[Author: Pratum, 03.2020 | Keywords: Cyber Security, Information Security, Business Operations]
When most people talk about developing an information security program, they are referring to the administrative, physical or technical controls used to protect information. While no information security program can be effective without them, there is one key element that is often underestimated: the employee.
The reality is that employees design, implement and follow the controls put in place to protect sensitive information. A single misstep by an employee can spell disaster for information security, and unfortunately it often does. The good news is that effective information security training for users can prevent many of these incidents.
Many successful cyber attacks include a social engineering component. Social engineering is simply an attacker targeting the human rather than the computer: using knowledge of human behavior to con a user into handing over information or access over the phone, online or in person. Preventing social engineering attacks therefore reduces the number of successful cyber attacks overall.
Targeted Cyber Attacks Against Employees
Traditional information security training doesn't always cut it. Attacks are increasingly targeted at specific companies and individuals. They come from groups that have researched an organization's people and practices, have a specific objective, and have crafted the attack for that purpose.
A Small Number of Security Incidents Can Make a Large Impact
The Verizon Data Breach Investigations Report found that 23% of recipients open phishing emails and more than 1 in 10 click on the links in them. That may seem like a small number at first, but the impact adds up. Think of it this way: roughly 1 in 10 users in a company will take a single action that lets an attacker compromise its security. In a company of 500 people, that is 50 or more employees who have handed over their credentials or exposed a machine to compromise, all by clicking a link in an email. And an attacker only needs one of them to succeed.
Information security training should be more than a review of regulatory guidelines, company policies and good password selection. It should show users examples of the types of attacks they face right now. It should go beyond computer use in the office and show how our digital lives connect work and personal computer use. Employees are better equipped to combat digital con artists when they know how to spot them. Security awareness training is a cost-effective way to fight back against the onslaught of attacks on organizations.