10 Security Training Imperatives — Because Tools Alone Can't Protect You

Regular training for all end users is just as important as top-notch security products.

October 10, 2017


By Gabe Gambill, VP of Product, Technical Operations, Quorum

Here’s what people get right about security breaches: They’re rampant, cleverly executed and destructive. IT leaders know that cyber criminals are skilled enough to steal their companies’ sensitive data and tarnish their brand reputations.

Now here’s what people get wrong about security breaches: That safety lies in network security and a fortress of monitoring and detection tools.

Don’t get me wrong — prevention tools are useful and needed, but more spending doesn’t equal better security. An intelligent security program involves both technology and people. The uncomfortable fact is that your customers’ greatest threat isn’t always outside the company; sometimes it’s their own workforce that brings about a security disaster through human error, gullibility or simple lack of training. A recent CompTIA report shows the primary cause of breaches is typically human error (58 percent) versus technology error (42 percent).

Complexity and Con Artists: Educating The Team

Workers are busy and distracted. As they’re multi-tasking, they can easily click on a suspicious link, fall for a phishing email or download an unapproved app. And in that one mistake, an entire organization can plunge into a ransomware nightmare or CEO fraud that costs millions. This doesn’t mean employees are gullible — it means that criminals are sophisticated. Spoofed email addresses can persuasively imitate a real leader’s. Requests for information can indicate a level of inside knowledge about the company. The only way to fortify against this kind of mistake is a good training program. And, these programs are an excellent managed security services offering for partners.

Another factor increasing the odds of employee mistakes: complexity. For each customer, ask: How high is your tech stack? How many different solutions do employees need to master, and how do those solutions impact one another? How many security policies and controls are in place?

A few instructions here and there usually won’t cut it. Let’s say a company has a strict wire transfer policy requiring multiple authorizations, mandatory delays and a carefully designated multi-step process, all aimed at stopping fraudulent requests for financial transfers, which are increasing. Those are wise strategies, but if a new executive assistant receives a fake request from a CFO and isn’t trained on those policies, the transfer could go through anyhow.

The amount of training investment is a measure of security strength. So here are 10 ways you can tighten up the security gaps in your workforce and help customers do the same:

1. Emphasize the personal value of security training. The business value of security is clear. Now, make sure employees see training as more than a boring obligation. Criminals use many of the same methods for business and personal PC attacks, which means training can save employees from stolen photos or identity theft. By emphasizing the personal stakes, you can motivate staff to be attentive and committed.

2. Eliminate basic process errors. Teammates sharing passwords, administrators failing to delete former employee privileges, and employees using unsecured personal devices for company data are more common than we want to admit. The more of these bad habits you can banish, the safer you’ll be.

3. Remember to include third-party contractors, vendors and even customers. Think beyond your employees. Who has the power to let a criminal into your network? Any users who could open a door to a malicious actor need some level of security training.

4. Get other teams involved. To implement an effective security training program, you might need HR’s endorsement or the marketing team’s promotion. See if you can promote tips in the employee newsletter or put up break-room posters of typical spam emails. Maybe you can get budget for a lunch and learn. The idea is to foster a culture of security.

5. Let employees learn from their own mistakes. New training programs can simulate phishing attacks and other scams to see how many staff members fall for them. We’ve all heard of people inserting random USB keys they found on the ground. Just take steps to keep it positive so employees don’t feel they’ve been duped by their own company.

6. Provide real examples of crime. Your team will benefit from seeing actual fake PayPal emails, spoofed domains, CEO fraud requests and attachments carrying malware. Point out red flags like grammatical errors and small changes in the company design or language; expedited turnaround requests are another alarm, since attackers will want employees to quickly comply with their requests before checking with someone else.

7. Identify and train high-risk targets. Executive assistants, senior leaders and financial and HR teams can all be attractive to criminals looking to scam an inside employee. Just a few minutes on LinkedIn can show who has the power to share sensitive data or transfer electronic funds. Train them and the people they work with to recognize possible impostors and suspicious requests.

8. Rehearse and confirm your disaster-recovery plan. If an employee does open the door to an attacker, your recovery speed will determine how bad the damage gets — and if you need to pay off ransomware attackers. Test everyone to see if they understand their roles and responsibilities. Also check if the team is backing up your servers properly and saving isolated copies. If your backups aren’t being created, tested and protected correctly, you won’t be able to recover quickly.

9. Ensure the IT team has mastered basic security controls. These range from simple email filters and permission levels to using tools for two-factor authentication, IP white lists and blacklists, and monitoring logs. Often leaders will invest in the right tools but the teams won’t use them; some of the biggest breaches in history resulted from employees failing to follow up on anomaly alerts, for instance.

10. Train staff how to staunch an attack. Damage control is everything after an attack. Find out if your team understands how to close down the attack vector, kill malware and recover hacked apps and accounts. If not, train them. If you don’t have the bench for that kind of cleanup and control – and many don’t, though there are ways around the skills shortage – find outside security specialists who can step in if you or a customer need help.

Gabe Gambill is vice president of product and technical operations at Quorum and is responsible for product direction and road map for Quorum, including the Quorum cloud and technical infrastructure. He has more than 20 years of experience in full IT and disaster recovery services for global organizations. At Quorum, Gabe has led several roles from operations, to manufacturing, and technical support, and was instrumental in opening operations in the U.K., Europe, and the rest of the world.
