In his book Secrets and Lies: Digital Security in a Networked World, cybersecurity expert Bruce Schneier wrote, “People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.” That remains as true today as when the book was first published 22 years ago.
It’s easy to understand why users often represent the weakest cybersecurity link within an organization. They click the wrong links that install malware on their devices, send a username and password to a colleague through email, and sometimes accidentally leave their laptops open when they’re out working in a coffee shop.
Many people mistakenly believe that their online accounts would have no value to cybercriminals, so they don’t put the relevant protective measures in place. As a result, organizations are under growing pressure to raise their security levels and remind users to remain vigilant.
Users are feeling security fatigue from receiving too many alerts
Unfortunately, many existing solutions to these complex threats have become so generic that it has become easy for users to ignore them. A gray alert warning us that we’re about to reply to an email from an external sender quickly becomes irritating – especially when we’ve seen it tacked on to virtually every email that has ever been sent from an external sender. Eventually, we become blind to alerts and learn to block them out – a phenomenon known as “security fatigue.”
Security fatigue manifests itself similarly to decision fatigue. We reach our limit with how much information we can process, which leaves us feeling unable to make a rational decision as we move forward.
As a result, we often behave impulsively, make decisions driven by immediate motivations, avoid unnecessary decisions, and select the easiest option. That can look like using the same password or PIN for every account, disabling security alerts, or abandoning a task when required to go through additional security measures. These behaviors leave the door wide open for bad actors to swoop in and take advantage.
Training needs constant reinforcement
Many organizations have tried to bolster their security by scheduling Security Awareness Training (SAT) for users. However, this requires constant reinforcement. We forget information at an exponential rate, especially when we don’t need to use it regularly. Even if we remember some of what we’ve learned, accidents still happen, especially when under pressure to make decisions quickly.
Despite the ramifications that security breaches can have on an organization, it is often left to admins and small, overworked security teams to try to prevent these issues – and to step up and fix things when they inevitably go wrong.
Although training and traditional defenses can be effective against low-sophistication threats, they often fail to prevent users from falling for more complex social engineering attacks. A different, more thorough solution is required.
Real-time teachable moments help users to feel educated instead of policed
Egress Intelligent Security addresses this issue by augmenting training with ‘real-time teachable moments’. These are designed to empower users to take charge of their own security behaviors, in turn reducing human-activated risk on email.
Instead of providing generic training sessions that users will forget within a few days or bombarding them with notifications that they learn to ignore, the software engages people only at the point of risk. That’s designed to reduce security fatigue and helps to make sure that users are alerted only when it really matters.
Egress Intelligent Security is made up of three components: Defend, which is designed to stop inbound phishing attacks by adding colored warning banners; Prevent, which displays information as the user is composing an email to help them catch their own mistakes before they cause damage; and Protect, which can determine the risk of a breach as data is shared.
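The contrast the article draws between a gray banner on every external email and an alert that appears only at the point of risk can be made concrete. The following is an added example written for this page, not Egress code and not a description of how its products score risk: it compares a blanket external-sender policy with a policy that raises a banner only when specific signals combine, over a small constructed inbox. The internal domain, the known-contact list, the staff display names and every message are assumptions made up for the illustration.

```python
"""Blanket external-sender banners vs. alerting only at the point of risk.
Illustrative example for this page; the signals, thresholds and sample
messages below are constructed assumptions, not any vendor's logic."""
from dataclasses import dataclass
from typing import Callable, List, Optional

INTERNAL_DOMAIN = "acmecorp.com"                 # assumed internal mail domain
KNOWN_CONTACTS = {"vendor@supplier.example",     # constructed: senders the user
                  "news@list.example"}           # has corresponded with before
STAFF_NAMES = {"Dana Finance", "Sam Director"}   # constructed: internal display names


@dataclass
class Message:
    sender_name: str
    sender: str
    reply_to: Optional[str] = None
    has_attachment: bool = False


def domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def is_external(msg: Message) -> bool:
    return domain(msg.sender) != INTERNAL_DOMAIN


def blanket_policy(msg: Message) -> List[str]:
    """Banner on every external email: the approach that breeds security fatigue."""
    return ["external sender"] if is_external(msg) else []


def risk_policy(msg: Message) -> List[str]:
    """Alert only when concrete risk signals are present. The reasons are
    returned so the banner can tell the user *why* this message is different."""
    if not is_external(msg):
        return []
    reasons = []
    sender_dom = domain(msg.sender)
    if msg.reply_to and domain(msg.reply_to) != sender_dom:
        reasons.append("reply-to domain differs from sender domain")
    if msg.sender_name in STAFF_NAMES:
        reasons.append("display name matches a colleague but address is external")
    if INTERNAL_DOMAIN.split(".")[0] in sender_dom:
        reasons.append("sender domain resembles our own domain")
    if msg.sender not in KNOWN_CONTACTS and msg.has_attachment:
        reasons.append("first-time sender with an attachment")
    return reasons


Policy = Callable[[Message], List[str]]


def alert_count(messages: List[Message], policy: Policy) -> int:
    """Number of messages for which the policy would show a banner."""
    return sum(1 for m in messages if policy(m))


# Constructed sample inbox: routine external mail, one internal mail, and
# three messages that carry genuine risk signals.
SAMPLE_INBOX = [
    Message("Vendor Support", "vendor@supplier.example"),
    Message("Weekly News", "news@list.example"),
    Message("Pat Colleague", "pat@acmecorp.com"),
    Message("Partner Team", "team@partner.example"),
    Message("Dana Finance", "dana.finance@webmail.example",
            reply_to="pay@elsewhere.example", has_attachment=True),
    Message("Courier", "track@parcel.example", has_attachment=True),
    Message("IT Helpdesk", "helpdesk@acmecorp-secure.example"),
]

if __name__ == "__main__":
    for m in SAMPLE_INBOX:
        print(f"{m.sender:40} blanket={blanket_policy(m)} risk={risk_policy(m)}")
    print("banners shown, blanket policy:", alert_count(SAMPLE_INBOX, blanket_policy))
    print("banners shown, risk policy:   ", alert_count(SAMPLE_INBOX, risk_policy))
```

On this inbox the blanket policy shows a banner on six of seven messages, including routine vendor and newsletter traffic, while the risk policy shows three, each with a stated reason. The design point is the returned reason list: a banner that explains what is unusual about this specific message is the kind of alert a user can act on, whereas an identical gray strip on every external email is the kind they learn to ignore.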
Helping users to become your strongest security link instead of your weakest
Leveraging technology to empower users to make their own security decisions reduces the burden on overworked admins and allows those admins to focus on other important aspects of their jobs that would otherwise be neglected. It also reduces the chances that they will feel overworked and burned out.
Integrating these real-time teachable moments into your users’ day-to-day work also allows them to apply what they have learned from their training to real-life situations in the moments that really matter. That increases the return on investment of other training efforts.
Ultimately, real-time teachable moments are designed to help your users feel as if they are being educated rather than policed. That empowers them to make sound security decisions and changes the dynamic within your organization.
Instead of worrying that users are your weakest link, you can transform them into your strongest security asset.