Security Awareness Training: Why Even Bother?
"An attacker only has to compromise one of our systems, so why even have a firewall?"
– No IT security person ever
"An attacker only has to phish one of our users, so why even try to train them?"
– Lots of IT security people
This negative and Nihilistic attitude toward security awareness and training in our industry has always bothered me. And not just because of my professional role and my history with ThreatSim. It’s because I find it terribly short-sighted and ignorant of the need to manage end-user risk — and by that, I mean the actual people.
Just because something is hard and requires ongoing effort and vigilance doesn't mean you shouldn't try to fix it — or at the very least, try to make an attempt to understand what you are dealing with. Those of us who have been in this industry realize that, no, nothing is 100% secure. Yet the demands of our organizations’ business/mission/goals dictate that they seek skills like ours because those skills enable them to operate in an environment where everyone can sleep relatively well at night.
How do we do this? At a (very) high level, we identify exploitable vulnerabilities and remediate them to a level where the risk is less than it was before. Historically, information security professionals have been very comfortable with this approach when it comes to technology. New gadgets? Let’s hear about them. Cutting-edge software? Sure, we’ll sit for a demo (if only because that T-shirt you’ll give me in exchange is pretty darn funny and fully appeals to my infosec geek sensibilities).
But our willingness to explore threat reduction techniques has often had a common limit: people. I.e., humans. You know, those flesh-and-blood endpoints out there who have Internet access and aren’t afraid to use it? Yeah, them.
At Wombat, we’re in the risk management business. It just so happens that our focus is on user risk management. And we’ve seen that user risk management can work — though we’ve also heard any number of clever (and not-so-clever) excuses to avoid such pursuits:
"You can't fix stupid!"
"Users? Ugh, they are hopeless!"
"We’ve got a company full of ID10T errors!"
I’ll admit it: I’ve chuckled along with some of these in the past. But here's something I’ve come to recognize quite clearly: Users are just another information asset in need of vulnerability assessments and remediation.
How to ‘Configure’ Your End Users for Secure Performance
No one patches a server once a year — at least not a server they care about. Patches are applied on an ongoing basis because they need to be. Threats change, vulnerabilities are discovered, attackers adjust their exploits, etc. It's not a stretch to take this same approach with your users.
IT folks will oftentimes make comments like "XYZ technology can be secure if you configure it right." Well, I’d make the case that, just like any distributed system, users (though complex) can be "configured" to be secure...if you set them up right.
To correctly configure a user, they need both awareness and training. A user who is aware of an issue knows what that issue is and how it can affect them. Training gives the user the opportunity to put their awareness into action, practice it, and demonstrate that they get it.
Like any technology asset, maintaining an active security posture is not only possible, it is essential. Regular, ongoing interactions with users create opportunities for non-invasive assessment and remediation activities — and our data shows that these exercises can reduce user-based risks, particularly those associated with phishing attacks.
Wombat's Continuous Training Methodology gives you the tools you need to identify the users who pose the greatest risk to your security posture and apply the appropriate user-based security controls (e.g., more frequent training) for your environment until those users becomes lower risk. And because you can use multiple non-invasive assessments, you can legitimately measure progress. If your assessments were to reveal that certain personnel continued to exhibit a poor security posture, your organization could then adjust technical security controls as appropriate (e.g., assign a different web proxy group).
I suggest trading in the jokes and quips for a new thought process, one that equates assessments and training to system scans and vulnerability patches. Because the bottom line is this: A truly effective awareness and training program (like Wombat’s) gives you access to insights and tools that can reduce end-user security risks and improve your overall security posture.
If you are responsible for information security, why would you take that off the table? Why not implement a system that allows you to pinpoint the users who need some extra help or protection? You’re learning about new techniques and new security safeguards all the time — and your end users can learn, too.
Will you be at RSA Conference 2016? We’ll be there in full force, and we hope you will connect with us while you’re there. If you’d like to hear from Trevor in person, plan to stop by his “State of the Phish Results” briefing session on March 2.
If you won’t be there but you’d still like to hear Trevor's insights related to our 2016 State of the Phish Report, check out these highlights from a recent SecureWorld webinar.