Excellium services newsletter : Humans are the weakest link in the information security chain

by Excellium SA

Humans are the weakest link in the information security chain

We’re all human: we make mistakes. Unfortunately, there will always be people trying to take advantage of our mistakes for their own benefit, which can cost our business tremendous financial loss. No matter how sophisticated our cyberdefenses are, how advanced our technologies are, how good our security practices are, we will always be constrained by this human factor.

What can we do about it? Well, we can’t completely eliminate mistakes. However, we can make them much less likely: inform, train and clarify what you are expecting.

Training operational teams in Information Systems Security

Operational teams (network, security and system administrators, project managers, developers, CISO, …) have privileged access to information systems. Inadvertently, by accident or simply through ignorance, they may carry out operations that create vulnerabilities, e.g.:

  • Using high privilege accounts when not necessary
  • Using personal accounts to run services
  • Choosing weak passwords for privileged accounts

In order to avoid such pitfalls, operational teams should regularly follow training about topics such as:

  • Applicable law and regulation
  • Main current risks and threats
  • Authentication and access control
  • Systems hardening
  • Network segregation
  • Logging and monitoring

This list is not exhaustive. Besides, not all topics apply to all operational teams, since different operational teams obviously need different Information Security skills. In addition, the Information Security skills required also depend on how the organization has integrated security into its processes. For instance, the Information Security skills project managers and developers need may depend on how security is integrated into projects.

Raising end-users’ awareness about Information Systems Security

The end-user is also an important link in the information systems chain. He/she should therefore receive proper information about potential security issues and the rules regarding information security. In addition, he/she should learn how to detect a security issue and how to adopt the correct behaviour to mitigate the risk.

Information Security Awareness training sessions should be given regularly to all employees. The organization should adapt them to the target users; they can take different forms (e.g. emails, posters, meetings, dedicated intranet space, eLearning, classroom instruction, …) and cover topics such as:

  • objectives/challenges faced by the organization in terms of information systems security
  • information considered sensitive
  • legal and regulatory obligations
  • security rules and the main procedures for daily activities (e.g. compliance with the security policy, email security/phishing, using personal IT equipment, password protection, reporting suspicious events, clean desk / clear screen policy, …)

It is also important to produce an “Acceptable Use Policy” to define rules and set guidelines about how the organization may use its IT resources.

One more thing… in case of outsourcing, make sure to mitigate the related risks

If your organization wishes to outsource all or part of its information systems, it should perform a specific risk assessment before the outsourced service starts. The information security requirements for mitigating the risks associated with the supplier’s access to the organization’s assets should be agreed with the supplier and documented.

Such requirements may include, but are not limited to:

  • description of the information to be provided or accessed and methods of providing or accessing the information
  • legal and regulatory requirements (e.g. data protection, intellectual property rights)
  • the obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing
  • information security policies relevant to the outsourcing
  • incident management requirements and procedures (especially notification and collaboration during incident remediation)
  • training and awareness requirements for specific procedures and information security requirements (e.g. for incident response and authorization procedures)
  • relevant contact persons for information security issues
  • right to audit the supplier processes and controls related to the agreement

Ultimately, responsibility remains with the organization that outsources. Therefore, it makes sense to take reasonable steps to ensure that the supplier does not introduce unacceptable risks.

Other typical requirements can be found in the ISO/IEC 27002:2013 standard.

Making training really effective

One of the questions that often pops up when it comes to training is “Does eLearning work as well as classroom instruction?”

According to a review of scientific studies compiled by Will Thalheimer, PhD, in 2017, what matters for learning effectiveness is NOT whether the modality is eLearning or classroom instruction; the learning methods are what make the difference. Realistic decision making, spaced repetition, real-world contexts and feedback, among other research-supported learning factors, produce better learning than straight information presentation. When learning methods are held constant between eLearning and classroom instruction, both tend to produce equal results.

Source: https://www.worklearning.com/catalog/
