Rethinking your approach to security training

Sep 09, 2015


IT, security



A quick glance at the headlines makes it perfectly clear why IT security training is necessary for everyone. Even though it is the very large events—from Target to the government’s Office of Personnel Management and IRS—that are featured on the nightly news, every company at some time will have to deal with a data breach.

The inside threat

A Ponemon Institute study found that nearly half of all companies (43 percent) experienced a data breach in 2014, and that number only promises to rise. Insiders—company employees, consultants, or anyone with access to the network and data—are a major reason behind all of the breaches. As a Security Intelligence article stated, “According to the ‘IBM 2015 Cyber Security Intelligence Index,’ over half of data breaches are caused by insiders, including employees, third-party contractors and partners—basically anyone who can access your organizational assets. Insider threats are a clear and present danger in today’s open enterprise.”

It’s easy to see why insiders are responsible for so many breaches. According to an Information Age article, “The SANS Institute reports that a whopping 95% of all attacks on enterprise networks gained entry through a spear phishing attack. A spear phishing attack is an email targeted at specific individuals that is engineered to look legitimate and fool even tech-savvy users.”

The way that employees can best learn how to recognize spear phishing campaigns, as well as avoid other security traps like clicking on bad links or using easy-to-guess passwords for every authentication point, is through security training. However, security training has its downside.

The PowerPoint problem

At a time when the bad guys are developing attacks specifically designed to target a particular company and/or individual, security training tends to be a one-size-fits-all endeavor. The same techniques that are used for a business that handles sensitive government data are often also used to train the employees at the mom-and-pop advertising company in a small town.

“The most common method of security training today is an outdated PowerPoint deck with high-level information about security,” explained cybersecurity expert Max Aulakh. “This is efficient in getting all people in the company compliant with training requirements; however, this approach rarely provides any true benefit to the organizations. It doesn’t provide any mechanism for knowing if there has been any long-term knowledge retention.”

It also doesn’t reveal if the security training is doing any good. Employees themselves have different levels of computer expertise, and those who aren’t as proficient are more likely to unintentionally cause a cybersecurity breakdown.

The millennial problem

And then there is the problem of those who were raised with the Internet, the millennials who were playing online games as toddlers and shrug off concerns about digital privacy.

In a CIO Insight article, millennials are referred to as digital natives; security training for this group of adults is often an afterthought. Many think they already know everything they need to know about security and don’t take it seriously enough.

At the other end of the spectrum are what the article calls digital immigrants, those who adopted technology at an older age and in different environments. These are the users who tend to be more aware of security issues and more concerned about privacy.

These digital natives and digital immigrants also learn differently. Older employees may be more methodical and visual, while younger employees want to be hands-on and conduct training in smaller intervals. If the training doesn’t fit their style of learning, is it actually doing any good?

How to get the best results

Individual industries and careers have their own security concerns to consider. For example, a software engineer needs to know exactly how to prevent a SQL injection that could leak healthcare data, rather than merely knowing that healthcare data is considered sensitive under HIPAA regulations, Aulakh pointed out. The knowledge and training provided needs to be actionable by the user. “The training should be relevant, social and interactive in a sense that knowledge nuggets can be shared and they are relevant to the audience,” he said.

That’s why a hybrid approach is needed, one that combines automated and manual training sessions. “Human resources should have a generic training and then when an individual is working within their respective job, there needs to be job specific security training,” Aulakh said. “Job specific security training is difficult to automate due to the changing nature of information security. So the focus should be consistent informal training such as coaching, as well as formal training.”

The best results in security training are seen when IT leaders and security professionals understand that the one-size-fits-all method isn’t working anymore and incorporate a more individualized education program: one that addresses what employees actually know versus what they think they know, fits their learning styles, and covers the information most necessary for their particular job duties.

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.