This is the second piece of our five-part series discussing security concepts every business should consider. Every company should dedicate time and resources to training and testing employees to identify, react to, and respond to IT-security-related events.
It’s no secret in the IT security industry that hackers will attempt to take the path of least resistance. Often, this involves tricking employees of a company into divulging sensitive information that leads to the compromise of IT assets and data. Phishing, spear phishing, social engineering, and pretext calls are all part of attack campaigns. These techniques are aimed at taking advantage of ill-prepared employees.
A recent article posted on esecurityplanet.com states that 60% of breaches were conducted by targeting and attacking a company’s employees. This statistic alone indicates why training and testing your employees is one of the top five critical security principles that every company should employ. While many companies have realized the importance of defending against these attacks, trends indicate that not enough is being done to address the problem. Most companies call for annual security awareness training. The problem with this approach is that it may create a false sense of security, suggesting that a one-off training event is enough to properly prepare individuals to recognize, respond to, and react to social engineering attacks. To be frank, it’s not enough.
Your company needs to prepare its human assets for these attacks. We recognized the need for a change in the approach to preparing employees for social engineering attacks. That’s why it’s important for companies to bring forward real-world scenarios that employees can relate to, share, and understand, so they learn the types of security challenges they will be faced with.
The missing link that companies often fail to utilize is the testing of their employees. Within coreSecurity, Rigid Bits has developed its own security awareness training models. We’ve also spaced out the assessment and training process over time to eliminate the problems with one-and-done awareness training models. The goal is to replace the false sense of security from a one-time training event with a real sense of security, where employees are adequately prepared and their awareness can be used to detect, alert on, and stop security events.
Up next, we’ll tackle the challenge of detecting and managing vulnerabilities.
Here are a few links for other resources in this series:
- Develop and assess your security program
- Train and test your employees
- Identify and mitigate vulnerabilities
- Secure your endpoints
- Identify threats and respond accordingly