Your Security Posture is Only as Good as Your Security Awareness

Posted on by Tony Bradley

Everyone knows they’re not supposed to open file attachments or click on links in unsolicited emails, right? At this stage in the game after all those headlines, it’s tempting to assume everyone has gotten the memo. Everyone exercises a healthy dose of cautious skepticism when online. Wrong.

The average user is definitely better educated about security risks and potential threats than he or she was a few years ago, but attackers are agile and prolific. Innovative new exploits and attack vectors emerge all the time and it’s unreasonable to expect users to be invested enough to stay on top of emerging threats on their own or savvy enough to detect and avoid potential attacks.

Spread the Word
Security is a culture—a way of life. It isn’t a tool you can deploy. It isn’t a point in time. You don’t just deploy some software and conduct a user training session to check off some boxes and then you’re done. The cyber criminals aren’t going to stop coming up with new exploits and attacks so you don’t get to stop actively protecting your network and endpoints. That means you have to keep up with security awareness for users, too.

Even users who’ve been taught and understand security best practices are not always on guard. They have their own lives and jobs to worry about, and keeping up with the latest security concerns is simply not on their radar. That’s why it’s imperative that you continuously spread the word.

Some spam or phishing attacks are so poorly constructed that anyone with an IQ higher than a donut should be able to recognize that they’re not legitimate. There are some attacks, however, that are much more sophisticated and extremely convincing. Even some that aren’t completely convincing are still good enough to catch someone off guard. And the attacker just needs one person to have an off day.

If you’re one of the first organizations in the world to be targeted by a more sophisticated phishing or spear-phishing attack, there may not be much you can tell users beforehand. But if you know about ongoing campaigns, simply informing your users what those attacks look like goes a long way toward defending your network. Attacks generally have identifiable elements, or indicators, that you can share with your users so they know what to watch out for.

For example, phishing attacks and ransomware exploits typically use specific wording as bait to trick unsuspecting users. The trick to ensuring your organization isn’t crippled by such an attack is to make sure your users are not “unsuspecting”. Communicate with your users to let them know what the current or emerging threats look like so they’re prepared to recognize and avoid those threats.

Be Realistic
Sure, it would be nice if every user could just remember and apply security best practices in every instance. It would be great if all of your users had enough security savvy and common sense to avoid new threats without needing to have their hands held. Unfortunately, that just isn’t a realistic expectation in the real world.

Make sure that the threats your users are most likely to encounter today are fresh in their minds so they’ll recognize them more easily and think twice about clicking on links or opening file attachments. If you communicate consistently with users to keep them informed about emerging threats and techniques, you will have a significantly better security posture.
