Joe Barrett

INFOSEC Professional

As part of being an employee for a company, you occasionally have to take security awareness training so that they can tell their compliance folks that everyone has done it. It’s a stupid pain in the ass and rarely does any good, but that’s primarily due to the content of the training, not the fact that you have to do training.

Toddler-Level Questions

Security Awareness Training

You don’t need to be a culinary expert to figure out which of those three items is a sandwich. Even my toddler knows what a sandwich is. And yet that’s the way we treat adults when we’re giving them lectures on security awareness.

In the event of a security incident, you should:

  • Unplug your machine and contact corporate security
  • Email all of your coworkers to tell them you got hacked
  • Make sure to copy all of your data onto a thumb drive so you can work from home in the meantime

Seriously?

Before saving data on a thumb drive, you should:

  • Make sure the USB drive isn’t dented
  • Make sure your documents don’t have typos
  • Ensure the thumb drive or the files are encrypted

What the hell?

I understand, having spent quite a lot of my career in the government, that there are a lot of laws and regulations that organizations are required to follow, one of which is ensuring employees get annual security awareness training. However, I’d argue that the actual benefit to employees (or companies) of providing training at the level alluded to above is near-zero.

There are a wide variety of threats facing organizations, and no hour-long training session is going to make them aware of all threats and how they can protect the company network. However, by treating employees like adults and helping them understand why it matters, how the bad guys take over the systems, and why it’s so hard to recover once a breach has happened, you end up with better educated and more aware users.

Anecdote is not data

I used to work network defense at a medium-ish sized organization (about 3k people). We had a particular group of people that happened to be on the receiving end of an awful lot of phishing emails. However, we treated them like children (at first). We’d occasionally swoop in, take their computer away because “it had a virus,” and remand them back to the basic security awareness training.

Those people hated us. Why in the world would they want to report a security incident if it meant that they were losing their computer for several hours? To them, “a virus” was something that slowed down their computer at home and caused popups if they went to a BitTorrent website. What’s the big deal? My work is way more important.

So we tried something different. We sat down with a group of them and explained how phishing led to enterprise compromises, how bad guys used that to access and steal their data, and how it negatively affected both them personally and the organization as a whole. And you know what happened? They got it. True believers.

They started spotting phishing emails and forwarding them to us faster than we could spot them on our own. Infection rates went drastically down across that part of the organization. In my mental picture, the adversary is tearing his hair out wondering why his success rates dropped so drastically and why he keeps getting booted off the network so quickly.

Awareness Training Works

So yeah, awareness training can work, but only if it’s done right. And most people don’t do it right, including lots of large companies that should really know better. Let’s see if we can’t change that for the industry.