Organizations consistently struggle with the need to maintain a well-trained, well-informed workforce but relegate that need to online Computer Based Trainings (CBTs) that produce little real behavioral change. Yes, CBTs can reinforce organizational items, but how effective are they if the material being presented is “boring” or simply requires pushing a play button?
A recent paper from Cornell University identifies that proper security training in a workforce suffers from a lack of engagement or of appropriate materials and information. This usually stems from not understanding the workforce, or from failing to relate the cautionary information to their role in the organization. The use of cookie-cutter, generic presentations results in training that may provide a checkbox for compliance but provides little assurance of behavioral change.
Alarmingly, in most organizations, the same training is presented to all workforce members regardless of their function or role. This allows workforce members to believe certain aspects of the training do not pertain to them and to mentally “check out” for large segments of the information being presented. For example, most information security training speaks to the need to ensure unauthorized devices are not plugged into organizational assets, which is a valid concern. However, the training often does not identify what constitutes an “unauthorized device”, nor does it identify how a particular user can prevent this from happening.
Posit this: your organization has bring your own device (BYOD) policies that allow access to organizational information from a workforce member’s smartphone or tablet. With the BYOD policy in place, the workforce member may believe the policy authorizes their device to be connected. However, there is a large difference between allowing access to email, for instance, and connecting a smartphone via USB to an organizational system. The former limits the access of the device and, when used in conjunction with mobile device management (MDM) protections, can limit the footprint of BYOD. In the latter, however, USB connectivity often allows full access to the data on the BYOD item and on the system it is connecting to. If the BYOD item has unknown malware installed, that malware has now been given access to the network through what is believed to be an authorized device.
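Training closes the gap in understanding, but a defender will also want a technical check for the USB case above. The following is an added example, not part of the original post: it scans Windows Security event 6416 (“A new external device was recognized by the system”) entries and flags device arrivals whose class can move data, such as a smartphone (WPD) or USB storage, while ignoring keyboards and mice. The log lines are constructed in a simplified key=value form, and the set of “data-capable” class names is an assumption to be tuned to the environment.

```python
# Added example (not from the original post): flag Windows Security event 6416
# device arrivals whose device class indicates a smartphone/tablet (WPD) or USB
# storage, the BYOD-over-USB case described above. Lines are constructed here in
# a simplified key=value form; real 6416 events are multi-line text and would
# need the same fields extracted first.
import re

# Assumed set of classes that mean "the device can carry files", not just input.
# Class names vary by driver; tune this list to what your hosts actually log.
DATA_CAPABLE_CLASSES = {"WPD", "USBSTOR", "DiskDrive"}

# Constructed sample events: one phone, one USB stick, and benign input devices.
CONSTRUCTED_EVENTS = [
    'EventID=6416 Host=WS-FIN-07 Subject=jdoe ClassName=Keyboard DeviceName="USB Keyboard"',
    'EventID=6416 Host=WS-FIN-07 Subject=jdoe ClassName=WPD DeviceName="SAMSUNG_Android"',
    'EventID=6416 Host=WS-HR-02 Subject=asmith ClassName=USBSTOR DeviceName="Kingston DataTraveler"',
    'EventID=4624 Host=WS-HR-02 Subject=asmith LogonType=2',
    'EventID=6416 Host=WS-HR-02 Subject=asmith ClassName=HIDClass DeviceName="USB Mouse"',
]

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one constructed key=value line into a dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def is_data_capable_device(event: dict) -> bool:
    """True for a 6416 device arrival whose class can carry files off the host."""
    return event.get("EventID") == "6416" and event.get("ClassName") in DATA_CAPABLE_CLASSES


def find_byod_connections(lines: list) -> list:
    """Return one alert per data-capable device arrival, keyed for follow-up."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_data_capable_device(ev):
            alerts.append({"host": ev["Host"], "user": ev["Subject"],
                           "class": ev["ClassName"], "device": ev["DeviceName"]})
    return alerts


if __name__ == "__main__":
    for a in find_byod_connections(CONSTRUCTED_EVENTS):
        print(f"{a['host']}: {a['user']} connected {a['class']} device {a['device']!r}")
```

An alert like this is a prompt for the role-based conversation described below (why was the phone plugged in?), not a disciplinary record.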
What Can You Do?
These types of insider threats, while not intentionally malicious, illustrate how proper training can mitigate the risk to your network. While generalized online training will always be a necessity, include role-based items such as the below that speak to your workforce, not simply at them:
- Address the common reasons workforce members plug in devices, such as downloading pictures, playing music, or charging their device
- Identify how activities performed in their personal life with the BYOD item may compromise organizational security
- Use real-world examples to reinforce information security needs instead of purely hypothetical items
- Build interactivity into presentations
- Provide incentives to reinforce behaviors that reflect the topics presented
Ultimately, there is no way to prevent insider threats 100%. However, by understanding workforce education more thoroughly, training will not simply be a compliance item but rather an assurance process.