Page 56 - Cyber Defense eMagazine - September 2017
End User Security Education
Why Cybersecurity Education for Employees is so important
by Lawrence H King, Application Analyst, Northwestern Medical Center
An organization is only as strong as the weakest link in its cybersecurity chain. Many
businesses spend a large amount of money on software, hardware, and services to help
prevent cyber-attacks but forget about end user training. As attackers look for new ways to get
around the technology, they find that engaging the end user is easier than trying to find holes in
the technology. It is important that an organization take measures to get all staff members up to
speed on the basics of cybersecurity.
The end user is usually the weakest link when it comes to cybersecurity, and that is what
attackers are counting on. This is why phishing is such a popular technique for spreading
ransomware. The attackers are trying to get past the hardware, software, and trained technical
staff to your untrained non-technical staff, hoping that they will be gullible enough to take the
bait. If your staff is not properly trained to recognize the risks, your organizational data may be in
jeopardy.
A good end user security training program is an inexpensive way to enhance security in
your organization, but it must be done properly. The information has to be given in a language
and at a technical level that everyone can understand. The courses must give the information to
the end users at a pace and in a time frame that is digestible. If the course is too long and the
information is too technical and too dry, the staff members will lose interest. It is also important to
try to make the presentation a little bit fun to keep people engaged.
Some organizations forgo the end user security training because they feel that it takes too long,
that the end users will not care about or understand the content, or that their end users are just
not smart enough to digest the information. Each one of these assumptions is false. There are
several ways to give the presentations to the end user. End users can be encouraged to
become part of the cybersecurity strategy if you explain to them why it is important to them and
the organization. If the information is given at the right level and avoids the use of technical
jargon, the end users will understand the information. If you are unsure about how to go about
putting an end user security program together, SANS has a web site with information, a
PowerPoint slide show, and a webcast to help teach you. You can find this information on their
web site: https://securingthehuman.sans.org/resources/planning
The information can be presented in several ways. It could be a printed or electronic document,
a video, or a live slide show presentation with a presenter. At my organization, we chose the
third option because we feel that this engages the audience a bit more. With the document or
video the audience does not get to ask questions or participate. It is also easy for them to skip
over parts or the whole thing altogether and just say that they read or viewed the information.
Some organizations provide a small quiz to combat this, but in the end they still do not get a
chance to ask questions or discuss the issues. Each time I have presented this topic we have a