Increasing users’ security awareness can be one of IT’s most difficult jobs. But here’s one technique that might help, even with stubborn users.
Even with all the technical controls IT puts in place, a company’s data is only as secure as the people who have access to it, making security awareness a critical piece of IT’s security plan.
That’s especially the case as criminals are developing new targeted security attacks against businesses and using social engineering to trick users into handing over information even if it’s protected by a firewall. Those new hacking techniques have made people the weakest link in IT security, according to a recent article in the Washington Post.
But the problem is that users don’t often pay attention to security training presentations or educational materials sent out by IT — often because they believe they know too much about security to be tricked. How can IT change that mindset?
One technique recommended in the article and by security experts to raise security awareness: having IT regularly test users by hacking them.
Tips for security awareness testing
The story cites an example of one company that regularly sends phishing emails to its own employees. The messages are designed to look like they’re from outside the company, and include enough red flags that users should be suspicious.
If they click the link in the email, users are directed to a warning that the site they’re trying to visit might be dangerous. And if they click through anyway, they get a message telling them the mistake they’ve made and offering tips on how to avoid doing it again in the future.
That combination of harmlessly tricking users and offering them help can get people to understand that they could be putting the company’s data at risk. Here are some more tips IT can use to increase security awareness, even among stubborn users:
- Include managers and top-level folks in the testing, since they’re often the ones who are targeted by these attacks. Just be careful about offending anyone you shouldn’t offend.
- Keep track of the results of the tests to look for repeat offenders who might need additional security awareness training.
- Watch for other opportunities to raise security awareness — for example, if a user keeps an email password written down at his desk, IT can use it to send an email from his account containing a warning about password security.
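One way to record the two-stage test described above (warning page, then the educational message) and to track results for repeat offenders, added here as an illustrative example and not code from the article or any vendor tool; the campaign names, user names and actions are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events from internal phishing-awareness campaigns
# (hypothetical data, not from the article). Each record is
# (campaign_id, user, action), where action is one of:
#   "reported"        user flagged the message to IT (the desired outcome)
#   "clicked_link"    user clicked and reached the interstitial warning page
#   "clicked_through" user ignored the warning and continued anyway
SAMPLE_EVENTS = [
    ("2023-Q1", "alice", "reported"),
    ("2023-Q1", "bob", "clicked_link"),
    ("2023-Q1", "bob", "clicked_through"),
    ("2023-Q1", "carol", "clicked_link"),
    ("2023-Q1", "dave", "clicked_link"),
    ("2023-Q1", "dave", "clicked_through"),
    ("2023-Q2", "alice", "clicked_link"),
    ("2023-Q2", "bob", "clicked_link"),
    ("2023-Q2", "bob", "clicked_through"),
    ("2023-Q2", "carol", "reported"),
    ("2023-Q2", "dave", "reported"),
]

WARNING_PAGE = "Warning: the site you are about to visit may be dangerous."
TRAINING_PAGE = ("This was a simulated phishing test run by IT. "
                 "Tips: check the sender, hover over links, report suspicious mail.")

def landing_page(action):
    """Return what the user sees at each stage of the simulated link."""
    if action == "clicked_link":
        return WARNING_PAGE          # interstitial; nothing harmful happens here
    if action == "clicked_through":
        return TRAINING_PAGE         # the teachable moment described in the article
    return None                      # reporting the mail never leaves the inbox

def summarize(events):
    """Per user: number of distinct campaigns clicked through and reported."""
    per_user = defaultdict(lambda: {"clicked_through": set(), "reported": set()})
    for campaign, user, action in events:
        if action in ("clicked_through", "reported"):
            per_user[user][action].add(campaign)
    return {u: {k: len(v) for k, v in d.items()} for u, d in per_user.items()}

def repeat_offenders(events, threshold=2):
    """Users who clicked through the warning in at least `threshold` campaigns."""
    stats = summarize(events)
    return sorted(u for u, s in stats.items() if s["clicked_through"] >= threshold)

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("needs extra training:", repeat_offenders(SAMPLE_EVENTS))
```

Counting distinct campaigns rather than raw clicks keeps one noisy campaign from inflating a user's score, so the repeat-offender list reflects a pattern over time.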