
Why IT leaders must start considering the human element of security

by David Levine

Businesses are budgeting too much for technology and not enough in their greatest security asset: their people.

What’s your best defense against security threats?

Is it two-factor authentication? Next-generation firewalls? A robust, easy-to-access VPN?

Actually, none of the above. While these are all excellent tools for protecting your critical business information, your best defense is also your first line of defense: the humble end user. When constructing your overall InfoSec strategy, you must consider the human element of security before your biggest security asset becomes your biggest liability. In this post, we will discuss the importance of engaging your workforce in your security strategy, and how to do so effectively.

In today’s new world of work, the latest and greatest security tools get a lot of talk, and IT managers have generally been given quite a bit of budget to implement these tools and bolster their security posture. With the amount of ink that high-profile breaches have received in the media, security issues have risen to the forefront for many businesses, and this vigilance is definitely a good thing. But from what I’ve seen, many businesses are not using that budget as effectively as they could.

If you go back and take a look at the causes of these data breaches, it’s almost never the crazy, never-seen-before tactics that cause issues. Instead, attackers are able to take advantage of long-standing vulnerabilities that companies didn’t patch effectively, or issues that they didn’t solve with end-user training. And these attacks are getting more sophisticated.

Here at Ricoh, we’ve invested a lot in end-user training to help protect against phishing and social engineering threats, and we’ve seen our fair share. One such attack, which is fairly common today, came from a caller who claimed to be from Microsoft, wanting to check on the health of the employee’s computer under the guise of having detected a virus. Of course, if the employee had allowed them to access their computer, the attackers would have been able to infiltrate the network. This attack failed, as did attempts at financial fraud and phishing emails that imitated correspondence from legitimate websites, even going so far as to create a phony website identical to the original.

We’ve been able to protect against these and many other threats so far — not because of any specialized tool or new technology, but through strong end-user training and education.
 

Security is everyone’s responsibility

End users are your first line of defense for your network. After all, you can spend millions on technology, but if you can’t protect against a simple phishing email, all of your preparations will have been for nothing.

Talking to end users about security can be challenging, but it is doable and necessary. I recommend a three-pronged approach, starting with simple awareness: educating workers about the security challenges they are likely to face. You must be able to clearly communicate to your entire workforce, both tech-savvy and not, about appropriate security measures and emerging threats.

From there, you want to encourage ownership: showing workers that they too have a stake in the game. Security is everyone’s responsibility, and implementing robust QA measures within your organization can help keep everybody on track. Finally, empowerment: give users the tools they need to protect themselves and the company. Here, it’s incredibly important to have a strong training and education program that teaches users how to use the technology effectively and how to use the tools they are given to report issues. Ultimately, they should understand that they are the first line of defense you have.
 
Make no mistake: end-user security is a major challenge. Human error being what it is, someone is likely to make a mistake, especially as attacks get more complex and deceptive. There’s a reason that phishing and social engineering are as prevalent as they are — they work. But while you will never be able to fully eliminate human error, a strong end-user training and education program is still an incredible boon to your defenses, and should be part of a larger plan to not only limit potential points of attack, but to mitigate the damage if and when an attack occurs.

When dealing with security, investing in your people is the best place to start.
 
So when you’re making budgetary decisions on security, ask yourself one simple question: Are you investing enough in the workers who are on the front lines defending your network every single day?
 
David Levine
David Levine, Vice President of Information Security & CISO for Ricoh USA, Inc., helps customers limit risk and enhance their information security. Levine’s areas of expertise include operational security, access management, eDiscovery and litigation support, and HIPAA compliance. An avid auto racer, Levine holds a Bachelor of Arts degree in Information Systems with minors in Computer Science and Business from Eckerd College.