5 Reasons Why Your Security Awareness Program Just Isn't Up To Scratch
10 August 2017 09:22
There's now more focus on security awareness training than there's ever been -- yet users are still unfamiliar with most of the security risks facing them every day. We take a look at 5 reasons why businesses are STILL failing in their fight for a security-minded culture.
#1 Creating too many scare tactics
Remember the days when watching a horror film meant cowering under your duvet for the rest of the night, too scared to take a peek outside? (...or maybe this still applies). Well, in the IT world, many end-user security awareness videos seem to be following in the same footsteps.
Fear is now the main tactic behind many awareness efforts. The assumption is that scare tactics, which might make a user stop and think, are a good way of promoting procedures and guidelines. That's a big mistake.
Of course, mollycoddling around the issue of cyber security is never going to work either. But simply handing users a long list of the damaging effects their actions could have can cause as many issues as it solves. Checking emails is a prime example of a critical business function that can be hindered by constant security-induced fear. People shouldn't be "afraid" to go into their inbox in case they click on a phishing email -- they should be confident in knowing they can spot the warning signs of fraudulent mail.
#2 Over-relying on phishing emails
Simulating a phishing attack can be a great way of cutting down the risk of a user being compromised by a real one. But apart from reducing susceptibility to malicious emails, what else do these simulations offer?
Now let's be clear -- simulated phishing is a great way of putting training into practice and, in this day and age, should be part of most modern businesses' suit of armour. But where's the love shown for password security? What about safe web and social media browsing? Not to mention the forgotten importance of physical security.
The fact is, simulated phishing campaigns are just the start of an effective awareness program. There is still a vital need for countless other awareness topics. In order to truly encourage a security-minded culture -- cutting corners simply won't cut it.
#3 Treating awareness as a casual activity (at best!)
The "tick-the-box" mentality is often blamed for businesses not offering as much security awareness training as they should. That being said, it's a little unfair to generalise every business as having inadequate awareness training (as well as the fact that it's simply untrue).
A lot of companies now take pride in treating security awareness seriously. Whether it's computer-based training (CBT), presentations or awareness posters, more and more effort is being put in.
But there still aren't sufficient resources being placed on awareness. Many of these programs rely on disjointed or irregular activities that, while engaging, are not good for retaining information.
#4 Criminal Organisations Are Sitting On A Mountain Of Funds
Many cyber criminals have access to large funds, widening their ability to hone their technical skills and allowing for more sophisticated phishing attacks.
#5 Failing to consider security success stories
Awareness failures can be devastating. However, awareness failings are relatively rare when you consider all of the actions that users take on a regular basis. Awareness successes are less noticeable, but they happen all the time. Consider how many spam and other suspicious emails are simply never opened.
Every time a user takes the appropriate action, it is a success. Again, it is easy to focus on the failures, and they can be bad. But when you look at awareness from a cost/benefit perspective, you do need to consider how bad things would be if every potential user failing did occur. No security countermeasure is perfect. Awareness, like every other countermeasure, is not perfect, although, unlike many technical tools, it creates no records of the attacks it blocks.
There's no common sense without common knowledge
If you assume that users have more knowledge than they do, you will fail to address basic security issues. Take phishing, for example. The notoriety of phishing emails is rising, and so too is familiarity with the basic underlying principles of these attacks. But, while it is true that many people now know about the foundations of phishing, you cannot assume everyone does. And even when people are familiar with phishing, there's still no guarantee of the depth of their knowledge.
Overall, perhaps the main problem is that security awareness programs are more difficult to implement than most of us care to realise. Awareness, in general, is a separate issue from what many IT leaders are used to implementing. It's a whole different ballpark of skill and discipline, and without those skills and that discipline, security awareness is unlikely to significantly improve any day soon.