I recently hosted a dinner debate for a number of C-level attendees in London. The topic of discussion for the evening was the one topic that everyone is talking about – namely Advanced Persistent Threats.
The discussion quickly moved on to what should organizations be doing to protect themselves against APT’s? On the basis that social engineering is cited as one of the primary tools deployed by cyber criminals the subject of user training reared its ugly head.
So, here’s the question: what percentage of an organization’s security budget is spent on mitigating the biggest risk of all?
My guess is that it’s a very small fraction of the overall budget. Organizations typically stick to the tried and tested techniques of online training, classroom training and having posters everywhere on raising awareness. All of these however are difficult to measure and prove to be ineffective as organizations continue to be compromised via social engineering or phishing. This discussion quickly fell into two camps:
- Recognize the human element as the weakest link in the chain and ensure appropriate and innovative training is deployed to mitigate the risk.
- Stop focusing on providing training and monitoring their activity and instead trust the employees to do the right thing; making them realize they all are owners of the data and therefore responsible for any breach to the organization.
The latter discussion had an interesting analogy; the police mostly trust the majority of people to be good honest citizens and not go around killing people or committing other crimes. They do not monitor us continuously so why should an organization spend time and budget on monitoring security activity in their organization? I wonder how many organizations will take this approach?
The truth is people are human and will continue to be the weakest link and therefore organization will have to shore up their budgets to ensure that its people are as best equipped as possible. There are a whole host of new techniques including simulated phishing and gaming tools. These seem the most promising as they can provide some metrics on the success of the training based on what the user scores when playing a game.
The debate continues……