Reducing Cyber Risk – User Education and Awareness
Unfortunately, the use of a business’s IT by its users brings with it various risks. As such it is essential for all staff to be aware of their personal security responsibilities and the need to also comply with corporate security policies.
This can be achieved through regular security training and awareness programmes designed to increase the levels of security expertise and knowledge across the organisation as well as developing a security-conscious culture.
What is the risk?
Organisations that do not produce user security policies or train their users in good security practices will be vulnerable to many of the following risks:
Unacceptable use
Without a clear policy on what is considered acceptable, certain actions by users may contravene good security practice and could lead to the compromise of personal or sensitive commercial information, which in turn could result in legal or regulatory sanctions and reputational damage.
Removable media and personally owned devices
Unless it is clearly set out in policy and regularly communicated, staff may consider it acceptable to use their own removable media or connect their personal devices to the corporate infrastructure. This could lead to the import of malware and the compromise of personal or sensitive commercial information.
Legal and regulatory sanction
If users are not aware of the special handling or reporting requirements for particular classes of sensitive information, the organisation may be subject to legal and regulatory sanctions.
Incident reporting
If users do not report incidents promptly, the impact of any incident could be compounded.
Security Operating Procedures
If users are not trained in the secure use of their organisation's ICT systems or in the functions of a security control, they may accidentally misuse the system, potentially compromising a security control and the confidentiality, integrity and availability of the information held on the system.
External attack
Users remain the weakest link in the security chain and will always be a primary focus for a range of attacks (phishing, social engineering, etc.) because, when compared to a technical attack, there is a greater likelihood of success and the attacks are cheaper to mount. In many instances, a successful attack only requires one user to divulge a logon credential or open an email with malicious content.
Insider threat
A significant change in an employee's personal situation could make them vulnerable to coercion, and they may release personal or sensitive commercial information to others. Dissatisfied users may try to abuse their system-level privileges or coerce other users to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources.
How can the risk be managed?
Promote an incident reporting culture
The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination.
Support the formal assessment of Information Assurance (IA) skills
Staff in security roles should be encouraged to develop and formally validate their IA skills through enrolment on a recognised certification scheme for IA professionals. Some security-related roles, such as system administrators, incident management team members and forensic investigators, will require specialist training.
Establish a staff induction process
New users (including contractors and third-party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions of their employment (contracts, for contractors and third-party users) must be formally acknowledged and retained to support any subsequent disciplinary action. Ideally, the initial user registration process should also be linked to the organisation's technical access controls.
Produce a user security policy
The organisation should develop and produce a user security policy (as part of its overarching corporate security policy) that covers acceptable use. Security procedures for all ICT systems should be produced that are appropriate and relevant to all business roles and processes.
Maintain user awareness of the cyber risks faced by the organisation
Without exception, all users should receive regular refresher training on the cyber risks to the organisation and to them as both employees and individuals.
Monitor the effectiveness of security training
Establish mechanisms to test the effectiveness and value of the security training provided to all staff. This should be done through formal feedback and potentially by including questions on security training and the organisation's security culture in the staff survey. Those areas that regularly feature in security reports or achieve the lowest feedback ratings should be targeted for remedial action.
Establish a formal disciplinary process
All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them.