According to the Verizon Data Breach Investigations Report, which analyzed data from 1,367 breaches and 63,437 security incidents in 2013, the majority of last year's breaches were caused by basic lapses in security: employee mistakes, the use of weak and default passwords, system configuration issues and inadequate system monitoring. All of these could be addressed by appropriate security awareness training.
By now, we are all well aware of the notorious Target security breach. Other large retailers breached in 2013 include Spec’s (550,000 credit cards), Neiman Marcus (350,000 credit cards), Michaels (2.6 million credit cards) and Aaron Brothers (400,000 cards), to name a few of the more well-known retailers. Though the Target breach heard around the world is now a thing of the past, repercussions are still being felt by consumers and security professionals. As it turns out, the biggest lesson learned from the Target breach is that even the best security technology will not prevent security incidents if IT staff receive insufficient training on incident response (how to deal with a breach during and immediately after it).
An article by Bloomberg Businessweek reported that Target had one of the most advanced malware detection systems in place, and that it easily detected the hack. However, insufficiently trained IT staff were unable or unprepared to act in time to stop the credit card data from leaving the network, resulting in one of the largest retail credit card hacks in recent history.
Companies need to understand the importance of security training and allocate an annual budget for it. Comprehensive security courses taught by industry experts are available both onsite and online. From personal experience, the onsite ones have a better ROI, as they ensure the attendees are focused on the content and not multi-tasking while online videos are running on their systems in the background.
Hands-on security training WILL enable your IT team to respond quickly and appropriately to security incidents in the event that they were unable to prevent them from occurring. For example, if your IT staff cannot prevent 100% of malware from entering your network, their incident response training will prepare them to respond appropriately to the incident once it has occurred.
Security training should typically cover topics like application security, mobile app security, IT infrastructure security and end user security training, to name just a few. If a business has a lot of home-grown applications, security training must also occur at the application development level. For example, application programmers should be taught how to code applications securely from the ground up. It is very difficult and cumbersome to make improvements or corrections after an application or program has been developed and is already being used by a business unit to store financial data or intellectual property.
In closing, security awareness training is not a one-time thing. Just as the threat landscape keeps changing, our security awareness training also needs to evolve. The best programs have a recurring annual component.