In a previous life, I worked as a network tech for an internet service provider. We had a saying around the shop that our job would be great if not for the end users and their issues. Networks have come a long way since then; however, one object within networks has not changed – we still have end users. If you stay up with current trends in cybersecurity, you have seen the stats – something like 96 percent of all network breaches occur because of end-user interaction with malware. Yes, that is right – someone clicks something they should not click. End users!
With all the security practices IT professionals have at their disposal, the technology, the cybersecurity skills, the certifications, it all comes down to a single click of the mouse. What are we to do?
The Challenge of Preventing End-User Vulnerabilities
I have been in many schools where the IT teams have solved the problem by not allowing end users to do anything on their networks – strict access only. While this may work (or not) within an academic environment, it impedes the productive workflow in a corporate environment.
As our technology changes, our network’s borders are dissolving, and the attack surface is increasing for several factors, including evolving endpoints and mobile access to resources and data.
The bad actors are also evolving. They are using modern technology and tools to access networks. As their skills and resources have improved, attacks have become more advanced. Larger corporations in particular face advanced persistent threats, where the bad actors spend time researching the target, getting to know how it works and then targeting, you guessed it, the end users.
And their scams and phishing attacks are getting more complicated. New threats such as the Unicode domain registration trick proved successful by Xudong Zheng, a security researcher, show how easy it is to fool end users into thinking they are on a secured trusted site when actually they are not.
Some IT pros will say that training end users is a waste of time, as they will click through the training but not heed the warnings. That end users are of the mindset that network security is someone else’s responsibility or that if antivirus software is running, they are protected, or that really, there is nothing of importance on my computer.
Arming the End User, the First Line of Defense
There is another theory, however, one of which I am a proponent. It is the theory that end users on our networks are not the problem, but, in fact, our first and most important line of defense!
First, we must define an end user on the network. Think about it, any one of us using connected devices on the network is an end user. Yes, that’s right. We are all end users.
As the bad actors find more ways to bypass network security, it becomes the responsibility of the end user, or the human firewall, to recognize and stop attacks before they can cause damage on the network. It, therefore, becomes that much more important to train and prepare network users about attacks.
So, how do we accomplish this with all the criticism about user training? In my perfect world, I would require everyone who touches a computer to get the CompTIA IT Fundamentals certification, which explains what technology is, how we use it, what types of risks exist and how we can mitigate some of it. Basic IT knowledge.
Now, to quote the J. Geils Band:
"Yeah, now listen,
It's okay, I understand.
This ain't no Never Never Land."
While it’s unrealistic to require every end user to hold an IT certification that focuses on basic computer literacy prior to touching one of our network computers, we do need to make sure they have adequate training covering these concepts. We start by knowing our audience. While many of the people on our network are tech users, how many of them understand technology?
Developing End-User Training That Works
Let’s start by staying away from what I like to call firehose training, where we spend several hours talking about things like the importance of changing passwords every 90 days. Trying to fit every aspect of security training into one session to check the box on a compliance form and then forgetting about it until the next year’s requirement rolls around does not cut it.
First, we need to evaluate the level of knowledge that users have about securing personal information and our network.
Next, we need to prioritize our objectives and create a plan to train, assess and review on an ongoing basis.
Training should include adult learning principles and participants’ prior learning experiences and engage the participants through structured activities. Include the participants in the planning to find out what they want to learn.
Assessments of training can take many forms. There are several providers in the market that help organizations assess training by performing phishing tests or USB drops and providing detailed reports on participant responses. There are also plenty of free, online resources that provide steps and even instructions on building successful tests in house.
The ROI of Cybersecurity Training
The discussion of cost always rears its ugly head when it comes to training users on the network. Budgets are tight, and it can be tough to find the money to conduct end-user training when we have so many other IT projects going on. Or it may be that you simply don’t have time to come up with a training program on your own.
If this is the case, the U.S. Department of Homeland Security may be of service. It has many resources available through the Stop, Think, Connect program. From here, you can find information, tips and advice as well as promotional material for information security. Another resource is the U.S. Computer Emergency Readiness Team, which provides information about current threats and protecting information.
I always like to point to the headlines when it comes around to discussing the return on investment (ROI) of end-user security training. Do we really want to end up like “them” (those companies hit by a major data breach or ransomware attack)? What is the value of that compared to investing in our workforce?
Cyber-Awareness as a Life Skill
These skills will be used on the job and at home. They are valuable skills you are providing to employees, a job benefit or perk for them. Plan monthly lunch-and-learn sessions where you discuss new technology, social networking, wearable devices or whatever, and cover topics like how they work, the benefits and drawbacks and what does it mean to connect the device to the network or share information. These sessions provide knowledge to the user but also help them understand security risks.
Professional development is something that organizations should be promoting with cybersecurity training. Everyone wants to gain more skills and succeed in their career, and cyber-training could be blended into a continuous training program.
We need training and a license to drive a car, and we have specialized training and certifications for many job roles in all fields. With the digital age growing by leaps and bounds every year, why would we hold our employees back from getting the training they need to understand technology and the security risks associated with using all of our various devices? Technology skills are becoming life skills that everyone is going to need to function, not only on the job, but in our daily lives as well. How will you address your company’s cyber-training needs?
I am Stephen, and yes, I am an end user!
J. Geils Band please exit my blog.
“Na na na na na na na na na,
Na na na na na na na na na,
Na na na na na na na na na”
Whether you're a novice end user or the one training them, CompTIA has a certification for you. Find out which CompTIA certification is best for you.