We live and operate in a world linked by electronic equipment, services, systems and software, and for the vast majority of the time they work pretty well; we can say without a doubt that they do not make mistakes. Occasionally systems may malfunction, but that is generally down to an error in the way they were programmed or configured by a human.
So it is with the cyber security threat landscape: security devices such as firewalls, anti-malware and email filtering work pretty solidly in protecting organisations. The vast majority of breaches start with an initial foothold gained by manipulating your users, a technique also known as social engineering.
So what should you do?
When it comes to reducing the risk posed by user behaviour and social engineering, there is no single solution. Good logical controls, security practices and policies can reduce the impact of a user or device being compromised.
The final layer of protection is prevention through education: using information security awareness training to empower your users to spot suspicious behaviour and attempts to manipulate them.
Where to begin with information security awareness training?
There are a few key considerations when providing training to your users, including:
- The delivery method, such as in a classroom or via an online course.
- The frequency of training, such as monthly, weekly or annually.
- Assessment and testing methods, such as penetration testing, exams or phishing simulations.