Many successful ransomware/other malware attacks share two characteristics. One is that they gain access to an enterprise network because a legitimate, authorized user does something they shouldn’t. Such as opening a phishing email, clicking on a bogus web link, or falling victim to credential theft. The other is that they initiate or revive a spirited discussion of the value of user education to cybersecurity efforts.
Whenever that subject comes up, I’m reminded of something my sainted mother used to say. “Where you stand often depends on where you sit.”
- At the 2017 Black Hat conference, cybersecurity solutions vendor Thycotic surveyed more than 250 hackers. As reported by BetaNews, those hackers called out “education/awareness” as “one of the least effective security protections.”
- User behavior intelligence solutions provider Dtex Systems recently announced its 2017 Threat Monitoring, Detection & Response Report. For that study, the company commissioned Crowd Research Partners to survey more than 400 cybersecurity professionals. “User training was identified as the leading method for combating insider threats, according to 57 percent of those surveyed.”
There are probably as many opinions about user education as there are cybersecurity professionals and hackers. So, to paraphrase the title of the oft-covered song written in 1931 by Florence Reece in support of striking Kentucky coal mine workers, which side should you be on?
User Education, By the Numbers
Fortunately, there are some numbers available that might help you to decide. As BetaNews reported, at the June 2017 BSides conference in London, Digital Guardian surveyed 187 cybersecurity professionals. Those respondents had some interesting things to say about insider threats, user education, and their bosses’ cybersecurity priorities.
- 92 percent “believe that the industry, as a whole, is far more concerned with defending against outsider threats than internal ones.”
- 71 percent “felt that businesses should be more concerned about the insider threat than they currently are.”
- “Almost half “feel that insider threats and uneducated users are actually the most overlooked security threat in enterprises today.”
- 91 percent “said that they felt that senior management in their business make poor decisions when it comes to security strategy and spending.”
In September 2016, Ponemon Institute published its 2016 Cost of Insider Threats study. That report, sponsored by Dtex Systems, is based on interviews with 280 IT and cybersecurity practitioners at 54 U.S. enterprises, each with 1,000 or more employees. Each of those enterprises experienced “one or more material events caused by an insider” during the 12 months immediately preceding the survey. Herewith, some figures derived from the 874 insider incidents experienced by all of the surveyed enterprises.
- Percentage of incidents caused by negligent employees or contractors: 68
- Percentage of incidents caused by “criminal insiders:” 22
- Percentage of incidents caused by credential theft: 10
- Average cost per negligent employee/contractor incident: $206,933
- Average cost per criminal insider incident: $347,130
- Average cost per credential theft incident: $493,093
- Total average cost of all insider incidents at each enterprise: $4.3 million
- Cost per incident for enterprises with 75,000 or more employees: $7.8 million
The study also found that “companies that have mandatory user training realize an average total cost at $4.0 million.” This is $300,000 lower than the overall average cost of $4.3 million, and $3.8 million less than the per-incident cost at large enterprises.
The Bottom Line: User Education is Worth It – If…
User education is not a panacea, and by itself will not protect your network or your enterprise adequately. During the past few years, there have been multiple, high-profile, worldwide malware attacks. These have generated much media coverage, and much attention to the issue of user education. Yet legitimate users continue to be successfully victimized by malefactors, and continue to make attack-enabling mistakes.
To deliver effective, multi-layered protection for your enterprise network, you need to engage and educate your users, to maximize their contributions to your cybersecurity. Here at Ivanti, our crack IT team occasionally sends out phishing emails, and rewards users who recognize them as such. Ivanti employees are subject to mandatory self-paced cybersecurity training mini-courses as well. These efforts help us all to keep our cybersecurity knowledge current, and remind us of how best to keep ourselves and our organization secure.
You must also augment those education efforts with comprehensive technologies that detect, isolate, disable, and remediate threats quickly and automatically. Your technologies must also ensure that your enterprise applications are protected, unauthorized code is forbidden, and critical data is backed up frequently and can be restored rapidly. And those technologies must be supported by processes that ensure regular testing and rapid, non-disruptive changes as they are needed. (See “Infected by Ransomware—Now What?”)
Your users are your enterprise cybersecurity’s weakest link. They are also your first line of defense. How well they play this latter role can be affected greatly by your enterprise’s willingness and ability to invest in their cybersecurity education, and to support that investment with effective technologies. (See “Three Things You Can Do Now to Increase User Contributions to Cybersecurity at Your Enterprise.”)
Ivanti Has the Technologies You Need
Ivanti cybersecurity solutions provide the firm foundation your enterprise needs to support and enable your users and your efforts to maximize their contributions to your enterprise’s security. Fight ransomware and malware. Manage patching of your endpoints and servers. Control user applications, devices, and admin rights. And through September, get combinations of select Ivanti solutions at discounts of up to 30 percent. Visit us online or contact us today, and let us help you improve cybersecurity for your users and your enterprise.