It would be awesome if everyone were passionate enough about security to be constantly vigilant, but that is completely unrealistic. As an IT or security admin you have to come to grips with the fact that it's your job to continually educate users so they know what to watch for:
Everyone knows they're not supposed to open file attachments or click on links in unsolicited emails, right? At this stage in the game, after all those headlines, it's tempting to assume everyone has gotten the memo and exercises a healthy dose of skepticism when online. Wrong.
The average user is definitely better educated about security risks and potential threats than he or she was a few years ago, but attackers are agile and prolific. New exploits and attack vectors emerge all the time, and it's unreasonable to expect users to be invested enough to stay on top of emerging threats on their own, or savvy enough to detect and avoid every attack that reaches them.
Spread the Word
Security is a culture, a way of life. It isn't a tool you can deploy, and it isn't a point in time. You don't just roll out some software, hold one user training session to check off some boxes, and call it done. The cyber criminals aren't going to stop coming up with new exploits and attacks, so you don't get to stop actively protecting your network and endpoints. That means you have to keep up with security awareness for users, too.
Even users who’ve been taught and understand security best practices are not always on guard. They have their own lives and jobs to worry about, and keeping up with the latest security concerns is simply not on their radar. That’s why it’s imperative that you continuously spread the word.
Some spam or phishing attacks are so poorly constructed that anyone with an IQ higher than a donut should be able to recognize that they're not legitimate. Other attacks, however, are much more sophisticated and extremely convincing. Even some that aren't completely convincing are still good enough to catch someone off guard, and the attacker only needs one person to have an off day.
See the full post at the RSA Conference blog: Your Security Posture is Only as Good as Your Security Awareness.