Importance of Security Training
from Cyber Security 2022
by 3S Media
TRAINING is the best defence
While technology is critical in the fight against cybercrime, and processes are vital to maintaining the rules of engagement, it is your people that matter most – they require regular, ongoing training in security matters.
Avoiding security challenges within an organisation obviously requires utilising strong defensive technologies, but it equally requires employees to undergo training, training and more training, suggests Gabriel Le Roux, specialist account manager at ESET Southern Africa, an anti-malware and security solutions company.
“Online security is similar in principle to driving a car. When seatbelts were first made law, people had to adjust their behaviours to suit this new safety mechanism. In much the same way, people need to be convinced to change their behaviours to suit the demands of a digital world – despite this, however, many people in a business environment are given PCs to enable their work, but are not given any training around how to deal with security in an IT environment,” he explains.
“There are three angles to an effective security posture: first, there is physical security, such as gates and cameras, then there is the software level, which is where the heavy lifting happens, as companies seek to keep up with evolving security challenges. The final leg is the ‘people factor’, which may be the most crucial, as they are the easiest attack vector.”
Remember, he continues, that one well-thought-out email that dupes a single individual in a business into clicking on a malicious link could provide access to your corporate data. A well-crafted email to a network administrator could conceivably lead to millions of rand in losses. With this in mind, it is imperative that all employees are able to recognise potentially malicious communications.
“Personally, I think such education should begin at school level – this is the digital era, after all – as this will not only protect children from a personal safety perspective, but will also inculcate a kind of security approach that will serve them well from a future business point of view,” states Le Roux.
“If you think about it, we teach life orientation, and since IT is a key part of life today, so IT security should be taught. Similar to how we teach youngsters to look both ways before crossing the street, so they need to practise the same caution when it comes to this new ‘e-street’ we are all travelling on.”
While this is not yet a part of school curricula, it is clear that business owners should understand the importance of having employees with a clear understanding of security, and should make basic security training a part of the culture from the moment they are initiated into the organisation, he suggests.
Everybody must train
“You should be implementing programmes designed to ingrain security in your corporate culture, as it is ultimately something everybody needs to learn – from the lowliest employee to the most senior member of the board.”
There are a number of areas that should form part of the training, notes Le Roux, including the types of hacking (some 43% of attacks still arrive via phishing), as well as the dangers of removable media, which may be infected with malware. Another key focus should be passwords and authentication, which includes driving an understanding of why it is critical to regularly change your passwords, as well as instilling simple caution, such as not typing in passwords or viewing sensitive information while someone is standing behind you.
“If you are working remotely, then you need an understanding of mobile device security and cloud security, so you can understand how it affects a network. It is vital to have knowledge of what social engineering is and how it occurs and, of course, if you are working from home, you need to ensure your security there is adequate to protect your office network from intrusion.
“An organisation that covers all of the above will find itself in a good space, and achieving this doesn’t necessarily require the most expensive courses. No one needs a security degree to be good at this – it really is mostly simple and basic day-to-day logic.”
Inculcate good security habits
Le Roux stresses that training employees around social engineering is absolutely critical, as it helps them develop awareness of how people are the weakest link, and assists them to understand how not to be that link, how to spot the con, and thus how to become more secure.
“The simple reality is that the more people there are who understand how the bad guys mine data and leverage it to convince you to do something stupid, the less often people will fall into such traps. While policies are vital in controlling your security posture, the secret to success lies in inculcating good security habits instead,” he states.
“Of course, you also need to regularly test that these habits have ‘stuck’, which means possibly bringing in what they sometimes call a ‘white hat hacker’. This is an expert who uses the same nefarious means the bad guys do to run simulated phishing attacks or password enumeration tests – where they try to hack company passwords using common hacking methods, including social engineering – to see how many passwords they can crack. What is amazing is how many times it has been senior, C-level executives that get caught out – which is a little ironic, as they are the ones paying for the course.” Other methods used by these experts include dropping an infected USB on a desk, to see if the employee will use it without question, or the basic walk around the office to see what can be viewed over people’s shoulders.
“The key to leveraging this expertise to drive home the security message is to ensure it is treated as a learning exercise, rather than an ‘I told you so’ moment that involves punishment. Rather offer incentives for those who don’t get duped, as a rewards-based approach is much better than ‘naming and shaming’. You want to encourage your people to have the security conversation in an open and transparent manner, after all,” Le Roux notes.
Even the smallest of businesses, he continues, can undertake such courses, as there are many free cybersecurity training programmes suitable for an SME of limited means, which will undoubtedly help to foster a much higher level of awareness.
“I feel that future-proofing your business against security threats is not only about having the latest technologies, but also about ensuring employees understand why they must never keep the same password for years; why their Facebook settings should always be on private; why applications must be kept up to date and so on.”
He concludes, “Of course, if you are making systematic changes to your business operations, such as with the current drive towards digital transformation, then you may be creating new attack vectors. Therefore, it is imperative to ensure training around this is added to the schedule, while you are consistently having employees brush up on all the old security faithfuls as well.”