Why is security awareness such a big problem?

Perception

Users of our networks have the perception that a business network is a safe network. Because of this, a user forgets all security boundaries once they are at work. Why, you may ask? Because it is the common perception that a business network is a more secure and monitored environment. A user feels safe, while this isn’t necessarily the case.

Training is the answer

Training

So how do we create more security awareness? Training is the answer. By performing real-life tests like phishing simulations, hiring actors to pretend they are IT staff and by being open with the results of the test, awareness is created. By letting the user know they can be a liability for the security of a company, they will realize that they have to pay attention to security. If well trained and aware of the security threats, people can be the best layer of defense.

The most commonly used method to train/educate our users/employees is the so-called “general social engineering training”. This training points out the risks in general. For example, on your first day on a new job, you will have to complete an obligatory IT e-learning. This e-learning points out all the possible risks and threats and gives the new user a few tips on how to avoid these risks and threats (e.g. change your password every few months). The problem is that the general training doesn’t stick in the mind of a user. The users don’t realize the risk that they are taking each time they open a malicious document or link. By training users in a simulation, they will experience how easily they get tricked by these mails, links and other possible security threats.

Of course, all of these methods start from the top: the management. The management decides whether your information has to be protected to the best standards possible or whether these risks are so-called accepted risks. If we look at recent examples of security breaches in the news, like Apple or Amazon, which were all breaches by social engineering, shouldn’t we see the necessity to train our staff, to make our staff the next (and best) layer of security?

That question is the question you will need to ask yourself.