The standard security tools like firewalls and antimalware suites do an adequate job of defending against most malware and exploits, but attackers figured out long ago that the easiest part of the security model to break or circumvent is the person sitting at the keyboard. Users are much more security savvy today than they were five or ten years ago, but they still can’t be expected to stay on top of emerging trends in malware or what the latest attacks are.
IT has to communicate with users on a regular basis to raise security awareness and ensure users know what to look for to avoid attacks.
Everyone knows they’re not supposed to open file attachments or click on links in unsolicited emails, right? At this stage in the game after all those headlines, it’s tempting to assume everyone has gotten the memo. Everyone exercises a healthy dose of cautious skepticism when online. Wrong.
The average user is definitely better educated about security risks and potential threats than he or she was a few years ago, but attackers are agile and prolific. Innovative new exploits and attack vectors emerge all the time and it’s unreasonable to expect users to be invested enough to stay on top of emerging threats on their own or savvy enough to detect and avoid potential attacks.
Spread the Word
Security is a culture—a way of life. It isn’t a tool you can deploy. It isn’t a point in time. You don’t just deploy some software and conduct a user training session to check off some boxes and then you’re done. The cyber criminals aren’t going to stop coming up with new exploits and attacks so you don’t get to stop actively protecting your network and endpoints. That means you have to keep up with security awareness for users, too.
Even users who’ve been taught and understand security best practices are not always on guard. They have their own lives and jobs to worry about, and keeping up with the latest security concerns is simply not on their radar. That’s why it’s imperative that you continuously spread the word.
Some spam or phishing attacks are so poorly constructed that anyone with an IQ higher than a donut should be able to recognize that they’re not legitimate. There are some attacks, however, that are much more sophisticated and extremely convincing. Even some that aren’t completely convincing are still good enough to catch someone off guard. And the attacker just needs one person to have an off day.
If you’re one of the first organizations in the world to be targeted by a more sophisticated phishing or spear-phishing attack, there may not be much you can tell users beforehand. But if you know about ongoing campaigns, simply telling your users what those attacks look like goes a long way toward defending your network. Attacks generally have identifiable elements, or indicators, that you can share with your users so they know what to watch out for.
Read the complete post on the RSA Conference blog: Your Security Posture Is Only as Good as Your Security Awareness.