Security and Awareness Training
Security and Awareness Training: Programs for Success
Justin Feikls
4/25/2023
This paper answers several important questions. What is the importance of a well-vetted and extensive security and awareness training program? What is the number one infection vector for security-related events and incidents? How would security education and awareness reduce this risk? If the author were in charge, what would be included in a security and awareness program? What would success look like? These questions are addressed in turn below.
The first question is: what is the importance of a well-vetted and extensive security and awareness training program? Such a program has many benefits. The first step in assessing cybersecurity risk is to identify all assets (Knowles, 2023), and the greatest asset of any organization is the people who make it up, which is one reason a well-vetted and extensive training program matters. Cybersecurity training programs are also counted among the best practices for risk mitigation (Knowles, 2023). Finally, training gives people the knowledge they need to do their jobs securely. Weak passwords, phishing emails, and workstations left logged in while unattended all increase the risk to an organization, and each of these is an everyday action by an ordinary user rather than a failure of technology. Security training programs help mitigate the risks these actions create.
The second question is: what is the number one infection vector for security-related events and incidents? The answer varies with the source cited. Some security reports have stated that phishing is the most common attack vector (Pham, 2018), while more recent sources rank the top three attack vectors as compromised credentials, weak credentials, and insider threats, respectively (Tunggal, 2023). It is worth defining these terms before continuing.
The National Institute of Standards and Technology (NIST) defines phishing as a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person (National Institute of Standards and Technology, n.d.). Credentials most commonly refer to the usernames and passwords that attackers can use to gain access to a system or network (Tunggal, 2023). CISA defines an insider threat as the potential for an insider to use their authorized access or understanding of an organization to harm that organization (CISA, n.d.). With these terms defined, the importance of a well-vetted and extensive security awareness training program becomes clear: phishing, weak credentials, and insider threats all involve human behavior, so all three are risks that security and awareness training can reduce.
The third question is: how would security education and awareness reduce this risk? It can do so in many ways. Each of the risks defined above results from choices made by people, not from a defect in an engineered product, so technical controls alone cannot remove them; the people involved have to be trained as well. An example of a training-based solution for each of the three risks follows.
Phishing is a large threat to organizations, and there are many solutions. Many organizations now apply controls such as a banner at the top of external emails notifying the recipient that the message came from outside the organization. This can be effective in deterring phishing, but only with proper training: employees need to know that external emails can pose a threat. For example, suppose an email claiming to be from a coworker asks for sensitive information, and the banner shows that it came from an external source. The user should proceed with caution, because a coworker should not be emailing from an external account, and the message may be a phishing attempt. The important point is that people need to be trained in what to look for in phishing emails. Some organizations send fake phishing emails to try to entice employees to click a malicious link; if an employee recognizes the suspicious email and reports it, they receive a message stating, “Congratulations! You detected a simulated phishing email!” Campaigns like this can be part of security awareness training and improve security overall.
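As an added example (not code from the paper or from any product it mentions), the following shows how the external-sender banner and the "coworker writing from an outside account" indicator described above can be derived from a message's From header alone. The organization domain, the staff directory, and the sample headers are constructed for the example.

```python
"""Added example (not part of the original paper): deriving an external-sender
banner and a coworker-impersonation flag from a message's From header.
The organization domain and the staff directory below are constructed for
the example."""
from email.utils import parseaddr

# Assumed: the organization's own mail domains. Mail from these domains (or
# their subdomains) is internal; everything else receives the external banner.
INTERNAL_DOMAINS = ("example.com",)

# Constructed staff directory: display name -> the employee's internal address.
STAFF_DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",
    "Sam Lee": "sam.lee@example.com",
}
_STAFF_BY_NAME = {name.casefold(): addr for name, addr in STAFF_DIRECTORY.items()}

EXTERNAL_BANNER = "CAUTION: This email originated from outside the organization."


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def is_internal(domain: str) -> bool:
    """True for one of our domains or a subdomain of one; '' is never internal."""
    return bool(domain) and any(
        domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS
    )


def classify_from(from_header: str) -> dict:
    """Classify a message from its From header alone.

    external: the address domain is not ours, so the banner applies.
    possible_coworker_impersonation: the message is external but the display
    name is either a known employee's name or itself looks like an internal
    address (the 'coworker writing from an outside account' pattern).
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    external = not is_internal(domain_of(addr))

    impersonation = False
    if external:
        expected = _STAFF_BY_NAME.get(name.strip().casefold())
        name_matches_staff = expected is not None and addr != expected
        # Display name that itself looks like an internal address, e.g.
        # "jane.doe@example.com" <attacker@evil.test>
        name_looks_internal = is_internal(domain_of(name))
        impersonation = name_matches_staff or name_looks_internal

    return {
        "address": addr,
        "external": external,
        "banner": EXTERNAL_BANNER if external else "",
        "possible_coworker_impersonation": impersonation,
    }


if __name__ == "__main__":
    # Constructed sample headers: genuine internal mail, an ordinary vendor,
    # a free-mail account using an employee's name, and an address-in-the-name trick.
    for hdr in (
        "Jane Doe <jane.doe@example.com>",
        "Vendor Billing <billing@vendor-invoices.net>",
        "Jane Doe <jane.doe.example@freemail.test>",
        '"jane.doe@example.com" <attacker@evil.test>',
    ):
        print(f"{hdr:50} -> {classify_from(hdr)}")
```

The banner itself is only a prompt; the second flag is what turns it into the lesson the training delivers, because it names the specific thing the reader should notice: a familiar name attached to an unfamiliar address.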
Weak credentials are another infection vector for security-related events and incidents, and there are many scenarios in which they pose a risk. For example, a user might choose a simple phrase with no numbers or special characters as a password. It is easy to see why: a simpler password is easier to remember, and people tend to take the easiest path, especially if they do not understand the risk. Security education and awareness can reduce this risk by teaching users the importance of strong credentials. Training could show how quickly passwords can be cracked using material such as Hive Systems' 2023 chart of brute-force times. That chart shows a password of 11 digits can be cracked instantly and a password of eight upper- and lower-case letters in 28 seconds (Neskey, 2023). Those figures model an attacker who has obtained the password hashes and is guessing offline on GPU hardware, which is the situation after a breach; a login page that limits attempts is far slower, but the underlying weakness is the same. Security training should also cover the risk of leaving passwords on sticky notes on a monitor, which defeats the purpose of a password if anyone in the office can read the note and log in.
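As an added worked example (not from the paper or from Hive Systems), here is the arithmetic such a chart rests on: the keyspace is the alphabet size raised to the password length, and the worst-case crack time is that keyspace divided by the attacker's guess rate. The guess rate used is an assumption chosen to reproduce the two figures quoted above; the extra policies in the comparison are there for contrast and are not taken from the chart.

```python
"""Added example (not part of the original paper): the arithmetic behind a
brute-force time chart such as Hive Systems'. The guess rate is an assumption
picked so that the output matches the two chart figures quoted in the text;
it is not taken from the chart's own methodology notes."""
import math
import string

# Character classes a password policy is usually described in. The keyspace
# for a policy is (sum of the class sizes) ** length.
CHARSETS = {
    "digits": len(string.digits),            # 10
    "lower": len(string.ascii_lowercase),    # 26
    "upper": len(string.ascii_uppercase),    # 26
    "symbols": len(string.punctuation),      # 32
}

# Assumed: offline guesses per second against stolen hashes on GPU hardware.
# 2e12/s gives "instantly" for 11 digits and about 27 s for 8 mixed-case
# letters, in line with the chart values cited in the text.
ASSUMED_GUESSES_PER_SECOND = 2.0e12


def keyspace(length: int, classes) -> int:
    """Number of distinct passwords of this length drawn from these classes."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return alphabet ** length


def entropy_bits(length: int, classes) -> float:
    """log2 of the keyspace: each extra bit doubles the attacker's work."""
    return math.log2(keyspace(length, classes))


def seconds_to_exhaust(length: int, classes,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; on average a guess lands at half."""
    return keyspace(length, classes) / rate


def human_time(seconds: float) -> str:
    """Render a duration the way a training slide would."""
    if seconds < 1:
        return "instantly"
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


def compare_policies(policies, rate: float = ASSUMED_GUESSES_PER_SECOND):
    """Rows of (label, keyspace, bits, human time), weakest policy first."""
    rows = []
    for length, classes in policies:
        secs = seconds_to_exhaust(length, classes, rate)
        rows.append((f"{length} chars, {'+'.join(classes)}",
                     keyspace(length, classes),
                     round(entropy_bits(length, classes), 1),
                     human_time(secs)))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # The two chart rows quoted in the text, plus longer passwords for contrast.
    for row in compare_policies([
        (11, ["digits"]),
        (8, ["lower", "upper"]),
        (8, ["lower", "upper", "digits", "symbols"]),
        (12, ["lower"]),
        (16, ["lower"]),
    ]):
        print(f"{row[0]:32} {row[1]:>28,} {row[2]:>6} bits  {row[3]}")
```

Running the block makes the point a training slide wants to make: at this rate the eleven-digit and the eight-letter passwords are both gone within a minute, while adding length alone moves a lowercase-only password from hours to centuries.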
Insider threats are another large risk to organizations that can be mitigated through security training and education. They are such a great risk because of the damage an insider is positioned to cause. CISA lists the harms an insider threat can produce as espionage, terrorism, unauthorized disclosure of information, corruption, sabotage, workplace violence, and degradation of departmental resources or capabilities (CISA, n.d.). These threats can be mitigated by training individuals in what to look for and how to report it. Employees could be trained to keep doorways secured and not prop open locked doors, never to hold a secure door open for someone to enter behind them, and to act when they spot something suspicious. Training should make clear what counts as suspicious, that it should be reported immediately, and to whom. All of these steps help mitigate the risk of an insider threat.
The final questions are: if the author were in charge, what would be included in a security and awareness program, and what would success look like? Several factors make a great security and awareness program. It would need to be a continual endeavor, not a yearly half-hour video and a sign-off sheet. Security would be raised through monthly toolbox topics: simple information with the goal of getting people to think about doing the right thing and giving them what they need to know what the right thing is. Toolbox topics would be bolstered by automated phishing training, in which emails offering fictitious McDonald's coupons or links to a list of people about to be laid off are sent to employees. These emails would come from external senders and would contain simple errors. An employee who reported the suspicious email would receive a small prize, just enough to get them talking to their coworkers about the experience. Either way, a dialog box would pop up explaining the subtle mistakes they should have noticed, such as a suspicious email address, an external sender, or misspelled words. The main metrics of success for the program would be the engagement of those involved and a steady, year-long focus on security.
This paper has addressed several important questions. A well-vetted and extensive security and awareness training program matters because people are an organization's greatest asset and the source of many of its risks. The most commonly cited infection vectors, whether phishing, compromised or weak credentials, or insider threats, all turn on human actions, and training reduces that risk by teaching people what to look for and what to do about it. A program run by the author would be continual, built from monthly toolbox topics and automated phishing simulations, and its success would be measured by the engagement of those involved and a steady, year-long focus on security.
References
CISA. (n.d.). Defining insider threats. Retrieved from Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats
Knowles, M. (2023, March 1). Cybersecurity risk management: frameworks, plans, & best practices. Retrieved from hyperproof: https://hyperproof.io/resource/cybersecurity-risk-management-process/
National Institute of Standards and Technology. (n.d.). Information technology laboratory: computer security resource center: glossary. Retrieved from NIST: https://csrc.nist.gov/glossary/term/phishing
Neskey, C. (2023, April 18). Are your passwords in the green? Retrieved from Hive Systems: https://www.hivesystems.io/blog/are-your-passwords-in-the-green
Pham, T. T. (2018, March 29). Security report finds phishing, not zero-days, is the top malware infection vector. Retrieved from Duo: https://duo.com/blog/security-report-finds-phishing-not-zero-days-is-the-top-malware-infection-vector
Tunggal, A. T. (2023, April 6). What is an attack vector? 16 common attack vectors in 2023. Retrieved from UpGuard: https://www.upguard.com/blog/attack-vector