Cyber security awareness training for employees does not go far enough to be effective, according to David Marcus, director of advanced research and threat intelligence at McAfee.
He said businesses more commonly fail in systemic issues when it comes to IT security, chief among these being effective training for users.
“Although adversaries use many different attack methods, there is a lot of commonality around the social engineering techniques they use, and there is a lot of value in tackling that,” he said.
But pure awareness training is not as effective as scenario-based training, he told Computer Weekly.
Marcus believes employees need to face simulated hacking attempts to learn how to recognise them properly and take appropriate action.
“Only by getting into the boxing ring will anyone learn how to block blows from an opponent,” he said.
The military would not send soldiers into an operational area without practical training, said Marcus, yet enterprises routinely put employees in a position where they will get attacked without any training.
“Information security professionals who fail to provide behavioural training are doing a disservice to the company, its employees and its shareholders,” he said.
While not all companies have the resources to devise such training programmes, Marcus said there is a growing number of providers of this type of training, such as PhishMe and TrustedSec.
“But this is a long-term process that information security practitioners need to undertake if they really want to protect their organisation’s data assets and people,” he said.