In the field of IT security, great attention is always paid to network security in the form of various security elements, and a large part of the costs also goes in this direction.
Let us not forget, however, that the human factor, especially the human penchant for curiosity, is a very important and vulnerable element in cybersecurity. The risks associated with this are extremely high and it is necessary to ensure adequate user literacy in the field of cyber risks.
Continuous user education is an essential element for ensuring knowledge. Completion of one e-learning course or training seminar is certainly not enough. Although the user receives basic information about potential risks and their knowledge is sometimes tested, this only creates a very basic awareness of the risks.
I know from my experience that, due to the dynamic pace of development, it is important to continuously inform users about potential risks, not only in the work environment. After all, social networks can also pose a risk in this context and create a potential gateway for the attack itself. Imagine a situation where an attacker targets a user's profile on a social network and then carries out a credible attack on that user's colleagues, and you can see that its impact can be quite significant.
From one point of view, directives can be seen as paper that will bear anything. But they are an important prerequisite for the introduction of further measures. After all, they form a binding framework of requirements that defines the rules. As they mainly have a supporting role, they do not ensure an adequate level of user awareness.
User training must be regarded as another important element. Annual training can achieve compliance with internal regulations, but it will be exceedingly difficult to achieve adequate levels of user awareness. In this area, it is essential to revisit the topic periodically and in plain language. The human factor is the vulnerable link, and it is necessary to pay adequate attention to it. Users are affected not only by occupational risks.
In addition to classic training and keeping users continuously informed about new threats, the form of communication through which this information is transmitted is essential. The user must accept it as a good idea for improvement. For example, how do you explain to a user that they should not always use the same password? The answer is: "very poorly". However, you can minimise the risk by using multifactor login and communication, and by using, already at company level, a solution that is also supported, for example, on social networks. Of course, this does not eliminate the risk of password leaks, but at least it mitigates it.