November 14, 2017

A CISO Landmine: No Security Awareness Training

By Mike Levin

Executives are slowly but surely recognizing the ramifications of providing the wrong answer when asked the questions: “Prior to the breach, did we train our employees in the acceptable use of company assets? Did we train them about what they could and could not do?”

Do you work for a company that requires employees to sign an annual “acceptable use” policy statement? Many companies fail to provide the training and/or to enforce the policies associated with one of the largest vulnerabilities of a business.

While working for the US Secret Service in 1991, I was one of the primary investigators involved with a major cyber breach of a large corporation. Secret Service and FBI investigators were sitting in a large corporate conference room with the president, CEO, CISO, and a group of corporate attorneys. On the phone was a host of IT managers and others.

One of the IT managers responsible for the server that was breached insisted that this incident was a “major brute force hack.” It didn’t take long, however, for the law enforcement investigators in the room to discover that the admin default passwords left on the server were actually the cause of the hack.

Fast forward 26 years to the Equifax hack, and we have very similar issues, with best practices not being followed, trained, and enforced!

As an executive, do you still have the attitude, “My employees should just be focused on their jobs and performing their tasks, not taking security awareness training or learning about the latest risks”?

CISOs Haven’t Fully Embraced Security Awareness Training

A recent F5 and Ponemon report, “The Evolving Role of CISOs and their Importance to the Business,” shows that CISOs aren’t fully taking advantage of the power of security awareness training. Let me outline a few relevant findings:

  • Only 40% of surveyed CISOs include security awareness training as part of new employee on-boarding.
  • Just slightly more than half (51%) have a formal security training program in place for employees.
  • Nearly a quarter (24%) rely on informal and on-the-job training to teach employees security processes.
  • Just 62% of CISOs are doing security awareness training at all.
  • Only 8% of the security budget is dedicated to security training.

This report makes it clear that most security executives don’t realize that just one serious security incident or data breach could destroy the growth and profitability of their companies. It’s more important than ever that every company incorporate an enterprise-wide IT security strategy into its mission and goals.

How to Avoid the Landmine: Implement Security Awareness Training

We hear a lot about the “human firewall” and other concepts that imply we can somehow just patch our employees into fixing this problem. Throwing policies and procedures at the problem will not eliminate our growing vulnerability.

Frequently, IT managers convince C-suite executives to spend the IT budget on hardware and software security solutions. They totally ignore the fact that many employees are clicking on every email, link, and attachment they receive. Not training your employees on what they can and cannot do is no longer an option for any enterprise.

I have been training employees for over 10 years in security awareness best practices. I have spoken with thousands of employees, and a few things are clear:

  1. Employees want to know how to protect themselves and their families.
  2. Employees frequently don’t have any idea what they can and cannot do with company resources because there is insufficient training or reminders.
  3. Employees don’t want to be the one who screwed up and took down the company’s system.

Security awareness training is not overly complicated. It just needs to ensure that all three of these concerns are integrated into the training to achieve employee buy-in and participation.

Final Thoughts

We can no longer use the excuse, “We don’t have budget, time, or resources to train our employees.” All executives who are responsible for the success of their organizations must recognize the need for all employees to participate in the safety and security of the business.

Security awareness training that achieves employee buy-in and participation will dramatically reduce business vulnerabilities, and the return on investment will far exceed all other IT expenditures.

Security awareness training has become a required part of security best practices that must be implemented on a recurring basis.

Making the decision to hire an external service to conduct necessary security training is an easy solution to ensure your employees do not put your business and assets at risk.
