Organizations defend their networks on each of the six levels in the diagram you see. End-user Security Awareness Training resides in the outer layer: ‘Policies, Procedures, and Awareness’. As you see, this is the outer shell and in reality it is where security starts. You don’t open the door for the bad guy to come freely into your building, right? Let’s have a quick and admittedly highly simplified look at defense-in-depth.
End-user Security Awareness is an important piece of your security puzzle because many attack types go after the end user (called social engineering) to succeed.
Once an organization has published policies, has implemented security procedures, and has trained all employees, the first step of defense-in-depth has been established.
The second step is defending the perimeter. In the case of IT that usually means a firewall, and related tools to block intrusions.
Part three is protection of the internal network. There are various software tools that scan the network for attackers, traffic that should not be there, and many other ways to detect attacks.
Next, protecting each individual computer in the network (called ‘hosts’) is also crucial. Here is where end-point security tools live, which attempt to block attacks on the individual computer level.
Then, there are many ways to protect the individual applications that are running on computers in the organization, and last but not least, the data also needs to be protected, and yet again, there are many, many ways to do that, for example encryption.
However, end-user security awareness can affect every aspect of an organization’s security profile, as it truly is where security starts! That is why it is so important that small and medium enterprises (including non-profits) give their end-users Internet Security Awareness Training, and enforce compliance.