23 min read

And still nothing much done to educate our end-users!

Jul 1, 2018 5:39:05 PM


                                                                                                                                                    Picture by nd3000 | iStock

by Mohamad Ashokaibi

In Cyber Security often humans are the weakest link

It is a well-known fact that lack of security awareness puts businesses at tremendous risk today. We believe that ‘humans’ will always be the weakest link. DriveLock helps you educate your employees about security awareness.


Painful truth

Unaware. Careless. Innocent. Illiterate. Curious. Uninformed. Ignorant. Inconsiderate. Greedy. Naïve. Untrained…

The list of words would go on and on. Words we could use to describe the reason for which an employee did some harmful activity that resulted in a cyberattack. It does not much matter what the cause was because of two key facts; first is that most probably it would be too late to accuse as the damage had already occurred, and second is that we (as IT professionals and information security practitioners) should be blamed for that as well since it was our responsibility to make our end-users well educated. Maybe shocking but absolutely true.

It is a well-known fact that lack of security awareness puts businesses at tremendous risk today. We believe that ‘humans’ will always be the weakest link. This post on InfoSec Institute deeply discusses importance of security awareness but shares some scary statistics:

"50% of Internet users receive at least one phishing email a day. More alarmingly, 97% of the people in the world cannot identify a phishing email and one in 25 actually clicks on such emails."

While this might be the unpleasant reality, we have to act up to minimize the risk as much as we can. Organizations tend to invest big bucks in various types of security solutions and services (we know them all; policies, procedures & guidelines, perimeter security such as firewalls, email, endpoint and application security solutions, OS security, patch management, SIEM, data classification and DLP, and so on). Equally important however is to invest in proper security awareness resources.

Raising security awareness is the top cost-effective security measure


This article by Ira Winkler on CSO Online discusses why we can argue that security awareness training is the top cost-effective security measure. Here is one interesting paragraph:

"While performing a penetration test at one company, the security manager told me I should take a long lunch at a very specific restaurant, and just listen to conversations. I learned of the company's marketing plans for a top product. Going to lunch at dozens of restaurants near the National Security Agency, an organization with extensive security awareness efforts, I can hear nothing of any significance."

Furthermore, we should never forget that many IT regulations require official employee security education. Check out this recent post on HIPAA Journal discussing terrifying findings in a study which:

"Has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve their security posture."

"When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively."

Also the PCI-DSS standard according to PCI Security Standards Council necessitates in Requirement 12.6 to have a formal security awareness program, as follows:

12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

Their guideline when not satisfying the above requirement is:

If personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions.

DriveLock Can Help

Looking into the details of cyberattacks, most of the successful ones included some sort of social engineering which exploits our human nature of having fears, obeying authority, trusting consensus, burning with curiosity, preferring convenience, loving free stuff, and the like. In this article on Infosec Magazine, the writer highlights social engineering as the biggest threat to businesses. In other words, all humans are vulnerable unless they are vigilant and well trained.

All of the above was the reason that DriveLock SE decided to launch the next-gen of their security awareness & education solutions. Smart SecurityAwareness is a solution where you can push your custom awareness content to end-users either at certain points in time (e.g., at 9am daily) or at certain events such as attempting to access unauthorized devices or executing blocked/unknown applications. The solution makes it easy to target specific recipients of awareness campaigns based on time (day, month, etc.), user group, computer group, and network type and location. The type of content can be images, videos, URLs (shown in a mini-browser), text and more. Such content is typically provided by the Information Security team or Human Resources Department.

How employees become your human firewall

Smart SecurityEducation is a solution where you get all the above features, plus ready-made rich education content including simulation tools, on-boarding programs, awareness videos, micro learning, flash cards, knowledge checks, and more. Topics covered are intensive; information security introduction, use of passwords, phishing & malware, social engineering, BYOD, reporting of security incidents, to mention a few.
Both solutions offer extensive auditing and reporting capabilities that can be used to measure effectiveness of material and training provided, and to help meet compliance requirements. Thus greatly minimizing the risk we face everyday, which is the ultimate goal we are all after.

"The concept of the DriveLock solution follows a multi-layer security strategy: Through various security layers such as encryption, application and device control with machine learning, DriveLock effectively secures enterprise IT infrastructures. With our Smart SecurityEducation solution, another important key layer of security comes into play, which strongly focuses on the security awareness of employees." - Martin Mangold, Director Cloud Business, DriveLock SE


Final Words

Bottom line is, a secure and well-protected environment is the one where security is part of its people’s culture. We should stop finger-pointing at wrongdoers and instead raise their awareness before troubles strike. Let’s make it the responsibility of us all. With DriveLock you can transform this process from being complicated, ineffective and irrelevant and make it simple, sustainable and highly precise!

"From our perspective, successful IT security must follow a holistic strategy that keeps an eye on the technical systems and devices as well as the people who work with them." - Anton Kreuzer, CEO, DriveLock SE

Mohamad Ashokaibi
Written by Mohamad Ashokaibi