Part 1 of 5: User Education
What Is It?
The users of your information systems are the key to your organisation’s success. These are the people you have sought out to perform key roles in the organisation, and the very prosperity and growth of the enterprise hinges on their engagement, capability, and capacity to deliver. Easily the most important element of your team, they are sadly also the largest cause of cyber security issues that pose both potential and actual risk.
This is by no means an assertion that people are an absolute risk. We’ve probably all seen the numbers that paint a picture of the majority of breaches being caused by insiders. Let’s not blindly assume these are all malicious, because they’re not. Some are, yes, but human error, a lack of processes and controls, and sometimes leadership can cause things to come off the rails.
People click on links in phishing emails. People accidentally expose sensitive information. People, in the interest of being helpful, can sometimes hold the door open for strangers. Of course, people also get angry and feel slighted by their employer, clients, or colleagues, and sometimes think that the grass is greener on the other side.
User education can help with a lot of these issues. It will never be a cure-all, but it can arm your users with the knowledge they need to be the first and last lines of defence. In the era of highly mobile workers, they don’t always have layer upon layer of defences in the office network, so often they are their own best mitigation strategy. A Master Warrant Officer I once had the privilege to work with referred to this as a “DFWI Policy”. Message me if you’d care to know what that is.
Where Do I Start?
There is a train of thought that user education should begin before we even hit school age. In our times, adults in their mid-20s do not know a world without the internet. We carry on through life oversharing on social media, getting all our information online, and often interacting with others completely electronically. Odds are that by the time we hit the workforce, we’ve not developed much of a business cyber security awareness unless we’ve been burned. Badly. And more than once.
While I could say that where we start is with children and teaching safe computing habits early, the reality is that once we enter the workforce, we learn quickly about cyber security in one way or another. How we learn is a different matter. Many organisations have policies regarding the use of electronic systems, from email to the internet, and what is and is not allowed. Perhaps they have an on-boarding program and a required set of learning modules to complete. In most cases, these are basic at best and non-existent at worst. We then get stuck into the daily grind, going through the motions without any further mention of security beyond the office banter and the occasional newsletter.
The best place to start is at the beginning, followed by regular updates to remind and augment the collective knowledge of our users. The threat landscape is evolving and so should our ability to defend against it beyond the dark, dingy server rooms and windowless pits and cubicles that we IT folks inhabit. The workforce must be a cohesive layer in that defence in depth strategy.
The first step is to conduct a risk assessment of the organisation, underpinned by some basics. We all use email, we all browse the web, and we all use common online applications. Training on these is readily available, repeatable, and easily customised to your organisation. Better still, that basic training is portable to the user’s home environment, so they and their families can also take steps to protect themselves. In our household, we browse the web, send email, and do online purchases, banking, and bill payments. Most households are the same, so these are good fundamentals.
The difference is understanding the business and the unique risks it faces. Are you a research and development company with terabytes of intellectual property? Are you a financial services organisation with millions of personal records and financial holdings worth billions? Are you a small services company with a list of your valued clients? The unique elements of individual businesses should form a part of your user education.
Your training should be based on the commonalities we all face, but should also consider the unique elements of your business. Your employees may face specific situations and threats and need to know how to react.
How Do I Make It Work?
One part of user education I generally disagree with is a complete “don’t do this” or “don’t do that” approach. Honestly, it makes us feel like children. I’m sure every one of us had plenty of this growing up. We’re adults. Treat us as such. When I sit in on training, don’t just tell me what NOT to do, but also tell me what TO do.
For example, when a spam email is received, instead of saying “Don’t click on the link or else bad things happen”, wouldn’t you rather tell someone to ask questions, delete the message, or take a proactive step like showing them how to hover the cursor over the link and see the URL it actually connects to? Doing something positive engages people and makes them stop and think first.
Keep it fresh. Continually update your training material and make it relevant to your business and the activities of your users. Most of us consume our news electronically these days, so training should contain recent events and examples to learn from. Many are tempted to use news stories, but odds are many of us have already seen them. Using readily available resources from YouTube and many other content-rich sites, presented in a more humanised manner than stoic newsreaders, is often far more entertaining and compelling. I’m willing to bet many of us have fallen asleep, or nearly fallen asleep, when the content presented is too dry.
Beyond the content, consider your presentation. Sometimes trips to Security Operations Centres, or anywhere but the boardroom, to see things in action are great. I’ll acknowledge it’s not always feasible, so having a great presenter who engages with your team beyond simply reading off a PowerPoint presentation is a must-have. Speak WITH us, not TO us. There are a lot of great training organisations out there ready, willing, and able to provide a great user education experience.
Pitfalls?
Besides stale content, having too much training or not enough training often becomes a pitfall. We’re busy, so any engagement of this type needs to be worth our time and provide value. If we feel like we’re always undergoing end user education, we get the impression we’re always doing something wrong that needs to be corrected (I should note this is specific to cyber security – many of us otherwise love training to improve our skillsets and advancement prospects!). On the opposite side of the coin, end user education that is rare or non-existent may lull us into a false sense of security. We become complacent and more error-prone. Consider what works best for your team and schedule your education accordingly.
Ghosts in the Machine?
Absenteeism is one element. None of us want to be “forced” to undertake end user education for one reason or another, so often we’ll be busy or unavailable just to avoid the whole ordeal, even when we know long in advance that we can attend. End users need to understand the value of this endeavour, and that it’s not intended to just waste their time and make the shareholders falsely think that everyone is doing the right thing. End user education from a business perspective is a great investment because people are the first and last lines of defence, and educated users are more likely to leverage that same knowledge away from the office, which ultimately benefits them. Most of the time they’re paid to attend training as part of their regular compensation, and savvy users are valuable. If you’re going to make your users attend, make sure it’s for the right reasons and demonstrate the value.
Anything Missing?
Some organisations use end user education as part of their on-boarding process, but that should not be the end of it. Annual training is a good idea, even if it’s included as part of an objective for their performance review. Some businesses have a KPI for training, so I would suggest that cyber security awareness is included if it isn’t already. There are many ways to accomplish this… take the time to understand how it will work best for you.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock