Annual security awareness training is important, but is it really enough? The acceleration of digital transformation, coupled with remote working environments, has undoubtedly expanded the attack surface of the modern business. So, objectively, I would say no, it is not enough, especially when you consider that most training sessions are not very captivating or engaging. I’m sure we’re all guilty of clicking the ‘play’ button on the training videos and quickly pivoting to other work. When the quiz pops up you do your best to pass it with the minimum score; and if you don’t on the first try, you likely have a number of additional attempts to get through it.
There is certainly value in educating business users on the basics of not falling victim to a phishing campaign, social engineering, or the other tactics that give attackers an initial foothold. But like anything that is performed once a year and then never again, compliance-based security awareness training only moves the needle so much. Gamification techniques will help improve engagement, but their impact is also limited. I think it's also fair to say that most business users do not want to participate in training any more than they currently have to. A simple equation to consider in helping to improve the approach to security training:
It should be more about creating a culture around cybersecurity as opposed to just “checking the box.” Cybersecurity teams are trying to close the gap between the security goals of the company and business enablement without being a burden. Oftentimes employees are fearful of the IT team because they think when they fail security awareness training or phishing campaigns they will "be in trouble" instead of trying to become better educated and learn best practices. Ongoing engagement with business users is a great way to complement your annual security training program.
DoControl’s approach to improved security mindedness through ongoing engagement is pretty simple. At DoControl, we are hyper-focused on protecting cloud-hosted data. When you look at the Software as a Service (SaaS) applications that businesses leverage today, one of their primary objectives is to help drive business enablement. While the provider secures the service itself to some extent (the shared responsibility model in the cloud), securing how the service is consumed falls entirely on the consumer. Business users are people, and people are prone to human error (some groups and domains undoubtedly more than others). So, the logical step here is to wrap controls around the users and the applications they have access to.
So how does it work? For organizations leveraging Slack, Microsoft Teams, or good ole’ fashioned email, business users can be notified of policy violations, or asked to approve a file share where the action presents a higher level of risk. For example, someone from the finance department shares a file in Google Drive with an unapproved external third-party vendor via a Slack channel. In this instance the file contains Personally Identifiable Information (PII) which should not be exposed to this vendor. The Security team has created a data access control policy that will automatically remove the file containing PII from the channel, and then notify the individual actor that it has been removed.
Let’s say that someone on the Marketing team shares a potentially sensitive file with a private email account. Let’s assume that in this example the workflow presents a ‘medium’ risk level, so we want the actor to approve the file share. If the user does not approve it, we can automatically remove the file, or route an approval request to their manager, and if the manager doesn’t approve it then we remove the share. Since this is a medium risk-level action, we might want to wait 30 days and re-engage with this user to potentially revoke access, or re-approve the sharing of the file altogether. All of these notification and remediation steps are fully customizable to strike the appropriate balance of security and business enablement.
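As an added illustration of the two workflows described above (not DoControl code), here is a small policy engine in Python that classifies a share event and returns the notification and remediation actions; the domain lists, the PII/sensitivity flags, and the action names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample policy data (assumptions, not DoControl configuration).
CORPORATE_DOMAIN = "corp.example"
APPROVED_VENDORS = {"approved-vendor.example"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
REVIEW_AFTER_DAYS = 30  # the post re-engages the actor after 30 days

@dataclass
class ShareEvent:
    actor: str          # who shared the file
    department: str     # e.g. "finance", "marketing"
    recipient: str      # e-mail address the file was shared with
    via: str            # "slack", "teams", "email" or "drive"
    contains_pii: bool  # result of a content scan (assumed to exist upstream)
    sensitive: bool     # broader "potentially sensitive" label

def risk_level(ev: ShareEvent) -> str:
    """Classify a share as low/medium/high using the post's two scenarios."""
    domain = ev.recipient.rsplit("@", 1)[-1].lower()
    if domain == CORPORATE_DOMAIN:
        return "low"      # internal sharing is out of scope for these policies
    if ev.contains_pii and domain not in APPROVED_VENDORS:
        return "high"     # PII going to an unapproved external party
    if ev.sensitive and domain in PERSONAL_MAIL_DOMAINS:
        return "medium"   # sensitive data going to a private mailbox
    return "low"

def decide(ev: ShareEvent, actor_approved=None, manager_approved=None,
           today=None) -> dict:
    """Return the actions to take; *_approved stay None until answered."""
    today = today or date.today()
    level = risk_level(ev)
    if level == "high":   # remove immediately, then tell the actor why
        return {"risk": level, "actions": ["remove_share", "notify_actor"]}
    if level == "low":
        return {"risk": level, "actions": ["allow"]}
    # medium: ask the actor, escalate to the manager, remove if both decline
    if actor_approved is None:
        return {"risk": level, "actions": ["request_actor_approval"]}
    if actor_approved is False and manager_approved is None:
        return {"risk": level, "actions": ["request_manager_approval"]}
    if actor_approved or manager_approved:
        return {"risk": level, "actions": ["allow"],
                "review_on": today + timedelta(days=REVIEW_AFTER_DAYS)}
    return {"risk": level, "actions": ["remove_share"]}
```

Calling `decide` again once the actor or manager has answered walks the medium-risk share through the approval, escalation and 30-day review steps the post describes.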
By engaging with business users in an ongoing fashion, you will inherently improve the security mindedness of the individual, making them more aware of their file sharing practices. One thing to consider carefully here is that those business users must not get flooded with approval notifications. There needs to be a balance between enabling business users to do their jobs and making them jump through security hoops; otherwise they will always look to bypass security as a means to make their day-to-day activities easier. DoControl partners with organizations pursuing a cloud-first strategy, so that they can drive their business forward in a secure way. Request a solution demonstration and let us show you the value of our No-Code SaaS Security Platform today.