Security Education – Sorry, how many chances do I get to pass the test?
The premise of security education comes down to one major component: getting employees to stop doing things that come naturally.
Employees were never employed with a ‘Security First’ mentality, unless they are security analysts, which would account for only about 2-3% of roles. Individuals choose a career that will allow them to master their trade. Unfortunately, in the digital era, data has become the most valuable asset that businesses utilise to sustain and grow, which has meant that the acquisition of such data is now as valuable as the currency that increases their profitability.
Education is a gradual (remember this word) process which brings positive changes in human life and behaviour. We can also define education as “a process of acquiring knowledge through study or imparting the knowledge by way of instructions or some other practical procedure”.
The majority of employee security education comes under the heading of ‘Formal education or formal learning’. Formal education can take place in the workplace through classroom or computer-based training (CBT), in which an employee learns the basics of security protocols and how to apply them to their working practices. Typical CBT training provides the employee with the ability to learn [at the terminal] and have multiple attempts to get things right. This type of education is deemed by employees as instantaneous. The only acceptable outcome is an immediate ‘Pass’ for the course, and for the employee to have adjusted their attitude and behaviour to security protection.
Humans are naturally fallible. People can be easy to trick
As mentioned previously, data is the most valuable asset that organisations retain in their business. The varied types of data have increased exponentially over the past decade, and individuals now have access to gigabytes or terabytes of it via their software applications. This also means that the employee can dramatically affect their company via a simple swipe or click on their keyboard.
Humans are naturally fallible. People can be easy to trick. They forward emails with infected attachments (as was the case with WannaCry), click links to dubious websites and unwittingly grant fraudsters access to their email and systems. Humans are not stupid; many are simply WIMPs (Well Intentioned and Meaningful People). They believe that what they are doing is correct or helping to complete a function. Remember, humans don’t know what they don’t know!
Alongside the increased collection and creation of data are the cyber actors, who have greater focused resources targeted at breaching the organisation’s security tools and extracting data, either directly from data stores or indirectly by having employees send or remove the ‘golden’ data that the actors treat as commercial currency.
So how can we challenge the ‘gradual learning process’ of security education, when today’s technology advancements and cyber actors do not give employees the opportunity to apply it?
Take the responsibility out of the hands of the human/individual
At Gospel we do exactly that.
Gospel’s Enterprise Secure Data Platform provides security protection at the ‘Data Layer’. Our private permissioned architecture never allows the employee to access data they should not be seeking, or to pass organisation/user data to individuals or organisations that should not be in receipt of this most valuable asset. Gospel does not work on the basis that one error (as accepted in CBT training) is acceptable, as that error could compromise the entire company or, at worst, personally identifiable information.
Does this mean you do not need to educate the employee? NO!
Everyone needs to be educated; it’s how we grow as individuals. But the security education should be cognitive and on the job, allowing the employee to see how the technology stops data breaches and data mistakes. This way the WIMPs can still outperform in their roles, but with the knowledge that the data is protecting them.