that appears benign only to discover, for example, that every file the organization has is now suddenly encrypted by some cybercriminal halfway around the world demanding thousands of dollars for the keys to decrypt those files.
Almost everybody by now knows somebody who has been targeted by this type of attack so perhaps cybersecurity awareness is no longer the primary issue. Rather, the focus now needs to be squarely on training. After all, if end users are not trained to recognize a phishing attack all the awareness about cybersecurity issues in the world is not likely to make much of a difference. Talking about cybersecurity is not nearly going to generate the same result as putting end-users through a phishing simulation drill that makes it simpler for them to identify potential threats.
Of course, there’s always going to be resistance to any kind of training that involves spending time on drills, so may the best thing about cybersecurity awareness month is it could help reduce that resistance. Whatever the ultimate outcome, the one thing that is clear is there is a world of difference between being made aware of a threat and providing the means to combat it.
