By Chris Hill
October is National Cybersecurity Awareness month, so I have a question: When was the last time you changed your password?
Typically, users will not change their passwords unless password policies are enforced. Not only that, but nearly three-quarters of users use the same password on multiple sites both at work and on personal accounts.
Passwords are often hard to remember, so the human tendency is to pick easy ones and reuse them. One alternative to consider is a Passphrase. NIST explains a Passphrase as follows:
- A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage but is generally longer for added security.
- An example of a Passphrase would be “ColdPizzaisgreatforBreakfast” or “Iprefermycoffeewithcreamer”.
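To make the “longer for added security” point concrete, here is an added example (not from this post or from NIST) that checks a memorized secret the way NIST SP 800-63B recommends: a minimum length, a generous maximum, and a lookup against a blocklist of commonly used secrets, with no composition rules. It also compares the guessing space of a randomly chosen multi-word passphrase against a short random character password. The blocklist, dictionary size and alphabet size below are assumptions chosen for illustration.

```python
import math

# Constructed, tiny blocklist for illustration only. A real verifier would
# check against a large corpus of breached or commonly used secrets.
COMMON_SECRETS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8   # NIST SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64  # NIST SP 800-63B: verifiers should accept at least 64 characters


def check_memorized_secret(secret: str) -> list:
    """Return a list of policy violations; an empty list means acceptable.

    Deliberately no 'must contain a digit/symbol' rules: NIST advises against
    composition rules because they push users toward predictable patterns.
    """
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if secret.lower() in COMMON_SECRETS:
        problems.append("appears on the blocklist of commonly used secrets")
    return problems


def passphrase_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Guessing-space estimate, in bits, for a passphrase of words drawn
    uniformly at random from a dictionary (7776 = a Diceware-style word list,
    an assumed figure). Human-chosen phrases are not uniform, so for a phrase
    like the ones quoted above this is an upper bound, not a measurement."""
    return word_count * math.log2(dictionary_size)


def password_bits(length: int, alphabet_size: int = 94) -> float:
    """Same estimate for a password of characters drawn uniformly at random
    from an alphabet (94 = printable ASCII without space, an assumed figure)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["pizza", "password", "ColdPizzaisgreatforBreakfast"]:
        print(f"{candidate!r}: {check_memorized_secret(candidate) or 'OK'}")
    # A five-word random passphrase beats an eight-character random password.
    print(f"5 random words : {passphrase_bits(5):.1f} bits")
    print(f"8 random chars : {password_bits(8):.1f} bits")
```

The comparison is the reason passphrases are recommended: five dictionary words chosen at random yield more bits than eight random printable characters, and the words are far easier to remember. The policy check rejects short and blocklisted secrets but does not nag users about symbols, which is the NIST position that the quoted definition reflects.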
Organizations with strong password (or passphrase) policies and multifactor authentication enabled are most certainly ahead of the game, but human behavior can still present serious security challenges. Luckily there is a way that’s proven to change human behavior: Security Awareness Training.
Security Awareness Training is the process of providing formal cybersecurity education to your workforce about a variety of information security threats and your company’s policies and procedures for addressing them.
Unfortunately, Security Awareness Training is often overlooked because management chooses not to offer it and users choose not to participate. Some reasons that this happens include budget, the maturity of the security program, and just lack of interest. In some cases, organizations just overlook the importance and effectiveness of a good training program.
Security Awareness Training is vital, though, because every user who is on your network is part of the security posture and, like your IT staff, users must also be aware of threats that could lead to a security event.
Attackers are human, and humans by nature prefer the path of least resistance. In the eyes of the attacker, phishing is that path and your users are the target. With automation and other tools, attackers can flood multiple organizations with messages that all share the same intent: getting your information. Phishing campaigns such as this try to steal your users’ credentials, install malware or, even worse, ransomware. If your users are not properly trained and prepared to identify these campaigns, your organization’s worst day could start with a “click”.
As I wrote on this blog last year, security training can dramatically improve your organization’s chance to survive these attacks by educating your users on what to look for or who to contact in the event of receiving a malicious message.
Along with training users against phishing, Security Awareness Training programs can and should focus on your organization’s security posture. Keeping the content fresh and targeted to your audience will be the best way to ensure success. Also be sure to tailor the program to the groups in your organization; talking about security in healthcare isn’t effective in training your logistics team.
Now, how do you get users to attend training and, more importantly, follow security guidelines? One way is to simply mandate compliance by including training in each employee’s performance standards. Another way is to track training attendance and follow up with users who fail to attend.
If you prefer a less authoritarian approach, you could always add some gamification. Reward users who attend training and also report malicious activity. The reward can be monetary like Sonic gift cards, because who doesn’t like a Sonic burger?
The Security team at LRS IT Solutions can help you with your Security Awareness Training program and other security issues. Just fill out the form below for a free consultation.
About the author
Chris Hill serves as our Security Practice Leader. Chris has more than 24 years of business and professional experience in IT and holds a Bachelor of Science degree in Electrical and Electronics Engineering.