BreachExchange mailing list archives

Security Education: Breaking Down the Obstacles


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Aug 2014 19:54:14 -0600

http://www.cutimes.com/2014/08/04/security-education-breaking-down-the-obstacles

Ask a roomful of IT managers and chief information security officers at
credit unions if the users are their biggest information security risk and
almost every arm in the room will go up.

Ask how many have implemented a training program to deal with information
security at their credit union, however, and the number of hands raised
will likely dwindle. Then ask how many have training programs in place
where they can benchmark their results. Unfortunately, the number of hands
raised usually plummets.

So, if they agree that their users are one of their biggest information
security risks, why aren't CISOs and IT managers doing more about security
training?

Before answering that question, let's take a look at why they should care.
Phishing, targeted email attacks designed to steal personal and corporate
data as well as financial account credentials, is on the rise. According to
the latest numbers from the Anti-Phishing Working Group, there were 125,215
attacks recorded worldwide in the first quarter of 2014.

The biggest target: unsuspecting non-management employees who inadvertently
click on links within emails, launching the attack that lets cybercriminals
harvest user names and passwords, financial account information, Social
Security numbers and more. It's big business: EMC pegs global losses from
phishing attacks at over $5.9 billion in 2013 alone.

But the hard reality of it is that, despite the risks to sensitive data,
there are obstacles—real or perceived—that prevent credit unions from
successfully creating programs that train employees to recognize and avoid
attacks.

Let's look at some of the most common obstacles to companies implementing
security training programs, and discuss the best ways for security and IT
personnel to overcome them.

- Cost. After seeing the $5.9 billion price tag associated with phishing
attacks and understanding how malware attacks can damage business, the
majority of companies should be looking for ways to find the budget
immediately. Training programs do not need to be expensive— they just need
to be effective.
- Red tape. At some credit unions, an employee training program involves
only IT, but at others it might involve several departments. Overcoming the
red tape can be difficult; however, it's not insurmountable with proper
planning.
- No time to implement. Time is tight for IT and security departments.
Alongside their day-to-day activities, IT teams are tasked not only with
preventing attacks but also with handling them if they do occur. Many can't
imagine taking on another task; however, there are many options for
outsourcing management and implementation of a security education program
to minimize the internal time spent on it.
- No time to repeat. Training works best when it is reinforced and updated
based on new threats. Making time to train and reinforce proper behavior
can help prevent more significant drains on your time down the road.
- No way to measure. It's often difficult to measure a behavior that you're
trying to eliminate. However, if you establish a baseline before training
begins and analyze results after each session, you can determine how
successful each session was and which messages are sinking in.
- Concerns about privacy. It's the job of human resources and legal
departments to worry about the privacy and legal implications of training
programs. Collaborating with stakeholders to understand their concerns and
refine your plan before starting the program will help you avoid fire
drills mid-program.
- No management buy-in. This is perhaps the most difficult—and the
easiest—problem to solve. It’s difficult because winning management
approval on any expenditure can be a challenge; however, it’s easiest
because the facts support your case: training employees actually helps
thwart attacks that can impact your company.
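The "no way to measure" obstacle is the one a practitioner can attack directly: run a simulated-phishing campaign before training to set the baseline, repeat it after each session, and compare click and report rates. The script below is an added example written for this page; it is not from the article, CU Times or Risk Based Security, and the campaign names, addresses and event counts are constructed to look like an export from a phishing-simulation tool. It aggregates per-campaign click, report and credential-submission rates (counting each user once, so a repeat clicker does not inflate the numbers) and then runs a two-proportion z-test, so that a small branch pilot that happens to look better is not mistaken for a real improvement.

```python
"""Benchmark a phishing-simulation programme: per-campaign click/report rates plus
a two-proportion z-test to separate real improvement from sample noise.

Added example. All campaign data below is constructed, not real results.
"""
import math
from collections import defaultdict


def build_events(campaign, n_sent, n_clicked, n_reported, n_submitted):
    """Constructed stand-in for a simulation tool's event export.

    Emits (campaign, user, action) rows: one 'sent' per recipient, 'clicked' and
    'submitted' for the first users, 'reported' for the last ones. Real exports
    would be read from CSV instead; this helper only fabricates sample input.
    """
    rows = []
    for i in range(n_sent):
        user = f"user{i:03d}@example.invalid"  # constructed address
        rows.append((campaign, user, "sent"))
        if i < n_clicked:
            rows.append((campaign, user, "clicked"))
        if i < n_submitted:
            rows.append((campaign, user, "submitted"))
        if i >= n_sent - n_reported:
            rows.append((campaign, user, "reported"))
    return rows


# Constructed sample: a baseline, a post-training rerun, and a small branch pilot.
SAMPLE_EVENTS = (
    build_events("2014Q1-baseline", n_sent=200, n_clicked=52, n_reported=15, n_submitted=20)
    + build_events("2014Q2-post-training", n_sent=200, n_clicked=24, n_reported=60, n_submitted=6)
    + build_events("branch-pilot", n_sent=25, n_clicked=6, n_reported=3, n_submitted=2)
)


def campaign_metrics(events):
    """Per-campaign counts keyed by distinct user, so a double click counts once."""
    per = defaultdict(lambda: defaultdict(set))
    for campaign, user, action in events:
        per[campaign][action].add(user)
    out = {}
    for campaign, acts in per.items():
        n = len(acts["sent"])
        if n == 0:
            continue  # nothing delivered, nothing to benchmark
        out[campaign] = {
            "recipients": n,
            "clicked": len(acts["clicked"]),
            "reported": len(acts["reported"]),
            "submitted": len(acts["submitted"]),
            "click_rate": len(acts["clicked"]) / n,
            "report_rate": len(acts["reported"]) / n,
            "submit_rate": len(acts["submitted"]) / n,
        }
    return out


def two_proportion_ztest(x1, n1, x2, n2):
    """Two-sided test of p1 != p2 using the pooled standard error; returns (z, p)."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided normal tail
    return z, p_value


def compare(metrics, baseline, follow_up, key="clicked", alpha=0.05):
    """Did the rate of `key` change between two campaigns beyond what chance explains?"""
    b, f = metrics[baseline], metrics[follow_up]
    z, p_value = two_proportion_ztest(b[key], b["recipients"], f[key], f["recipients"])
    return {
        "baseline_rate": b[key] / b["recipients"],
        "follow_up_rate": f[key] / f["recipients"],
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
    }


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for name, row in m.items():
        print(f"{name:22s} n={row['recipients']:4d} click={row['click_rate']:.1%} "
              f"report={row['report_rate']:.1%} submit={row['submit_rate']:.1%}")
    for key in ("clicked", "reported"):
        r = compare(m, "2014Q1-baseline", "2014Q2-post-training", key)
        print(f"{key:9s} {r['baseline_rate']:.1%} -> {r['follow_up_rate']:.1%} "
              f"z={r['z']:+.2f} p={r['p_value']:.4f} significant={r['significant']}")
    r = compare(m, "2014Q1-baseline", "branch-pilot", "clicked")
    print(f"pilot     {r['baseline_rate']:.1%} -> {r['follow_up_rate']:.1%} "
          f"z={r['z']:+.2f} p={r['p_value']:.4f} significant={r['significant']}")
```

Report rate deserves as much attention as click rate: the article's point that employees who identify and report attacks become another line of defense only shows up in the numbers if reports are tracked, and in the constructed data the report rate rises from 7.5% to 30% while the click rate falls from 26% to 12%. The pilot comparison illustrates the caveat: 6 clicks out of 25 looks like a slight improvement on the baseline, but the test cannot distinguish it from noise, so a benchmark built on a handful of users proves nothing either way.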

All of these obstacles point clearly to the need for a plan to win the
approval of necessary departments and management. And, more importantly,
all of these obstacles can be overcome.

It's important to remember that credit union employees who can identify,
report and avoid attacks create another line of defense for your company,
working with you to keep data secure. Needless to say, providing training
that allows them to spot and avoid dangerous situations should be a
priority.

As with any plan, upfront communication is key. Clearly articulating the
problem in terms that hit home with business decision-makers, setting clear
goals and mapping how the business can benefit from cyber-smart employees
will put you on the right course toward winning approval for your security
education plan.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 