This article describes the importance of ongoing employee training to identify potential security threats, common methods of attack, using the Standards Library and Strategic Roadmap to perform ongoing assessments, generate extra NRR, and strengthen customer relationships.
In today’s IT environments productivity is necessary, uptime is essential, and security is critical. The latest hardware and software provide layers of protection in hopes of preventing cyber attacks. The newest technology causes most IT providers to forget the weakest link: the end user.
A typical user focuses on their job responsibilities without prioritizing security risks. A surprising amount of security breaches stem from users unknowingly granting administrative access or installing crypto-malware—all due to a lack of user security awareness and training.
This article aims to accomplish the following:
- Describe common security threats unknowingly activated by end users.
- Use the Standards Library to create a best practices template for end-user training.
- Configure recurring user training on the Strategic Roadmap to include in customer budgets.
- Increase NRR and strengthen customer relationships through security awareness and training.
Common Malicious Security Risks for End Users
Employees in all divisions within an organization are subject to malicious threats. Believe it or not, computer users are not the only asset regarded as a cybersecurity threat. Warehouse workers, receptionists, and delivery drivers are potential vulnerabilities. Security awareness and training are not intended for a specific group of users, but for the entire workforce.
Security breaches come in many forms: technical, physical, and administrative. Training employees in these areas reduces risks associated with data breaches, lowers active noise, builds a proactive service provider, and prevents lost productivity.
A baiting attack exploits a person’s curiosity. An attacker may leave a USB memory stick in the open—labeled ‘Confidential’ or ‘Payroll files’—to bait a user into plugging it into their computer. Attaching it to a PC would then activate malicious code or files with the intent of accessing company information.
Phishing attacks are the most common social engineering technique. Attackers use email, social media, or SMS to trick victims into divulging sensitive information or to direct the user to a malicious website to infect the user’s PC. Like baiting, phishing usually involves a method of attracting the user’s attention by leveraging their curiosity.
A spear-phishing attack is like a regular phishing attempt but targets a particular end user. This is usually accomplished by the attacker impersonating another employee—like a member of Human Resources—and requesting specific information.
A whaling attack uses sophisticated social engineering techniques to steal confidential or personal data. The information typically has a relevant value from an economic or commercial perspective. What distinguishes whaling from phishing is the target: an executive or heads of government agencies. The term "whaling" implies there is a bigger fish to capture.
Quid Pro Quo
A common tactic of a quid pro quo attack is calling a user while impersonating technical support. They attempt to befriend the user by fixing their issue in exchange for access to the user’s PC or other information. A user may unwillingly grant access to the individual because they assume they are calling from their service provider.
This type of attack is a simple and very common attempt at physically accessing a restricted area. An attacker may ‘piggyback’ an authorized employee, delivery person, or warehouse worker by waiting for someone to open the door and stepping through, avoiding security measures. These attacks are common in areas with many employees due to the constant exchange of employees in the restricted area.
Human Social Engineering
Gaining access to sensitive information and security questions is as simple as talking to another person. An attacker will befriend an employee, asking questions to drill down and divulge the data they need. A common example is gaining a user’s trust and having a conversation on topics like their choice of password. The attacker will steer the conversation towards their process of selecting a password and get the user to reciprocate.
Watch people on the street willingly give up their password:https://www.linkedin.com/feed/update/urn:li:activity:6462387207847186432
Best Practices Template with the Standards Library
Like other standards and best practices, user training and awareness is a recurring assessment. A one-off training session works for a specified period of time, but after 6 months or a year, users do not retain what they have learned. A best practice is keeping the momentum with ongoing training sessions.
In the example below, I used the Secure Control Framework (www.securecontrolsframework.com) to create a custom template around their ‘Security Awareness & Training’ domain. This is a simple illustration of how training implementation uses the Standards Library and that ongoing education is usable.
Using the Standards Library to track—and implement—user awareness training has benefits over checklists or spreadsheets.
- Cadence: Setting a reminder every few weeks or months forces the TAM or vCIO to address the issue of training. By doing this, it sets a rhythm for the client by getting it on the agenda and on the Strategic Roadmap.
