Pointing the Finger at Users?

How often do users get blamed for being careless by disclosing sensitive information or inadvertently clicking on a link that looks legitimate? Vendors and enterprises spend millions on security awareness education, yet these same users continue doing dumb things, and the statistics show that data breaches keep going up.
Why are we not getting this right? And who is to blame? Well, the organizations should be pointing the finger at themselves, as it is proven that just attending a training course is not adequate to get the message across. It’s like sitting through an ‘Alcohol is really bad for You’ session and sitting back and thinking that all the attendees will leave the room and never touch alcohol again. It’s time to think outside the box and embrace innovative ways to engage the users: deliver bite-size training that is relevant to them and, more importantly, have the tools to measure success.

Recently I asked the head of the Security division of a major enterprise ‘How do you measure the success of your security training?’ and he replied ‘we have 98% attendance on our training sessions’. Um…
For those of you attending RSA Conference in London be sure to attend the session entitled ‘Training Employees to Recognize and Avoid Advanced Threats’ which will discuss the most effective methods of user training that deliver measurable performance levels.

2 Responses to “Pointing the Finger at Users?”

  1. Pete Prunskunas says:

    “It’s like sitting through an ‘Alcohol is really bad for You’ session and sitting back and thinking that all the attendees will leave the room and never touch alcohol again.”

    No, it’s not like that at all.

    Almost everyone wants to avoid viruses and spam. Users would love to do the right thing, but Internet parasites understand that many users are not sys-admins. The best example is the common installation trick of pre-selecting an unrelated product, e.g. Google Chrome, within an installation dialog. Experienced admins will not fall for that trick, but ordinary users just trying to update their latest Adobe product often do. All of a sudden those users cannot understand why their browser looks so different.

    First, the industry needs to admit that default opting-in is always wrong. Companies like Adobe must be shamed into unselecting checkboxes.

    Second, security professionals need to admit that people are going to do dumb things and close those loopholes. Easier said than done, to be sure, but average users are never going to have the street-sense of sys-admins, so we better figure it out.

  2. Pete Prunskunas says:

    And to continue my rant above, we need to be realistic about expectations for user training. If we tell people that they need to be wary of email attachments, do we really expect them to be cognizant of botnets? And if so, how are they supposed to distinguish between benign and dangerous emails sent from a previously trusted source, i.e. how are they to know if the source is now a part of a botnet?
