InfoWorld - Security Adviser: The most important security question to ask users
You have several options for improving corporate security, but user education is a crucial measure, and it all comes down to one point

By Roger A. Grimes
Oct 13, 2015

Most organizations don’t do enough to educate users about computer security. The main purpose of user education programs is to decrease human-factor risk substantially. If they don’t accomplish that, the whole exercise is a waste of resources.

Such programs, if they exist at all, consist of a sort of security orientation program for new employees, with an annual update and refresher course lasting 15 minutes to an hour. Occasionally, you’ll see an in-house security newsletter and/or periodic Web posts that employees might read on a slow workday.

Basically, we’re talking 30 to 90 minutes (on the high end) of security education for the entire year. Many companies have nothing -- at least nothing formal.

This lack of commitment is strange, considering the overall effectiveness of user education at stopping employees from doing stupid stuff. In my opinion, doubling, tripling, or even quadrupling security education requirements and budgets should happen immediately in most organizations.

Why? Because the most prevalent, successful threats rely on social engineering, one way or another. That could be a phishing email, a rogue link, or an offer of a free download that pops up on a trusted website. In rare instances, it’s a physical phone call asking for credentials to be reset or for the person to install “needed” diagnostics software to remove malware.

The fastest and cheapest bang for your buck is user education training to counteract those threats. Unfortunately, such programs tend to focus on scenarios users will never face -- or that were prevalent 10 years ago. Certainly, most education programs fail to cover the malicious tactics an organization is fighting at a given time.