- Review score: Creating a separate review for training and awareness provides its own score. Much like other reviews, the score assesses the completion rate, where training is falling short, and how to keep users on track.
- Reporting: When used as its own review, a vCIO is able to generate a report to review with a decision-maker. Keeping the top brass informed of their organization's progress is a major part of user training success.
Putting a training plan in the Standards Library is the same as several other best practices. The trick is creating the right training modules for the correct audience. Some coaching focuses on specific industries while others are more general. Cybersecurity awareness and training are suitable for all organizations dealing with sensitive electronic information.
Use Findings to Justify Recommendations
After the TAM completes their portion of the Alignment Review, the vCIO handles the remainder. Standards marked as aligned are typically left alone while those not aligned require attention. Misaligned standards are dealt with one of two ways: they show on the review as misaligned and require attention or converted into Findings for the Strategic Roadmap.
Findings provide an additional layer of reinforcement to Strategic Roadmap recommendations. For example, the Strategic Roadmap feature in myITprocess allows for numerous Initiatives, that is, a top-tier strategic component for customer strategy.
During the vCIO Review stage, the option to “Add to Strategy” is present. Using this feature allows a vCIO to assign Findings to individual Initiatives they want to present to their clients. The more evidence of misaligned standards to apply to a recommendation, the better.
Strategic Roadmap showing Unassigned Findings.
Related Article: Adding Findings to the Strategic Roadmap
Related Article: Nest Unassigned Findings into an Initiative
Add Training to the Strategic Roadmap
As an overlooked asset, user training cannot be one and done. It must recur on a set schedule, either voluntarily or by mandate (HIPAA, NIST). A vCIO uses the Strategic Roadmap feature in myITprocess to schedule recommendations from TAM findings. A TAM should immediately make the recommendation for training when they notice a pattern in user behavior. If standards related to user activity do not align after many reviews, it is best to say training is essential.
How can a service provider and client benefit from the Strategic Roadmap?
- Persistence: A vCIO can reiterate the importance of user training and awareness at every meeting. Some clients have a hard time committing to recommendations, but constant reminders aids in the approval process.
- Budgeting: A great feature of the Roadmap is adding recommendations to the estimated expenditures for the year. Much like other implementation costs, user training appends like any other item and included in the budget.
- Strategic Roadmap Report: This feature generates a condensed view of the roadmap to put in front of a decision-maker. It is a great tool for keeping recommendations clean, presentable, and having user training listed with other recommendation.
- Leverage: By including security awareness training on the Roadmap, a vCIO is leveraging the liabilities of a decision-maker. User training—and frequent training—is required under many regulatory, statutory, and contractual compliance requirements. A decision-maker who declines to enforce user training is, in turn, non-compliant.
The Recommendations section above is an example from the Strategic Roadmap Report. In essence, adding it to the Roadmap keeps the topic persistent for every client meeting. Constant reminders of the importance, cost, and time commitment are present on every report. Moving a recommendation to future quarters is a great feature. When a recommendation is on hold, moving to the next meeting shows the vCIO is a strong advocate of user training.
Benefits of User Training
User training provides other benefits to the service provider when implemented regularly. Cybersecurity awareness is important and working with clients that trust their vCIO strengthens the strategic relationship.
- Implementing a recurring training program creates a steady flow of Non-Recurring Revenue (NRR). Training sessions have the potential to generate one or two revenue projects per year. A Technology Service Provider not prioritizing user training is a surprise, to be sure, but an unwelcome one.
- Training strengthens and reinforces the strategic relationship. When a customer trusts their IT service provider, they are more willing to accept recommendations. Strong connections do not see expenditures as a sales pitch or revenue-generating scheme, but as a partner concerned for their best interests.
- Users who identify threats and resolve minor issues on their own reduce tickets which in turn reduces Reactive Hours per Endpoint per Month (RHEM). A self-sufficient customer—even if eliminating a handful of tickets per month—is a great boost to efficiency. The reduction of RHEM leads to a reduction in tickets and leads to an increase in margins.
At the end of the process, security awareness and user training benefit the service provider and client. There is no reason to deny a customer the knowledge of preventing their own issues. Users who can sustain themselves are much more productive, efficient, and better customers in the long run.