Dave Aitel of Immunity, Inc. recently wrote an opinion piece for CSO Online on the value of awareness training as part of an information security program.
His view, in so many words, amounted to "scrap it" and spend the money building the walls higher elsewhere.
To say that he took a beating from the InfoSec community at large is probably an understatement. I hope that he was writing the post in a tongue-in-cheek style and that he took the stance he did to provoke reaction more than to espouse his personal belief.
That said, I want to argue in defense of security awareness as a vital cultural issue that few organizations can do without, particularly in the dangerous climate in which we find ourselves today.
Training and education are key elements in securing users and data, because even the best technical controls cannot protect both in every situation. Advances in detection and monitoring have put more capable tools in the security professional's toolbox, but APT attacks have grown in both sophistication and persistence, and they still frequently succeed and lead to data loss.
Should organizations abandon their current tools because those tools fail to halt determined, well-funded, state-sponsored attackers? Of course not; the tools are still effective against the bulk (roughly 80 percent, by the author's estimate) of what lurks on the web. Similarly, some research places endpoint security effectiveness at only around 30 percent, yet very few organizations stop deploying it. Why? Because it catches the known threats, and the telemetry it produces may help uncover unknown ones later.
Training may not completely remove a risk like social engineering or the malicious link disguised in a phishing email, but if even one user recognizes a threat for what it is and reports it, that can mean the difference between taking immediate action to remove a back door and waiting for the FBI to knock on the front door with far worse news.
As security professionals we build layered defenses to mitigate, not eliminate, risk. Despite the glossy brochures, I would wager that few solution providers would argue that there is a panacea for the problems we face today.
The reality is that we rely on several layers to keep bad things from happening where possible, and several more to alert us when they do, so that we can mount a quick and effective incident response. This is not an area exclusive to technology, however: better-educated people can serve as both a line of defense and an alert mechanism for when the technical defenses fail.
Training and education must extend beyond the five minutes spent during employee orientation discussing what users can and cannot do. Annual refresher training, often required only to tick a box in a compliance framework, is not sufficient either, particularly when it is a canned PowerPoint or web-based presentation whose content neither targets nor connects with the user.
Mr. Aitel calls out this type of training for what it is, and I cannot fault him for his assessment. However, the prudent step is not to abandon training altogether, but to make it valuable, timely, frequent, and memorable.
Organizations need to immerse users in information security at a fundamental level. It needs to become second nature and part of the organizational culture. This works best when the themes apply to people on a personal level, when the topic resonates beyond the workplace and touches home, family, and personal data security.
Does your organization have enterprise licensing? A home use program that promotes personal use of office productivity products and endpoint protection may encourage users to communicate with IT and information security staff more often. Remind users of any personally beneficial IT program offerings, such as discounted software or free training, and cover timely security topics in emails that can be read in two minutes or less.
Consider starting a short newsletter, or simply make the effort to increase personal interaction with the user base. Demonstrate a smartphone tool like Genius Scan and explain how a document-scanning app like it can be misused to collect sensitive data in the workplace. Stop talking about APT in the abstract and show a video in which users can see an attack in action.
Visual examples of real-world attacks have a tangible impact on the audience, who immediately come away with a better understanding of the threat. Arrange for local law enforcement or the FBI to come to your site and present on cyber-crime or intellectual property theft. These techniques do not replace traditional training mechanisms, but they supplement them and make the program more effective.
When I took over the information security program at a previous organization, few people were aware of any risks, and any malicious activity was considered a "virus". There were useful tools and training available, but few took advantage of them. We incorporated many of the recommendations I have listed above, as well as less conventional options.
By the time I left, we were routinely giving out 200+ HUP-licensed endpoint suites for Windows and Mac platforms a year. Many staff members had purchased steeply discounted productivity software that mirrored what we used in our business environment. Although typical indoctrination and annual refresher training were still required for compliance, relevant topics from the news made for good discussion fodder and broke up the monotony.
Suspicious email and web activity was routinely reported for action. Employees referred new or unfamiliar colleagues to IT or IT security on relevant topics. Users were more conscious of social networking hazards and of the risks to their personal information. Supervisors and leadership included information security in business planning and projects.
Although these combined efforts could not completely cure user-induced woes, they cut down on the noise and let us focus our energies on the less reactive aspects of securing and monitoring the network. In short, security awareness had become part of the mindset. That is time and resources well spent.