Addressing the Human Element of Security: Awareness & Training Programs
Did you ever hear the story about the hyphen that cost 80 million dollars? In the infancy of the United States’ space program, a programming error resulted in a forced abort of a rocket early in its flight to prevent possible injury along its crash path. Or how about the time a pilot miscalculated the required fuel for a flight from Montreal to Edmonton? These are both fatal examples of how human error can have serious consequences.
In our hyper-connected world, our errors can have damaging consequences. Sometimes the harm is minor, such as the “Melissa” macro virus of 1999, in the early days of computer viruses. More recently, however, the damage can have a far greater impact, as in 2017 when the majority of National Health Service (NHS) operations suffered disruptions as a result of the global WannaCry ransomware outbreak. The error in that case was a mishandled classified government tool that was leaked to the public.
The best way to combat human error is through training and awareness. However, most people regard security awareness training as boring, dry or unnecessary. Most people are confident that they could never fall for a scam. Sadly, this is a common refrain among many victims. These misguided mindsets lead one to seriously wonder: what are some of the ways that human error can be mitigated, and who are the people best placed to carry the torch of awareness?
Security practitioners understand the problems
A security practitioner is specially trained to understand the attack vectors that scammers use to gain control of a system. Exploits to systems come in many forms and from all available avenues. Scammers will try each one until they succeed. However, no matter how technical the underlying mechanism, most of the attacks rely on compromising the human.
One of the jobs of a security practitioner is to understand and apply technical controls to combat some of these attack vectors. Along with that understanding, the security practitioner knows what methods they can use to best raise the level of security awareness of an organization.
It all begins with an understanding of risk
The security practitioner has an understanding of risk. Whether the formal framework is authored by the National Institute of Standards and Technology (NIST) or comes from one of the many other available publications, the security practitioner is an essential part of any risk assessment team. Those not trained in risk management may derail an assessment by presenting scenarios that are not only irrelevant to a particular business but also not grounded in reality. A security practitioner’s attendance in risk assessment meetings can mean the difference between a well-conceived plan and a wasted trip down the path of magical thinking.
Proper access control can mean the difference between a successful and a failed exploit
Who has access to the critical systems? Do all people with access have the appropriate level of access? Has access to the systems been removed from those who left the organization? These are all questions that a security practitioner has the ability to answer, and more importantly, the skills to implement. Careful application of access controls can mitigate the damage of a targeted attack.
Proper security awareness training of the staff also elevates the importance of the concept of access control. To this end, a manager will know that it is not only the responsibility of the security team to monitor system access. They will know that everyone has a stake in making sure that the staff have the appropriate level of access to a system.
Sound security operations can minimize an attack surface
Along with the practice of good access control, security operations are an essential element of controlling activity on a network. The problem of “authorization creep”, whereby a person moves from one job function to another, yet retains permissions from their old position, can produce great damage if that person’s account is targeted. Network segmentation, port filtering and mobile device management all form the necessary elements of a defense-in-depth strategy. When staff are trained in security awareness, these protective measures make more sense and are no longer treated as unnecessary inconveniences.
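The access-review questions above (who still holds access after leaving, and who carries permissions over from an old job function) are the kind of check a security practitioner can automate rather than answer from memory. The following is an added example, not code from the original post or from (ISC)²: it reconciles a constructed HR roster against a constructed entitlement export and a set of per-role permission baselines, and flags departed users with live access, accounts nobody on the roster owns, and authorization creep. All names, roles and entitlement strings are invented for illustration.

```python
"""Access-review audit: stale accounts and authorization creep.

Every dataset here is constructed for the example; the roster, the role
baselines and the entitlement export do not come from any real system.
"""
import csv
import io
from dataclasses import dataclass

# Constructed HR roster: one record per person with their *current* role.
@dataclass(frozen=True)
class Person:
    user: str
    status: str   # "active" or "departed"
    role: str

ROSTER = [
    Person("alice", "active", "finance-manager"),
    Person("bob", "active", "developer"),      # bob moved here from the sre team
    Person("carol", "departed", "sre"),        # carol left last month
    Person("dave", "active", "finance-analyst"),
]

# Constructed baseline: the entitlements each role is supposed to have.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "expense-submit"},
    "finance-manager": {"erp-read", "erp-approve", "expense-submit", "expense-approve"},
    "developer": {"git-write", "ci-trigger"},
    "sre": {"git-write", "ci-trigger", "prod-ssh", "prod-db-admin"},
}

# Constructed entitlement export, in the "user,entitlement" CSV shape an
# identity system might produce. svc-legacy appears in no roster at all.
ENTITLEMENT_EXPORT = """user,entitlement
alice,erp-read
alice,erp-approve
alice,expense-submit
alice,expense-approve
bob,git-write
bob,ci-trigger
bob,prod-ssh
bob,prod-db-admin
carol,git-write
carol,prod-ssh
dave,erp-read
dave,expense-submit
svc-legacy,prod-db-admin
"""

def parse_entitlements(export_text):
    """Turn the CSV export into {user: set(entitlements)}."""
    grants = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        grants.setdefault(row["user"].strip(), set()).add(row["entitlement"].strip())
    return grants

def departed_with_access(roster, grants):
    """Departed people whose accounts still hold at least one entitlement."""
    departed = {p.user for p in roster if p.status == "departed"}
    return sorted(u for u in departed if grants.get(u))

def orphan_accounts(roster, grants):
    """Accounts in the export that no one on the roster owns."""
    known = {p.user for p in roster}
    return sorted(u for u in grants if u not in known)

def authorization_creep(roster, baseline, grants):
    """Active users holding entitlements beyond their current role's baseline."""
    findings = {}
    for p in roster:
        if p.status != "active":
            continue
        extra = grants.get(p.user, set()) - baseline.get(p.role, set())
        if extra:
            findings[p.user] = sorted(extra)
    return findings

def access_review(roster=ROSTER, baseline=ROLE_BASELINE, export_text=ENTITLEMENT_EXPORT):
    """Run all three checks and return them as one report dict."""
    grants = parse_entitlements(export_text)
    return {
        "departed_with_access": departed_with_access(roster, grants),
        "orphan_accounts": orphan_accounts(roster, grants),
        "authorization_creep": authorization_creep(roster, baseline, grants),
    }

if __name__ == "__main__":
    for check, result in access_review().items():
        print(f"{check}: {result}")
```

In a real environment the roster would come from the HR system of record and the export from the directory or IAM platform; the point of the reconciliation is that each finding maps directly to a remediation (disable the account, assign an owner, or strip the leftover permissions), which is what turns the abstract idea of access control into something staff can see acted upon.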
The correct security awareness training for an organization
Security awareness can often be met with groans and resistance from the staff. Just as risk assessment must be tailored to a particular business, the choice of a specific kind of security awareness program can mean the difference between a successful training campaign and a failed one. There are multiple professional security awareness training offerings available to an organization. Some offer traditional quiz-style engines as well as phishing simulations. More recent innovations include creative approaches, such as security “escape room” exercises. A security practitioner is uniquely equipped to assess these offerings and decide which works best for an organization. Sometimes, a mixture of home-grown creativity coupled with a professionally curated presentation is the correct formula.
Attitude and engagement matter
In a crisis, it is most important to meet a client at their level of understanding and especially with compassion. A trained security practitioner has the skills that translate to confidence in a crisis. When an event occurs, it is the security practitioner who can explain what happened and assist in taking steps to remediate the problem to bring the business back to normal operations. A seasoned security practitioner understands that the staff are at risk and are not the risk.
The human element is the key
When we think of asset protection, it is most important to think of the most valuable asset to any business: the human element. Protecting the staff is the paramount concern of any successful organization. Protecting the staff goes beyond physical locks and doors. Education is a component of the overall security posture of an organization. When staff are trained in security awareness, the benefits do not stay within the walls of the organization. Most people will remember what they have learned and will carry that into their personal lives. This reflective response increases the training value to the organization. A security practitioner who acts as the corporate security evangelist enhances the value of the training programs.
To learn more about how to be the corporate security evangelist in your company, read our white paper, How You Can Become a Cybersecurity Hero.
How SSCP Certification helps
There is no better way to showcase your technical skills and security knowledge than achieving the Systems Security Certified Practitioner (SSCP) certification. Whether you are an experienced security professional or just starting out in the fascinating world of cybersecurity, the (ISC)² SSCP certification is the ideal way to enhance your ability to implement, monitor and administer security procedures and controls that ensure the confidentiality, integrity and availability of any organization.