Everyone is susceptible. Every day, nearly every organization, large and small, is hit with dozens if not thousands of attacks by digital insurgents.

What’s troubling is that many hackers are needlessly successful, slipping past even the latest, greatest versions of our most sophisticated firewalls.

As a result, malware slips undetected past our digital fences: viruses that quietly corrupt data systems over a period of months, or keylogging Trojans that hand an offshore attacker the passwords and signing credentials of supposedly well-protected systems.

The impact? Thousands – if not tens of thousands – of credit-card numbers are lifted. Or highly classified military strategies downloaded. Or the formula for a new medicine snatched away. And the intrusions are often complete before any internal sirens sound and before the expensive digital guards mount a feeble response.

In the aftermath, journalists worldwide report what little they actually know. Internal IT soldiers spend weeks combing through their systems to contain and recover from the attack. IT analysts write articles describing what they believe happened. Competing organizations calm customer and investor worries by touting the security systems protecting their IT landscapes. And nearly everyone blames vulnerabilities in the IT security software used.

Several experts even go so far as to recommend another IT security program or an “innovative” technological process that would have prevented the breach. Yet, despite all we supposedly know, these attacks keep happening – with increasing frequency. Do we really have any defense against the simplest form of digital insurgency?

Rethinking the Frontline of Defense

“Back in the early 1990s,” writes InfoWorld’s Roger A. Grimes, “…[antimalware] could reliably detect every one of the dozens of viruses, worms, and Trojans in the wild…I remember everyone thinking antivirus programs had become so accurate and freely available, and we all assumed that computer viruses and their ilk would be gone in a few years.”

It’s now twenty years later. And each year, IT security software developers continue to release the next updated version of antimalware’s well-known war horses. Countless startups introduce what they tout as the next generation in IT security, solutions which often seem like tweaked enhancements – if even that – of products already available. And all the while, hackers continue to covertly churn out hundreds of millions of new infections each month and continue to ruthlessly pick apart the most sophisticated public- and private-sector IT infrastructures – with more and more success. Can we really ever be safe?

To date, hackers have not caused truly widespread havoc. If we continue following the same procedures and practices, isn’t it only a matter of time before a single digital guerrilla permanently shuts down a power grid? Or causes an economic system to collapse? Or plays a real-time version of war games? Fortunately, it turns out that we may have a real solution. The same one that helped reduce the rate of street violence plaguing US cities during the 1970s and helped thwart several recently planned terror attacks: human awareness.

Retraining the Troops

What’s troubling is that some experts have advocated this solution for years. CSO reporter Meg Mitchell Moore covered this issue in 2003, writing “Without a doubt, the employee is often the weakest link in the security chain. ‘People think, It’s just data; it’s not really important,’ says Thomas Luce, former CSO of Rochester Health Care Information (RHI) Group and now an independent security consultant. ‘They don’t understand the damage they could do…’”

Despite having had this knowledge for at least a decade, most organizations – except for a specialized few (i.e., national security and intelligence organizations) – have not taken serious steps to educate users. Why? In an era when employees often shift companies to further their careers, many companies are unwilling to invest in employee training that does not drive immediate business results. To make matters worse, there are many detractors who believe that investments in IT security awareness are simply wasteful.

For those holding this view, the current situation should provide ample evidence that companies simply need a new way of thinking about IT security. And there is recent research showing that the majority of IT security breaches involve user actions. Why? Humans are simply the easiest point to crack. Studies consistently find that human behavior is highly predictable, which makes us very vulnerable to social engineering by attackers, such as opening that official-looking e-mail and its attachment, which, once opened, loads malware into a major IT system.

Thankfully, there is hope. With the proper training, which would include standard responses and processes for handling e-mail and phone attacks, any user can change their behavior. It may initially prove difficult, given that the raison d’être of communicating digitally is to enable quick responses, transparent collaboration, and open access to information. But with the informed guidance of IT security experts, all users can acquire the IT security awareness that could prove an organization’s best defense against malicious infiltration.
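As an added example of what those “standard responses” for e-mail attacks look like once written down as checks, the Python script below is not part of the original article. It scores a message against the indicators that awareness training usually teaches users to look for by eye: a display name that claims the organization while the address domain does not match, a Reply-To pointing somewhere else, a lookalike sender domain, an attachment with a double or executable extension, and urgency language in the body. The trusted domain `example.com`, the keyword lists and the two sample messages are constructed for illustration and are not from any real incident.

```python
"""Phishing-indicator checks of the kind taught in user awareness training.

Added example, not from the original article: the trusted domain, the
keyword lists and the two sample messages are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Assumed organization domain (hypothetical); its subdomains are trusted too.
TRUSTED_DOMAINS = {"example.com"}
# Attachment types that training material tells users never to open unasked.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "docm", "xlsm"}
# Pressure phrases social engineers use to short-circuit the "pause and verify" habit.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "verify your account")


def domain_of(header: Optional[str]) -> str:
    """Bare, lower-cased domain from an address header; '' if absent."""
    _, addr = parseaddr(header or "")
    return addr.rpartition("@")[2].lower()


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike(domain: str) -> bool:
    """True for domains that imitate a trusted one: digit/letter swaps
    (examp1e.com) or the trusted label embedded under another registration
    (example-com.net, example.com.login-portal.net)."""
    if is_trusted(domain):
        return False
    normalised = domain.replace("1", "l").replace("0", "o").replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if normalised == trusted or label in domain:
            return True
    return False


def phishing_indicators(raw_message: str) -> list:
    """Return 'code: detail' strings for every training indicator that fires."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, _ = parseaddr(msg["From"] or "")
    from_domain = domain_of(msg["From"])

    # 1. The display name claims to be us, but the actual address is not ours.
    claims_us = any(t.split(".")[0] in display_name.lower() for t in TRUSTED_DOMAINS)
    if claims_us and not is_trusted(from_domain):
        findings.append(f"display-name-mismatch: '{display_name}' sent from {from_domain}")

    # 2. Replies are silently redirected to a different domain.
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")

    # 3. The sender domain imitates ours.
    if lookalike(from_domain):
        findings.append(f"lookalike-domain: {from_domain} imitates a trusted domain")

    # 4. Attachments with a disguising double extension or an executable type.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        pieces = filename.lower().split(".")
        if len(pieces) > 2:
            findings.append(f"double-extension: {filename}")
        if pieces[-1] in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment: {filename}")

    # 5. Urgency language in the plain-text body (one finding is enough).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency: '{phrase}'")
            break
    return findings


def build_sample_phish() -> str:
    """Constructed phishing message that exhibits every indicator above."""
    m = EmailMessage()
    m["From"] = "Example Corp IT Helpdesk <helpdesk@examp1e.com>"
    m["To"] = "alice@example.com"
    m["Reply-To"] = "support@mail-verify.net"
    m["Subject"] = "Action required: password expiry"
    m.set_content("Your password expires today. Verify your account immediately "
                  "or it will be suspended. Open the attached form.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="Password_Form.pdf.exe")
    return m.as_string()


def build_sample_legit() -> str:
    """Constructed routine notice from the real helpdesk."""
    m = EmailMessage()
    m["From"] = "Example Corp IT Helpdesk <helpdesk@example.com>"
    m["To"] = "alice@example.com"
    m["Subject"] = "Scheduled maintenance on Saturday"
    m.set_content("The mail server will be offline from 02:00 to 04:00 on Saturday. "
                  "No action is needed.")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("phish", build_sample_phish()), ("legit", build_sample_legit())):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

Running the script prints six findings for the constructed phishing message and none for the routine notice. The checks are the same ones a trained user applies by eye; writing them down makes the training material testable and lets a helpdesk triage reported e-mails consistently. No single indicator is proof of phishing: the display-name and Reply-To checks in particular fire on legitimate mailing-list and ticketing systems, so the output should prompt the user to verify out of band (a phone call to the real helpdesk number, not the one in the message) rather than serve as a verdict.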

Does your organization have IT security training for its users? How effectively has it reduced IT security breaches? How often do users receive refresher training? What are some of the key tactics taught?