Employee Security Training: If You Train Them, They Will Comply

Ensuring employees have the right security training and understand the risks can help improve online behavior

It’s well known across all sectors that technology alone cannot defend organizations against cyberattacks. Why? Because of end-user errors. Employees are working from anywhere and everywhere, oftentimes accessing corporate email via unsecured Wi-Fi networks, whether at a coffee shop, the library or a hair salon.

A new report from Duo Security, “The 2018 Duo Trusted Access Report,” found that mobility and growth have driven a 24 percent increase in the average number of unique networks that customers and enterprise organizations are authenticating from. That type of access poses risks, many of which employees don’t understand because they have not been trained.

According to recent research from Clutch, 64 percent of employees use a company-approved device for work, while only 40 percent of those who use a personal device are regulated when using that personal device. In addition, the survey found that 86 percent of end users check email and 67 percent access shared documents using their devices. Behaviors that employees deem safe can actually put enterprise security at risk.

As phishing campaigns grow more sophisticated, it’s increasingly difficult to discern the difference between a fraudulent and an authentic email, yet most employees don’t see the normal exchange of email and sharing of documents as a threat.

“Normal,” or accepted employee behavior, often presents the most dangerous security threats, according to Randy Battat, CEO of PreVeil. “Employees believe that information that needs to be protected is special, sensitive stuff that’s explicitly marked and that most of the everyday communications they receive and send aren’t a risk for their organizations,” Battat said. “The reality is that the majority of communications and an organization’s intellectual capital can be found in the ‘ordinary’ email.”

The Clutch survey also found that 76 percent of employees practice some form of password protection. Because of the frequent reminders they receive, employees are pretty good about changing their password. The survey indicates that employees have a general understanding of IT security threats and best practices, yet their companies aren’t communicating and training them to recognize all the ways in which they may encounter security risks.

What They Don’t Know Can Hurt

A strategy to mitigate risk should include a two-pronged approach. First, expand security awareness training programs to be ongoing and educate employees on all behaviors that create risk. The Clutch survey found that if a company’s employees don’t realize a policy is present, it is essentially nonexistent, but when employees are informed, they take steps to change behaviors.

When companies make it possible for employees to access sensitive information on their personal devices, they’ve opened up a veritable Pandora’s Box of issues. In addition to educating employees, “Companies can introduce measures to monitor and protect company-issued devices. If employees can access file servers on their personal devices—especially if there’s no security to watch who’s accessing what—it’s only a matter of time before information is leaked or exploited,” said Ken Spinner, VP of global field engineering at Varonis.

Embracing the BYOD movement has created formidable security obstacles that are hard to reverse, because security teams can’t ensure the right protections are in place on employee-owned devices. They have virtually no control when it comes to preventing personal data from merging with business data and vice versa; thus, they have little way of knowing when these barriers are breached.

In a recent report, Varonis found that 41 percent of companies had at least 1,000 sensitive files open to all employees. “These files are likely to be encrypted once an employee clicks on a phishing scam. Companies are often overexposed and under-protected. The biggest culprit, in many cases, is global access: files open to every employee within an organization,” Spinner said.

The problem is not one of how information is being accessed. Rather, the issue is that the sensitive data can be accessed in the first place. “If valuable data is exposed to everyone, it just takes one compromised account to cause problems. By securing data and limiting access to only those who need it, the potential damage of an attack can be limited,” Spinner said.
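The "global access" problem Spinner describes is something a defender can measure rather than guess at. The script below is an added example, not code from the article or from Varonis: it builds a small constructed directory tree with deliberately chosen permission modes, audits it for files readable or writable by everyone (the POSIX "other" bits, used here as a stand-in for the "Everyone" or "Domain Users" entry on a Windows file server), compares the count to a configurable threshold, and then strips the global bits as a remediation step. All file names, contents and modes are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample tree (not from the article): relative path -> permission mode.
SAMPLE_FILES = {
    "finance/payroll.xlsx": 0o644,   # readable by everyone: should be flagged
    "finance/budget.docx": 0o640,    # owner + group only: fine
    "hr/reviews.pdf": 0o666,         # writable by everyone: worst case, flagged
    "public/handbook.pdf": 0o644,    # readable by design, but still reported
    "eng/secrets.env": 0o600,        # owner only: fine
}


def build_sample_tree(root=None):
    """Create the constructed tree under a temp dir (or `root`) and return its path."""
    root = Path(root or tempfile.mkdtemp(prefix="access-audit-"))
    for rel, mode in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
        os.chmod(path, mode)  # explicit mode, so umask does not matter
    return root


def audit_global_access(root):
    """Return {relative_path: 'write' | 'read'} for every regular file that
    'other' (i.e. every account on the system) can write or read."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            mode = path.lstat().st_mode          # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue
            rel = str(path.relative_to(root))
            if mode & stat.S_IWOTH:
                findings[rel] = "write"           # global write beats global read
            elif mode & stat.S_IROTH:
                findings[rel] = "read"
    return findings


def exceeds_threshold(findings, limit=1000):
    """True when the number of globally accessible files is at or above `limit`
    (1,000 is the figure the Varonis report uses as its headline threshold)."""
    return len(findings) >= limit


def remediate(root, findings):
    """Clear the 'other' read/write/execute bits on each flagged file.
    Returns the number of files changed."""
    root = Path(root)
    changed = 0
    for rel in findings:
        path = root / rel
        mode = path.lstat().st_mode
        os.chmod(path, stat.S_IMODE(mode) & ~stat.S_IRWXO)
        changed += 1
    return changed


if __name__ == "__main__":
    tree = build_sample_tree()
    found = audit_global_access(tree)
    for rel, kind in sorted(found.items()):
        print(f"{kind:5} {rel}")
    print("over threshold:", exceeds_threshold(found, limit=3))
    print("remediated:", remediate(tree, found))
    print("remaining:", audit_global_access(tree))
```

Run against a real share root instead of the constructed tree, the audit gives a count that can be tracked over time; the remediation step is intentionally blunt (it removes global access wholesale) and would normally be replaced by granting the specific group that needs the data.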

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). She has also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
