Rationalizing Security Awareness Training

Security awareness training (SAT) is at the top of many security companies' lists for hardening defenses. Human error is a leading cause of data breaches, so it makes sense to teach employees how to avoid key mistakes. Danny Bradbury reports

Training is important, but is it enough on its own? Experts suggest that SAT is only one component in a more rounded approach to security that includes technology solutions.

SAT programs often focus on phishing protection. This form of cybercrime continues to be one of the top vectors of compromise. It has been a leading attack technique for the last two years, according to Verizon's 2021 Data Breach Incident Report, but the pandemic sent it into overdrive. It was a factor in 25% of breaches during 2020, but grew to 36% last year, the report said.

Phishing emails don't just dupe unwitting users into giving up their credentials. They're also a common delivery mechanism for email-borne toxins. The DBIR listed several popular malware types that arrive via email. These include programs that communicate with a command and control server and remote access trojans that access webcams, microphones, and keyboards. In-memory malware and ransomware are also featured on the list.

SAT Isn't Enough

An effective training campaign is important for stopping email-borne attacks, but cybersecurity awareness is harder than it looks. Last year, a global phishing test found one in five people clicking on links in phishing emails. Seven in 10 of them followed up by downloading a malicious file from the phishing website they visited. In what was surely an attempt to underscore the problem, the test was held during Cybersecurity Awareness Month.

In 2022, with cyber-attacks commonplace, why isn't our security awareness better? Anyone can wag a finger at staff in an airless room, but effective, sustainable SAT is rarely easy. Companies are resource-constrained and dealing with a pandemic that has sent many employees to work at home. The SANS Institute's 2021 Security Awareness Report found that time and budget showed up as typical impediments. The finance department also opposed security awareness training initiatives more often than it supported them.

Even when done properly, training on its own isn't a realistic form of defense, warn experts. For one thing, it puts an unreasonable burden on employees.

"SAT requires staff to act as human 'security sensors,'" points out an HP white paper on the topic. "It puts a lot of pressure on people to accurately and reliably identify attacks, which is an unrealistic expectation."

A Multi-Layered Approach

Instead, experts call for multiple layers of defense that complement SAT, ensuring that it isn't the only thing standing in an attacker's way.

"Organizations cannot rely solely on strong education," says Benoit Heynderickx, principal analyst at the Information Security Forum. "They should use the concept of defense-in-depth, adding multiple controls to protect themselves from potential security breaches." That way, when an errant user does finally forget and click on a link in a phishing email, it stands less chance of creating havoc.

Defense-in-depth is a military discipline that armies use to slow down attackers. It mirrors the multiple layers that enable bulletproof glass to slow down a bullet and eventually stop an attack.

"A defense in-depth approach to protecting assets deploys multiple layers of control that are considered independent from one another," explains Heynderickx. "The controls can be thought of as multiple closed doors that the potential breach must pass through before it can compromise its target."

Some of these additional controls are organizational, including a clear chain of command for business processes, and separation of duties. They can also include penetration testing and red-teaming to test company defenses and find weaknesses in their infrastructure before attackers do.

Technology Protection

Technology solutions are another important layer, explains Tom Brennan, chairman of CREST USA.

"There are technical controls that can be deployed to further reduce the risk," he says. "It's always a combination of people, process, and technology."

With so many attacks beginning on user devices, effective security begins at the endpoint. HP offers a micro-virtual machine solution that sandboxes individual user tasks on endpoint devices.

If an employee detonates malware by opening an attachment or downloading a file from a phishing link, the toxic binary will operate in a silo. This stops it from compromising the employee's data or affecting other parts of the operating system. The solution deletes this hardware-enforced micro-VM when the task is finished, eradicating the malware.

Other endpoint tools include strong and up-to-date anti-malware on the endpoint. Brennan also suggests using system controls such as Microsoft's Controlled Folder Access for Windows.

There are also centralized solutions that can complement endpoint tools and configurations. Heynderickx suggests email authentication mechanisms that filter out a suspicious email before it reaches a user's PC. Bolster these protections with encrypted data stored in cloud-based systems, he says, to help stave off ransomware attacks. Just be sure to store your encryption keys elsewhere.

Complement these measures with centralized solutions that can manage digital toxins if they penetrate all of these defenses, advises Heynderickx. "Use a competent incident response team or SOC that can detect anomalies in the network at the early stages," he says.

Used in concert, these tools present their own multi-layered technical defense. They work together as another level of protection to complement end-user training. Ideally, companies will pick tools that integrate well together, creating a cohesive security stack that makes security more watertight.

Companies should understand the implementation challenges, though, warns Brennan. "These tools still require staff who have been properly trained on their bells and whistles to deploy them properly," he says. "Individuals that demonstrate a team competency with certification and accreditation are extremely valuable to their employer."

A multi-layered defense-in-depth solution that blends technology and training offers many benefits, says HP. Reassuring users that they are not the only line of defense helps them to focus on their jobs. "They don't have to worry about making a mistake that takes down the entire company," the company says.

HP even suggests that anti-phishing exercises, in which consultants try to catch out users with fake phishing attempts, might not be necessary. They have certainly backfired in the past.

When a US army combat commander tried to run his own unapproved internal phishing test, recipients passed with flying colors – but they also forwarded the mail to thousands of friends and colleagues. The phishing link was actually a legitimate financial services company that got worried calls for months afterward. GoDaddy and Tribune Publishing also hammered employee morale by sending out fake phishing emails promising non-existent bonuses for staff in the middle of a pandemic, sparking widespread derision.

A well-rounded set of defenses also allows companies to make employee security training more effective, HP says. When employees aren't the last line of defense against phishing attacks, SAT moves beyond simply spotting malicious emails.

"Areas such as data privacy regulations or social media etiquette and risk are obvious candidates, as are specific subjects relevant to the business (e.g., industrial OT security)," the company adds.

Any competent security consultant will explain that nothing is 100% secure. Yet, by complementing SAT with appropriate technology protection, you can make life harder for attackers and increase your chances of blocking email-borne threats. When it comes to protecting applications and data, who wouldn't want at least one extra safety net?


From the maker of the world's most secure PCs and printers, HP Wolf Security is a new breed of endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services is designed to help organizations safeguard PCs, printers and people from circling cyberpredators. HP Wolf Security provides comprehensive endpoint protection and resilience that starts at the hardware level and extends across software and services. For more information, visit www.hp.com/wolf.