Getting Users Committed to Security: Simple tips to increase user interest and commitment around common threats to their system


Posted on by Jack Danahy

Users are vulnerable to clever malware campaigns and social engineering, making them a common first link in the attack chain. Even in major breaches and ransomware attacks affecting multiple systems or sizable organizations, the entry point is usually created by a single mistake made by some unwitting user. These mistakes are also a meaningful distraction for IT teams: according to a recent survey Barkly conducted, more than 50% of the resulting clean-up requests require immediate IT attention. Everyone knows that user awareness is important, but many companies can't invest time or resources in formal training and testing. For those that can't, or that are looking to do something more, here are some quick tactics to raise user interest and commitment around common threats to their systems:

Keep a Secret

With the volume of public reporting on stolen emails and embarrassing disclosures, users know that some breaches can result in very uncomfortable situations. Help them to also understand the responsibility they hold for secrets that others have shared with them. New forms of ransomware, like Jigsaw and Chimera, add the threat of public disclosure to the usual loss of data; thus, users should be made aware that private files, messages and images sent to them, as well as customer, partner, and coworker information, may be exposed if they allow themselves to be duped.

Keep it Real

Not every organization provides all the commercial software that every user may want, and not every user is willing to pay for all the software they need. As a result, there is a large and growing supply of pirated and counterfeit software in use. Beyond the obvious licensing violations involved, this stolen or counterfeit code also introduces significant security risk. In a 2014 forecast of enterprise losses from malware in counterfeit software, Microsoft estimated that "Enterprises will spend $127B in dealing with security issues because of malware associated with pirated software" and that, worldwide, 27% of users installed their own software on their company computers. Make sure you share this information with your users. Installing unvetted software may or may not be against company policy, but having that activity exposed because of a spreading malware infection will always be a problem.

Keep Up to Date and on Guard

Plenty of malware infections happen without any misbehavior on the part of the user victim. Drive-by downloads can be triggered by innocuous links to legitimate sites, and malvertising campaigns can be delivered through authentic ad networks. In March, mainstream content provider sites like the New York Times, the BBC, and the NFL were all turned into unwilling malware distributors when the advertisement networks they hosted served up ads that redirected user browsers to exploit kit sites. To help your users avoid these threats, explain these attacks and how they work. Since this malware relies heavily on exploiting application vulnerabilities, you can use the opportunity to reaffirm the need for staying up to date on software versions, and to give users specific direction on what to do if they are ever hit.

For you? Keep it Simple.

Users need to understand how important they are in protecting their own privacy and the stability and privacy of their customers and employers. A recent survey we conducted found that more than 30% of respondents believed "Users will click on anything that has a hyperlink, like rats in a Skinner box," but that can change. Let them know that any of these attacks can have a range of dangerous effects, from public disclosure, to disruption of service, to outright destruction of critical data and systems, and that small efforts on their part can prevent large embarrassments and damage later. They are responsible for more than simple data privacy; they are at the center of the organization's defense.


Contributors
Jack Danahy

Co-Founder and CTO, Barkly


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
