I’ve spent a lot of time over my career talking about education. K12, higher ed, virtual and blended learning, educational technology, you name it. I’ve even looked extensively at continuing education and professional development. As my focus has turned more to enterprise technologies and security over the last several years, I still couldn’t help but see many of the challenges we face in IT through an educational lens. After all, security pros and hackers aren’t born with deep security and networking expertise - why should we expect our users to be automatically savvy enough to avoid the latest phishing scheme or bit of malware?
Unfortunately, that’s all too often the mindset for many organizations, the majority of which rely on firewalls, intrusion prevention systems, and antimalware software to protect their networks but ignore the real weak link in the security chain: users. Even large organizations with strong security measures have been brought down by unwitting users who fell for sophisticated social engineering and disclosed login credentials or introduced malware onto the network.
Even more interesting than the number of vendors, though, was the diversity of their offerings. The market for security education has matured rapidly in response to emerging and intensifying cybersecurity threats with strong, differentiated offerings from a variety of sources. Here’s a sampling of what we’re seeing:
- On-demand basic curricula - These materials may be video, written, or a combination but are designed to provide a baseline level of user knowledge about cybersecurity and safety. Want your users to know what phishing is and some smart ways to avoid it? Be able to speak a common language about security in the workplace? This is a good place to start.
- Customized curricula - Do you have specific needs in your organization? Special security or regulatory concerns that should be incorporated or a particular way that the more canned materials above should be delivered? This is the next step and can still often be provided on-demand or asynchronously to your users. You can also use these materials (or the basic materials above) as part of your internal training programs.
- In-person training - Again, this can be either standard or customized content but is delivered by real people. Some organizations won’t need to pay for this level of delivery or interaction, but many organizations find that live training sessions coming from respected third parties have more impact on their users.
- Certificate, graduate, and continuing education programs - This goes beyond end user training, obviously, but a growing number of colleges and universities have robust network and cybersecurity offerings. These range from programs for early career network engineers who want to move their careers ahead with a greater understanding of security all the way to programs for ethical hackers and pen testers.
It’s all too easy to blame the users for many of our security woes. Disgruntled IT staff have been complaining about users since the dawn of the information technology age. Now, though, we have some outstanding options for easily educating and training users and ensuring that one misplaced email doesn’t wipe out massive investments in security hardware and software.