Page 13 - Cyber Defense eMagazine - September 2017
If you read the opinions of cyber security experts, you’ll find that many believe security
awareness training is a total waste of time and resources. After all, why should individual users
shoulder the burden of cyber security when most don’t even understand what it is?
Rather than providing higher-quality training, they argue, you should strive to create a network
environment that is immune to any mistakes your users might make.
And in theory, this approach makes sense. After all, most people really are clueless when it
comes to cyber security, and user errors are a common cause of data breaches.
Moreover, it’s easy to understand the argument that users should not be expected to consider
security, as it should really be wholly the responsibility of the IT department.
But here’s the thing. All of this is good in theory, but it just doesn’t translate into practice.
In the real world, there’s no combination of technical controls, security products, and network
hygiene practices that can completely protect users from cyber-attack.
And, as a result, if you’re serious about the security of your organization, there’s just no getting
around the need for high-quality security awareness training.
Why Improving Awareness is a Terrible Goal
A big part of the reason why most security awareness training is so bad is that it starts with
completely the wrong objective in mind.
Let’s be honest, what good did awareness ever do anybody? Does being aware that we should
eat healthily make us less likely to take the kids to McDonald’s on the weekend?
Clearly not. What we really need to improve are security behaviors.
Knowing this, we can start to think about what useful security training might look like. After all,
everybody knows which poor security behaviors are the biggest cause of security incidents.
Improper data disposal. Leaving laptops on trains. And, of course, accidentally clicking on links
or attachments in phishing emails.
In fact, according to Verizon, over 90% of all data breaches include a phishing or other social
engineering attack somewhere along the line. Knowing this, you can start to make sensible,
proactive decisions about the future of security at your organization.
Now of course, in some cases, technical controls really are the answer. Nobody plans to lose
their laptop or USB drive, but ensuring that all such devices are encrypted can dramatically
reduce the potential impact of their loss or theft.
Similarly, it’s reasonable to assume that no matter how good your security training is, some
mistakes will still be made. Tightly controlling user access levels and implementing sensible
network architecture are two ways of limiting the impact of those mistakes.
But when it comes to a threat vector like phishing, technical controls can only do so much. Many
phishing campaigns no longer rely on malicious software or downloads, but can still have a
tremendous negative impact on your organization. BEC scams, for example, are routinely used
to trick low-level employees into authorizing huge payments directly into attackers’ bank
accounts, and are practically immune to technological security controls.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.