Security Protection Protection Privacy Seminar Conference Learning Concept

Why end-user training is critical in battle for information security

Author:  Kathryn Packer

Earlier this year hackers created a number of false transfer instructions from a bank in Bangladesh to send a total of $951 Million dollars to various bank accounts worldwide. They succeeded in stealing $101 Million before the fraud was detected. How did they get into the Bank’s system? Investigators believe that it started months before when a Bank employee opened an email message, clicked on a link, and inadvertently downloaded malware to his work computer. That let the hackers in and they went on from there to learn routing codes and procedures.  Just one example in an increasing number of compromised systems making the news. As in so many cases, the weak link was not technical, it was human.

How do we protect against human behavior?  Education is the first step. However, to create a lasting change in employee behavior the training must be more than a single annual event. Studies show that frequent, granular training opportunities designed to address specific behaviors and practices are the most effective. Every employee should be included in the training, senior leadership, supervisors, and IT professionals. You can’t change what you don’t know you are doing wrong, or could be doing better.

Changing behavior takes time and effort….consistent effort. Finding ways to keep the cyber security conversation going is the key to success. One way to keep the conversation going is to have regular sessions using a variety of formats like a Lunch & Learn, exercises for team meetings, screen savers, etc. Find ways to help employees recognize dangerous situations and potential attacks so that they can be avoided

The reality is that we will all make mistakes at some point – click on a link we didn’t check, give an “IT professional” our credentials, etc. That means there also needs to be a way for employees to report not only a suspected attack but also when a mistake is made. Even false alarms could be a good indicator…that changes need to be made to your training program.

Employee training is a key component in corporate security. A well rounded program is our best defense against the type of attack that lead to the Bangladesh bank incident. In fact, a recent study reported by the Wall Street Journal found that employee error is the most common reason for data breach. ( It is worth the time, effort, and budget to create and maintain a good employee cyber security training program.