Study shows the limits of IT security training

IT security training is a critical layer in any company’s plan to protect data – but new research shows that even highly trained users are susceptible to hackers’ sophisticated new attacks.

As hackers come up with new ways to get around companies’ IT security controls, there has been an explosion of malware that goes completely undetected by standard antivirus programs, according to a recent study from Palo Alto Networks.

Researchers collected data from 1,000 companies that use one of Palo Alto’s firewall products. Over the course of three months, the researchers discovered more than 26,000 pieces of malware present on the companies’ networks that at the time were not identified in any malware database and therefore couldn’t be blocked by conventional antivirus software.

The failure of technical security controls to catch every threat is one reason companies often focus on IT security training to raise users’ awareness. Many attacks originate on users’ machines, so IT security training aims to get those people to recognize and avoid threats.

However, much of the stealth malware discovered by Palo Alto’s research would likely not have been stopped by any user, regardless of how adept they were at avoiding IT security threats. For example, only a small percentage of the malware found came in through email, even though users are frequently warned not to open suspicious attachments because they could be malicious.

The majority (90%) of the undetected malware entered the companies’ networks through web browsing, often via malicious code embedded on legitimate sites. The bottom line: Telling users to avoid suspicious parts of the Internet won’t prevent all attacks. In fact, the biggest share of malware infections comes from third-party content on otherwise benign sites, according to research from Cisco.

Is IT security training effective?

Given how hard it is to actually stop those attacks, what role does IT security training play in protecting companies’ data? Some experts say it should have no place at all and that security awareness training is a waste of time. For example, that was the argument made by Dave Aitel, CEO of security firm Immunity, Inc., in a controversial blog post last year.

However, most security experts stress the importance of a balanced mix of user awareness and diversified technical controls.

What do you think — is IT security training a waste of time? What has your organization done to improve training? Share your opinion and experiences in the comments section below.
