Users: How to Turn Your Greatest Weakness into Your First Line of Defense

Unfortunately, IT managers too often do little more than issue a handout with a few guidelines and call it a day

When you plan the defense of your organization’s information assets, are you resigned to the fact that all your efforts will be made in spite of your user population? It’s easy to view the workforce as part of the problem – one of several critical attack vectors, and perhaps the most likely to be exploited. According to the 2019 Symantec Internet Security Threat Report, ransomware attacks against enterprises were up by 12% in 2018, accounting for 81% of all such attacks.

Most organizations acknowledge the issue of end-user vulnerability and make some effort to educate employees in the basics of prudent data handling and online behavior. But too often, IT managers do little more than issue a handout with a few guidelines and call it a day. Doing so enables them to check the box that they’ve done something, knowing that the effort will ultimately fail at some point. And can you blame them? They would prefer to spend time and resources on IoT defense or implementing a sophisticated zero-trust cyber security strategy. Employee training lacks sizzle.

But the fact is, the bad guys are coming up with new threats that target employees all the time. CEO scams are a prime example. The bad actors pretend to be the CEO, sending an email to a high-level employee such as a corporate financial officer asking for money to be transferred to a seemingly legitimate destination. Instead, the money goes to the fraudsters. A textbook case was reported in early 2019 in the UK. An employee of a Scottish publisher transferred almost £200,000 to a fraudulent account as requested by scammers pretending to be her boss. Peebles’ bank refunded more than £85,000, but the company is suing the employee for the difference of £107,984. The employee’s defense is that she had no training on how to spot email scams.

With such threats emerging, you can and should do more to prepare your workforce. Think of it this way: Your organization’s employees could be the first line of defense, not the weakest link. There are three basic requirements for a strong security awareness program:

  • Engaging. There is no substitute for effective communication. Sending out a printout or an email is not enough. Videos play a vital role, but videos must be high-quality to attract and hold employees’ attention. They must be topical, concise, and memorable.
  • Measurable. Are people viewing the videos? Are they retaining the information? A brief before-and-after viewer quiz can answer those questions. Quiz results let you know who is keeping up to date and who is not – and let the employees themselves know how they are doing.
  • Evolving. Because new threats are emerging all the time, security awareness information must be refreshed regularly in order to remain relevant. Just as cyber security defense strategies must continually adapt, security awareness training is never finished.

Security Awareness Services

Symantec’s Security Awareness Services (SAS) delivers comprehensive security awareness training in a multifaceted offering consisting of more than 70 training videos and ongoing support. Videos cover everything from how to create strong passwords, to best practices for working remotely, and of course, how to avoid falling victim to the latest phishing and spear-phishing attacks. The production values of SAS videos are high. Skilled presenters deliver concise information clearly and engagingly. Some “scary” videos inject humor into a serious subject – the better to create an impression on the viewer. New videos are being added all the time as existing threats evolve and new threats emerge. In addition:

  • SAS web-based training is compliant with the Sharable Content Object Reference Model (SCORM). SCORM-compliant content is created once and can be shared and reused multiple times in different contexts without modification.
  • SAS includes a quiz for each video to take the pulse of user security awareness, pointing out where user knowledge is high or where more work is needed.
  • SAS includes newsletters, printable posters and email reminders for internal communication campaigns.

Security awareness is far too important to embark on as a halfhearted new-hire ritual. Defending against cyber attacks is a vital and ongoing discipline that’s part of every employee’s job. SAS will help you build a strong security awareness program to transform your organization’s employees from a demoralized rabble waiting to be victimized into an effective army ready to do its part to protect your organization.

About the Author

David M. Lickwar

Sr. Principal Certification Project Manager

David Lickwar project manages the development of the Symantec Security Awareness Service. Prior to his current role within Symantec Education Services, he executed and measured security awareness training programs in the Federal and private sectors.