AUSTIN, Texas -- IT pros have mixed feelings about how effective employee training initiatives are at improving their company’s overall security posture. While employee security training can be a cost-effective way to improve awareness, it lacks the scalability and automation of technology-based controls.
Robyn Edwards, a systems administrator at PermiaCare, a mental health and addictions services provider based in Midland, Texas, said that the efforts her organization has made to educate employees on security issues have helped provide context for users who may not understand why certain activities are blocked on the corporate network. Edwards spoke on a security panel at the SpiceWorld conference in Austin, Texas, last week.
The approach at PermiaCare includes user training, monthly phishing tests, and a newsletter that Edwards sends out each month highlighting a particular security topic. Edwards said that by keeping the newsletters to one page and connecting security topics such as HIPAA or phishing to how they affect the company, she has seen high employee engagement.
“The phishing email test has become like a game,” she said. Users call her excitedly when they have correctly spotted a phishing attempt whether it’s part of the test or a real-world example, she said.
Research from Spiceworks has found that employee training tools are among the most effective ways for smaller businesses to improve security, especially from a cost perspective.
“It may just be a matter of when you are onboarding new users to make them aware of these things or send out weekly emails,” Spiceworks senior technology analyst Peter Tsai said. “There are also established tools out there where you can pay people to phish your users and they’ll give you reports on who are the problem users and what remedial steps you might want to take.”
Tsai said that big companies with more than 1,000 employees have a huge attack surface, so they may consider it too great a burden to ensure every employee is on board.
In a larger company “you don’t necessarily know everyone personally,” he said, “and there’s a lot of people out there that hackers could be attacking, so it might have the perception that you need more automation, or just a more systematic way to detect threats and deal with them.”
Jesse Lewis, director of IT at the Association for Manufacturing Technology (AMT), said that in a lean organization like his own, he isn’t a big believer in security training for users, instead relying on open communication between staff and the IT department as security issues or questions arise.
With this approach, “we must be highly responsive, but so far it has worked well,” Lewis said in a panel discussion at SpiceWorld. The approach does educate users in a general sense, giving them a basic understanding of what to be aware of when it comes to phishing, for example.
“Smaller phishing emails are the ones with links, [which are] easy to detect and filter,” he said. But other phishing attempts may require an employee to verify information outside of the email to ensure that it is legitimate. Lewis trains his users so that if an email indicates a change of process or the handling of any sensitive data, they must validate and verify it outside of the system, for example by calling the sender at a phone number that did not come from the email signature.
As director of IT, another part of Lewis’ responsibility is to keep tabs on emerging security threats that could affect the organization. A recent example is the emergence of devices like the Amazon Echo. When the news broke that an Amazon Echo had been subpoenaed in an Arkansas murder investigation dating from 2015, Lewis said he immediately drafted a policy that forbids the use of such personal assistant devices in the workplace. The organization deals with NDAs and other sensitive information, so the risk of a device like an Amazon Echo listening in is too high, Lewis said.
Erich Kron, a security awareness advocate at KnowBe4, said that it is important for IT pros to educate users based on threats that are specific to their industry and their job. For example, in the real estate industry, he has seen an increase in escrow redirection phishing: attackers posing as a buyer or agent ask for the account number on a wire transfer to be changed.
Phishing often relies on an “emotional tug,” so Kron suggests IT pros train users to step back before they react. He acknowledges that keeping a company secure requires a layered approach.
“There isn’t a single thing out there that is a single bullet, the blue pill that’s going to solve everything,” he said.
It is important for users to understand how a hack of their business could affect them personally, he said. If a company loses money from a security incident, there could be layoffs.
“People need to think it’s relevant to them,” he said.
Disclosure: Spiceworks arranged and paid for Nicole Henderson’s airfare and hotel costs to travel to SpiceWorld.