Why Isn't User Training a Security Priority?
Only about half of companies offer any kind of security training, a CompTIA survey found.
End users are widely seen as a weak link in the enterprise security chain. More than 80 percent of respondents to a QuinStreet Enterprise survey tapped end users as a top security risk for their organizations. (QuinStreet Enterprise is the owner of this site.)
Craig Williams, security outreach manager for Cisco's Talos Security Intelligence and Research Group, said end users working outside the confines of corporate networks are a key entry point for attackers launching malvertising attacks.
"Attackers notice when machines are not up-to-date. They can find one that is not following security best practices and then embed a link so you have a landing page hosting a drive-by download attack. Then they use human engineering to trick users to look at that page, serve up some malware, and you are compromised," he said in an interview with eSecurity Planet earlier this year.
Despite this, however, recent research by IT trade association CompTIA found that just 54 percent of companies offer any kind of security training, with most doing so during employee onboarding. When CompTIA asked companies it surveyed why they did not offer security training to employees, "the biggest reason was there was no reason," said Seth Robinson, senior director of technology analysis at CompTIA.
Why No Security Training?
For many companies, Robinson said, offering training is simply outside their comfort zone as it is not a core competency. And when they investigate contracting with an outside party for training, "they often don't know what is available, what they should be looking for and what kinds of questions they should ask" of potential providers, he said.
While companies understand that offering security training is a good idea, Robinson said, they are sometimes reluctant to commit resources to it because it can be difficult to measure the results. However, views on training are beginning to shift along with the overall perspective of enterprise security, Robinson believes.
"I think the idea of raising security awareness is tied to the changing nature of security. It is no longer just one facet of IT. It's becoming a critical piece of how you operate in today's digital business environment," he said.
As companies start to think about making security training more of an ongoing activity, they are looking for checkpoints at which to give employees information or test their knowledge. A common example of this kind of activity, Robinson said, is for a company to simulate phishing attacks to test how its employees respond.
"They can measure how many click-throughs they get versus the number of employees that report suspicious links to IT," he said. "Then IT can send an alert telling people the results and explaining what should have tipped them off. They can then check again later so they can measure the results and see if there was any improvement."
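The click-versus-report measurement Robinson describes, as an added Python example that is not from the article or from CompTIA: it aggregates a constructed event log from two simulated phishing rounds into per-round click and report rates, the change between rounds, and the users who clicked in more than one round. The user names, the event format and the round labels are assumptions.

```python
from dataclasses import dataclass

# Constructed sample events from two simulated phishing rounds (not real data).
# Each tuple is (round, user, action); action is "sent", "clicked" or "reported".
# A user may both click and report (dave in round1): the click still counts,
# and so does the report, since the report is what lets IT react.
EVENTS = [
    ("round1", "alice", "sent"), ("round1", "alice", "clicked"),
    ("round1", "bob", "sent"), ("round1", "bob", "reported"),
    ("round1", "carol", "sent"), ("round1", "carol", "clicked"),
    ("round1", "dave", "sent"), ("round1", "dave", "clicked"), ("round1", "dave", "reported"),
    ("round2", "alice", "sent"), ("round2", "alice", "reported"),
    ("round2", "bob", "sent"), ("round2", "bob", "reported"),
    ("round2", "carol", "sent"), ("round2", "carol", "clicked"),
    ("round2", "dave", "sent"), ("round2", "dave", "reported"),
]


@dataclass(frozen=True)
class RoundResult:
    recipients: int
    click_rate: float   # share of recipients who clicked at least once
    report_rate: float  # share of recipients who reported the message


def summarize(events, round_id):
    """Per-user outcomes for one round; repeated clicks by one user count once."""
    recipients, clicked, reported = set(), set(), set()
    for rnd, user, action in events:
        if rnd != round_id:
            continue
        recipients.add(user)
        if action == "clicked":
            clicked.add(user)
        elif action == "reported":
            reported.add(user)
    n = len(recipients)
    if n == 0:
        raise ValueError(f"no recipients recorded for {round_id!r}")
    return RoundResult(n, len(clicked) / n, len(reported) / n)


def improvement(events, before, after):
    """Change between two rounds: a negative click delta and a positive report delta is progress."""
    b, a = summarize(events, before), summarize(events, after)
    return {"click_rate_delta": a.click_rate - b.click_rate,
            "report_rate_delta": a.report_rate - b.report_rate}


def repeat_clickers(events):
    """Users who clicked in more than one round: candidates for targeted follow-up training."""
    rounds_clicked = {}
    for rnd, user, action in events:
        if action == "clicked":
            rounds_clicked.setdefault(user, set()).add(rnd)
    return {u for u, r in rounds_clicked.items() if len(r) > 1}
```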
Companies are becoming increasingly aware of the importance of "making security more integral to their overall business strategy," Robinson added. "As time goes on, they will figure out how to fold it into their ongoing operations and measure the impact of what they are doing."
Security Policy: Where to Start
A significant number of companies also lack a comprehensive security policy, the CompTIA survey found. While 63 percent of large companies (500-plus employees) said they had such a policy in place, that number fell to 50 percent for midsize companies (100-499 employees) and 40 percent for small companies (fewer than 100 employees). Eighteen percent of small companies said they had no plans to create a policy.
A lot of companies, especially smaller ones, "aren't sure where to start," Robinson said. Again, emphasizing policy is a shift for many companies that have relied on defending the perimeter by installing technology.
"Things are moving from a pure technology solution where you purchase a firewall and antivirus and install those things to a more complex situation where you have technology in place but also need to rely more on best practices and end user awareness of things like phishing attacks," Robinson said. "Companies are used to purchasing technology, but now they have to do something different."
The best place to start in establishing a comprehensive security policy, Robinson suggested, is with a discussion of the current state of IT operations and future plans for technology usage – often involving implementations of newer technologies such as cloud and mobile. This exercise should help reveal security priorities. Some companies may decide to work with a third-party provider to help initiate these kinds of conversations, Robinson said.
"It’s important to broadly think through technology usage and then talk about the security implications," he said. "That gets you to somewhere like a risk analysis. You realize you aren't just going to build a secure perimeter with a firewall and put all of your corporate information inside that perimeter. Now you're dealing with mobile devices and cloud, so you need to look at each system and each data set independently and ask 'how much security do we need around this? How critical is it to our operations?' Those discussions can lead to decisions about what to do with your systems."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.