When weighing up the biggest security hazards to an organization, it may come as a surprise to discover that the End User within the organization is often the first to compromise security. Through no fault of their own, and mainly due to a lack of awareness, employees frequently open the virtual gates to attackers.
The End User is the person who uses the software or hardware after it has been fully developed, marketed, and installed. It is also the person who keeps calling the "IT guy" with questions about why the product isn't working correctly.
With the rise in cybercrime as well as the increase in the consumerization of IT and BYOD, it is more important than ever to fully educate employees about security attacks and protection. Although BYOD has given them an increased level of flexibility, it has also given the end user even more potential to cause security breaches.
Bring your own device (BYOD) refers to employees who bring their own computing devices - such as smartphones, laptops and tablet PCs - to work with them and use them in addition to or instead of company-supplied devices. The prevalence of BYOD is growing as people increasingly own their own high-end mobile computing devices and become more attached to a particular type of device or mobile operating system. BYOD means users must be aware of the risks and responsible for their own ongoing security, as well as the business's.
Threat actors actively target end users as a primary route to compromise. Some criminals target the end user directly, for example to conduct financial fraud; others leverage the user to gain access to the organization's IT infrastructure. It is important to note that threat actors can target end users on their home networks and mobile devices, and those users will then unwittingly bring the "infection" inside the organization.
Increasingly these days, the criminals use a technique called spear phishing: an attacker sends a highly targeted email, often with personal contextual details, that fools the user into clicking a link and, unknown to them, downloading malware. Once this has been downloaded, it provides access to the end user's device, which is used as a launch point to harvest network information and expand control inside the network.
Additionally, spear phishing can be used to fake a page the targeted end user is familiar with, such as Dropbox, and ask them to log in. The end user will not be able to log in, but in attempting to do so the fake page will record their login credentials.
Due to the detrimental ramifications, it is vital that end users have a full understanding of the most common ways for threat actors to target them. This includes educating employees that they will be targeted, encouraging them to be vigilant at all times, and teaching them what qualifies as sensitive data, how to identify and avoid threats, and the organization's acceptable use and security policies.
It’s also crucial that end users understand their role and responsibilities in maintaining the organization's compliance with relevant regulations, such as PCI DSS for payment card data or HIPAA for health records. In short, educating the work force is critical and is a key requirement of information security standards such as ISO27001.
There are a number of ways that security awareness training can be delivered to end users. The most popular tends to be the e-learning variety, where online courses covering the essentials of security awareness are mandated for all employees.
This would teach the user that they are a target, how to look out for social engineering and phishing, password security, handling of sensitive data, plus any specific compliance-driven requirements. This is good for compliance and building a basic level of awareness, but it might not engage the user as well as it could.
The most effective way the leader of an organization can deliver practical and memorable education is to make it real and physically demonstrate what can be achieved as a result of an attack. Taking employees through a real-life example of someone clicking an email which looks authentic shows what takes place behind the scenes and makes evident the power the attacker acquires. This illustrates precisely what a threat entails in an easy-to-understand and influential manner.
Employees who manage both their work and private lives on one device access secure business information, as well as personal information such as passwords and pictures. Ensuring that they know the right procedures for accessing and protecting business information is crucial. Making it personal and teaching employees how to protect their own data adds value by highlighting how a threat could impact their personal life as well as their employer. Implementing best practice will then become second nature as people adopt the same practices in both their personal and professional lives.
Although end user education will help to reduce the risk of human error, it's impossible to eliminate it completely.
In order to take control and minimize risks, end users should only have access to the information necessary for them to perform their roles. Processes and technology can be put in place to limit and control what information end users can access within a network as well as the actions they can take.
As a final point to consider, the security of an organization relies on education. Begin educating yourself and your employees by implementing quarterly End User Education. For more information on how Killian Consulting can help you:
Sourced from Ben Rossi, author for Information Age.
The Cog Blog is a collection of important articles about the Cogs of your Business. Some of the blogs are written by Killian Consulting, and others can be found throughout the web. Sources have been cited.