Your employees are not the weakest link. They are the primary attack vector. Most organizations continue to place more trust in technology-based solutions than in training their employees to be more aware of the threat landscape and able to recognize the red flags associated with a cyber-attack. Organizations tend to see their employees as liabilities rather than as assets who, when security awareness training is done appropriately, can be part of a more robust solution to many problems.
There is a right way and a wrong way to train employees on security awareness. The wrong way approaches training as a once-a-year or semi-annual exercise in which employees are gathered in the break room with snacks and subjected to a long, or sometimes too-brief, PowerPoint presentation. This method treats employees as a passive audience and inadequately engages them. Done wrong, security awareness training feels more like punishment than an opportunity to teach and inspire employees to be active contributors to their organization’s safety and well-being.
Interactive computer-based training (CBT) is a central component of a comprehensive security awareness program. CBT can illustrate compelling stories and put the trainee in the position of someone who has been targeted. These exercises also teach employees to carefully check all the details in an email for telltale signs of potentially malicious content: a “From” address with a misspelling, a hyperlink that, when you hover the cursor over it, reveals the actual URL you would be taken to (one that will infect your computer), and the suggestion of adverse consequences unless an action is taken quickly, before the email’s veracity can be confirmed.
Learning that dangerous emails often appear to come from reputable organizations or from someone you know and trust within your organization drives home the lesson: think before you click. Making security awareness training interactive ensures it takes deeper root in an employee’s mind.
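To make the three red flags above concrete, here is an added example (not from the whitepaper or KnowBe4) that checks a raw email for a lookalike sender domain, a hyperlink whose visible text names a different host than its real destination, and urgency language. The trusted domain, the urgency phrases and the sample message are all constructed assumptions for the demonstration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organization's own mail domain
URGENCY = re.compile(r"\b(immediately|within 24 hours|will be (suspended|closed|locked))\b", re.I)

class LinkCollector(HTMLParser):  # collects (visible anchor text, href) pairs from HTML
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None
def host_of(text):  # hostname of a URL or bare domain; None if the text is not URL-like
    if not re.fullmatch(r"\S+\.\S+", text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname
def red_flags(raw):
    """Return the red flags (list of strings) found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    domain = utils.parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    body, flags = msg.get_content(), []
    # Red flag 1: the sender domain is a near-miss of a trusted one ("examp1e" for "example").
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            flags.append(f"from-lookalike:{domain}")
    # Red flag 2: the visible link text names one host, the real href points at another.
    collector = LinkCollector(); collector.feed(body)
    for text, href in collector.links:
        if host_of(text) and host_of(text) != urlparse(href).hostname:
            flags.append(f"link-mismatch:{urlparse(href).hostname}")
    # Red flag 3: pressure to act before the message can be verified.
    if URGENCY.search(body):
        flags.append("urgency")
    return flags

# Constructed sample message (not a real phish): lookalike sender, mismatched link, urgency.
SAMPLE = ('From: "Example Corp IT Support" <it-support@examp1e-corp.com>\nTo: alice@example-corp.com\n'
          "Subject: Password expiring\nContent-Type: text/html\n\n<p>Your password expires immediately. "
          'Reset it here: <a href="http://login.examp1e-corp.co/reset">https://login.example-corp.com/reset</a></p>\n')
```

Running `red_flags(SAMPLE)` reports all three flags; a clean internal message with a plain-text link label reports none.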
The central goal of security awareness education is to modify an employee’s behavior, so he or she doesn’t fall for social engineering — the art of manipulating, influencing or deceiving somebody into taking an action that isn’t in his or her own or the organization’s best interests. Empower your users with the information they need to become your organization’s last layer of defense.
Ref. KnowBe4 Whitepaper “How to Fortify Your Organization’s Last Layer of Security – Your Employees”