We all make mistakes. Mistakes are a huge part of how we learn. For corporate security, the human factor is your biggest problem. Offices, computers, communication systems, etc. can all be locked down as tight as possible and, still, one careless action can bring it all crashing down.
Human error is the main cause of the majority of security breaches. This can be any number of actions – opening an email attachment from an unknown source, using weak passwords or reusing the same password for multiple accounts, leaving a laptop unlocked at a coffee shop while you run to grab your order. The list is endless.
There are a few basic factors that allow human errors within the security model to occur:
Poorly defined, poorly implemented, or poorly enforced security policies will eventually catch up to you. You can usually count on users to take the path of least resistance – even if it means violating established security policy. A balance must be found between policies that are demonstrably beneficial and policies that are overkill and end up just getting in the way.
Errors only occur when they can occur. This applies to everything from physical infrastructure to operations to communications. Well-defined processes result in better security and reliability all around. You can’t remove all opportunities for error but clear processes and procedures can reduce those opportunities to a manageable level.
Lack of Knowledge/Awareness
Many errors result from the user simply not knowing what the correct action is for a given situation. You cannot simply expect users to understand what good security practices are and what bad security practices are.
So what’s the solution? Obviously, you need skilled technical and operations staff to handle common security issues but, more importantly, quality training is paramount. Users are your last line of defense.
Some simple tips for designing a good security program for your team:
- Everyone attends training sessions. No one is exempt, ever.
- Any training program must be all-encompassing. There is nothing related to security that can be skipped.
- Training must be continuous. Humans tend to forget things when they are not reminded of them. Annual video training to “check the box” simply won’t do these days.
- Ensure users understand that all questions are welcome – the more the better. The last thing you want is for a user to make an uninformed decision.
- Make it real. Conduct regular security exercises and use those results in future training sessions to show what was handled correctly or incorrectly and why.
Security is not static – it is constantly changing and new threats arise daily. Your policies and training programs must adapt as well.
~ Joe H.