Too often, the human factor is overlooked in IT security for business. Yet the user behind the screen is in a front-line position, well placed to effectively shield the system from IT risk, provided, of course, that they are aware of the issues and have received the necessary training.
"Most IT problems are located between the keyboard and the chair." Behind this well-known quip by German philosopher Klaus Klages is the everyday reality facing IT managers and CISOs: end users and poor practices are often the weakest link in the IT security chain.
It's easy for users to infect their computers, whether by viewing suspicious websites, opening malicious attachments or using corrupted software. These events bring a host of problems in their wake, including data theft, ransom demands or spying via a webcam or microphone. According to "The Global State of Information Security® Survey 2017" by PwC, almost one French business in three (32.2%) believes that its employees accidentally caused a number of cyber attacks in 2016. "It's true that the easiest way to hack into an IT system is to use the IT resources of an ordinary user. An employee who isn't aware of the risks or has not been trained to use best practices is the ideal Trojan horse," says Matthieu Bonenfant, Chief Marketing Officer at Stormshield.
Making people part of an IT security strategy
Making employees more aware of cybersecurity issues is not only necessary but a matter of urgency. "A well-informed user is already able to avoid a significant number of risks," points out Matthieu Bonenfant. This is all the more true because the threat rarely comes from employees who are truly ill-intentioned; it is more often the result of carelessness or bad luck.
However, according to the white paper by IDC/Splunk published in June 2016, only 12% of businesses interviewed identified employee-linked IT threats as their main concern, as opposed to external attacks. Moreover, fewer than half of respondents (41%) had already set up a CERT (Computer Emergency Response Team) dedicated to incident response.
Although particularly vulnerable target groups (executives, managers, IT staff, managerial assistants and financial officers) clearly take priority in terms of efforts to raise awareness, every single member of staff must be trained in business IT security.
Methods for raising employee awareness of cybersecurity
A number of training methods exist to help employees adopt good practices in IT security:
- IT charter, to formally set out and share good practices,
- e-learning sessions, for employees to follow training at their own pace,
- group training sessions, for feedback and emulation,
- participative fun activities, such as quizzes, social engineering hacking tests, or serious games,
- live-hacking sessions, reproducing an attack.
Whatever the format adopted by the company in raising awareness, a number of basic rules must always be respected:
- provide encouragement and support through senior management,
- include practical content linked to real user habits,
- limit content to a few important issues, selecting those most pertinent to the business environment, but cover them in depth,
- make training available to all employees and not just a few,
- check acquired knowledge after training,
- organise regular refresher courses in response to fast-changing threats.
As Matthieu Bonenfant says, "efforts to raise awareness are part of a multilayer security policy, with end users as the top layer. Users should never be perceived as a problem but as one of the levers of security." This important nuance should be passed on to employees, in order to encourage a greater sense of responsibility.