Human Risk and the Impact of Security Awareness Training

By Eric Noonan • May 2, 2016

Many of us travel for work, and as such, we must connect to a number of untrusted networks in order to stay on top of things. These public networks, while seemingly non-threatening, can be a hostile environment with malicious users seeking to extract any sensitive data they can, such as credit card information, personal information, and passwords. Some may say that this is unlikely and that if there were a malicious user on a public network, they would be protected by the use of encrypted services. However, I would argue that this is not the case at all. Often an adversary will use “passive” monitoring techniques to intercept data being sent over the network. This can be accomplished with any packet sniffing tool but only allows an attacker to see traffic that is “in the clear,” i.e. unencrypted. If an attacker intends to intercept data transported via TLS, SSL, or HTTPS, or from encrypted services like Gmail, Slack, or Dropbox, they need a way to subvert the in-transit data protection mechanisms.

One of the most common methods an attacker can utilize to defeat transport encryption is a Man-in-the-Middle (MIM) attack. At a high level, an attacker sits between a target user and the secure service they are communicating with, breaks the established secure connection between the user and the service, and forces the service's responses back to the victim over an unencrypted clear-text connection – data that can then be easily captured by the attacker. This all happens in the background, almost seamlessly from the user's point of view. In such an attack, the only noticeable difference is likely to be “http” instead of “https” in the browser's address bar or a missing lock icon, which is likely not enough of a warning to alert the user to what is happening unless they have been trained to recognize such an event.
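As an added example (not part of the original post), here is a Python check of the server-side defence against the downgrade just described: whether an HTTPS response carries a Strict-Transport-Security (HSTS) policy strong enough that a browser will refuse plain http on later visits. The header values and the example.test hostname are constructed for illustration.

```python
"""Assess how exposed a site is to the HTTP downgrade form of the
man-in-the-middle attack by inspecting its HTTPS response headers.
All sample headers below are constructed, not captured from a real site."""
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the commonly recommended minimum


def parse_hsts(headers):
    """Return (max_age, include_subdomains) or None if HSTS is absent.
    Header names are matched case-insensitively, as HTTP requires."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        max_age, include_sub = None, False
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            key, val = key.lower(), val.strip().strip('"')
            if key == "max-age" and val.isdigit():
                max_age = int(val)
            elif key == "includesubdomains":
                include_sub = True
        if max_age is not None:  # max-age is mandatory for a valid policy
            return max_age, include_sub
    return None


def downgrade_findings(landing_url, headers):
    """List weaknesses that would let a stripping proxy keep the victim
    on plain http after the first visit. Empty list means no finding."""
    findings = []
    if urlsplit(landing_url).scheme != "https":
        findings.append("landing page served over http")
    hsts = parse_hsts(headers)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, include_sub = hsts
        if max_age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below one year")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    return findings


# Constructed sample responses for a hypothetical example.test site.
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
STRONG = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for url, hdrs in [("https://example.test/", WEAK), ("http://example.test/", {}),
                      ("https://example.test/", STRONG)]:
        print(url, downgrade_findings(url, hdrs) or "OK")
```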

If users do not understand the basic attacks that can deceive them into letting attackers through the front door, a compromise is bound to happen, and this remains a legitimate concern for their organization. Human risk is difficult to mitigate, even though it is one of the easiest and most common weaknesses for an attacker to exploit. Organizations are realizing this and rethinking how they provide security awareness training to their employees. Security awareness has long been a compliance-based necessity, but more and more organizations are reaching beyond compliance and trying to achieve best-practice standards.

Educating your employees on common cyber threats like SSL spoofing, phishing attacks, and social engineering can reduce your organization’s human risk level. According to Forbes magazine, in 2015, companies spent $1 billion annually on security awareness training in attempts to reduce human risk. When combined with testing procedures to collect relevant metrics, a security awareness program can have very real, tangible effects on your organization’s overall risk. However, building out an effective, mature security awareness program is not a small undertaking. Understanding what training to provide to particular employees, and how to then test them to ensure they are able to apply the information, can be difficult and time-consuming. As organizations begin to recognize the value in addressing human risk, the need to implement security awareness capabilities programmatically and strategically becomes ever more pressing. Approximately 70% of cyber attacks use a combination of phishing and hacking techniques; as technical security improves and defenses harden, end users are proving to be the easier targets for attackers.

If your organization is struggling with controlling human risk and implementing an effective security awareness program to do so, CyberSheath can assist you in constructing a program to train your employees on a variety of security topics in order to enable a broad security mindset, and address behavioral risks as they relate to security and ultimately reduce the number of security events due to human risk. We provide services that assist clients in building and maintaining security awareness programs that not only meet compliance requirements but go above and beyond to impact an organization’s human risk level through effective policy/program design, implementation and a proven metrics framework.
