“Users. Can’t live with them, can’t live without them.” I heard that line more than once in my stint as the non-IT guy in the IT department at a newspaper company (I liked to think of myself as the poet laureate of the IT department). None of us, neither hardcore techies nor geekish dilettantes, were thinking much about users and security in those days — this was a couple of years before the Melissa and I Love You email viruses. But now, of course, end users (aka people) are at the center of all things security. And so, we keep hearing and repeating the mantra of user security awareness training: Don’t click on it, don’t click on it, don’t click on it… oh no, you didn’t!
A dozen or more years ago, training people about the handful of things to look for was pretty straightforward. A few tricks to open a relative handful of email attachments. And the viruses were mischievous, capable of causing some disruption and diverting precious IT resources. Then the criminal element discovered the Internet, and malware became more sophisticated, the social engineering more clever and far slicker, and the consequences far, far graver. This presented something of a conundrum: The need for user awareness training appeared to become more and more acute. At the same time, what kind of training? What should people be taught? How much training was enough? Can it be affordable and still useful?
Is it really useful at all?
That’s a legitimate question. Hord Tipton, executive director of ISC2, believes the answer is yes, but organizations have to be serious about it if it is going to be of any value.
“You have to do it much more often than what’s usually being done,” he says. “When I left government, which wasn’t that long ago, they thought one hour of training once a year was sufficient. Frankly, I think that’s totally wasted time. Worse, it creates a false sense of security.”
The point, he stresses, is that the criminals have gotten too good. It’s tough, maybe impossible in some cases, for your employees to distinguish legitimate email from a phishing attack. The days of clumsy phishing messages with poor English and misspellings have been replaced with cleverly disguised messages that appear to be from your bank, from Amazon, from a processing house… Just when we had most people trained not to fall for the obvious, not to open attachments, the messages became far less obvious, and people were lured to click on links as well as attachments.
If you are going to invest in user awareness training, he says, the way his organization does it is to use real examples, especially from high profile cases, such as the RSA breach. In that case, four employees were targeted with an email attachment purporting to be a recruitment spreadsheet. Show people what they are up against and do it once a month, not once a year.
As with everything else in security, it’s a matter of risk vs. cost. How much time and money are you prepared to invest in user awareness training, and what benefits, in terms of reduced risk, do you reasonably expect to realize? One thing is certain: if you are counting on user awareness training to enforce policy, you are in trouble.
I just spoke with Kevin Johnson, security consultant at Secure Ideas and a member of the advisory council putting together the SANS Mobile Device Security Summit next month. (Look for my Q&A with Kevin on mobile device security in an upcoming post.) Kevin does a lot of penetration testing for a living, which includes testing what humans will do, training and policy notwithstanding.
“Any case where we have to depend on users to understand risk and follow the policies scares me if I’m someone who has to defend an organization,” he says. “If your defense is whether that user will click it or not, your defense has failed.”
Johnson says his company will send 250 simulated phishing messages as a social engineering test, for example. Want to guess how many take the bait? A quarter? Half? Try, maybe 400 or so. Not only do people fall for the social engineering, they share with colleagues and/or friends. Ouch.
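That “more clicks than messages sent” result is something a simulated-phishing exercise can measure directly, if each lure carries a per-recipient tracking token and the click log records who followed it. The script below is an added example, not code from the original post or from Secure Ideas; the log format, the token-to-recipient map, the addresses and the idea that the clicking identity is known (for instance from an authenticating web proxy) are all constructed assumptions. It separates recipients who clicked their own lure from clicks by people who were never sent one, which is the forwarding effect Johnson describes.

```python
"""Summarize a simulated-phishing click log (added example, assumptions labelled).

Assumed log format, one click per line:  <timestamp> <clicking address> <tracking token>
The token identifies which original recipient's message was clicked; a click on that
token by a different address means the lure was forwarded.
"""

# Constructed sample: tracking token -> the address the lure was actually sent to.
SENT_TOKENS = {
    "tok-alice": "alice@example.test",
    "tok-bob": "bob@example.test",
    "tok-carol": "carol@example.test",
    "tok-dave": "dave@example.test",
}

# Constructed sample click log: 4 lures sent, 6 clicks recorded.
CLICK_LOG = """\
2000-01-01T09:01:12Z alice@example.test tok-alice
2000-01-01T09:03:40Z bob@example.test tok-bob
2000-01-01T09:05:02Z erin@example.test tok-bob
2000-01-01T09:06:19Z frank@example.test tok-bob
2000-01-01T09:07:55Z alice@example.test tok-alice
2000-01-01T10:11:30Z grace@example.test tok-alice
"""


def parse_clicks(log_text):
    """Return a list of (timestamp, clicking_address, token) tuples, skipping blank lines."""
    clicks = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, who, token = line.split()
        clicks.append((timestamp, who.lower(), token))
    return clicks


def summarize(sent_tokens, log_text):
    """Compute the numbers a defender wants from the exercise.

    recipients_who_clicked  - original recipients who followed their own lure
    outside_clickers        - addresses that clicked but were never sent a lure
    forwarded_by            - recipients whose token was clicked by someone else
    clicks_per_message      - > 1.0 means the lure spread beyond the test population
    """
    clicks = parse_clicks(log_text)
    recipients = set(sent_tokens.values())
    clickers = {who for _, who, _ in clicks}

    recipient_clickers = clickers & recipients
    outside_clickers = clickers - recipients
    forwarded_by = {
        sent_tokens[token]
        for _, who, token in clicks
        if token in sent_tokens and who != sent_tokens[token]
    }
    # Tokens not in the send list point at a logging or tampering problem; surface them.
    unknown_tokens = {token for _, _, token in clicks if token not in sent_tokens}

    return {
        "messages_sent": len(sent_tokens),
        "total_clicks": len(clicks),
        "recipients_who_clicked": len(recipient_clickers),
        "recipient_click_rate": len(recipient_clickers) / len(sent_tokens),
        "outside_clickers": len(outside_clickers),
        "forwarded_by": sorted(forwarded_by),
        "unknown_tokens": sorted(unknown_tokens),
        "clicks_per_message": len(clicks) / len(sent_tokens),
    }


if __name__ == "__main__":
    for key, value in summarize(SENT_TOKENS, CLICK_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data, half of the recipients clicked, but total clicks run to 1.5 per message sent, and two of the four lures were demonstrably forwarded to people outside the test group. Reporting both numbers, rather than a single click rate, is what makes the 250-sent, 400-clicked outcome in the post legible to management.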
One security expert I spoke with advises organizations to depend on security technology to enforce policy, rather than humans. He simply doesn’t believe security awareness training makes a difference. His recommendation is to train people about the technology: what it does and what to expect. For example, don’t depend on employees not to send sensitive information outside the company in violation of policy. But train them about the new DLP product you’ve implemented, so they’ll know what’s going on when they get a pop-up message that they are violating corporate policy.
I’m a trained cynic, but most people believe well-executed, regular user awareness training is part of a layered defense program — not the answer, any more than one particular security technology is the answer, but a way to reduce some risk. It comes down to what you think it’s worth and what you are willing to invest in your employees’ time and your money.