CyberheistNews Vol 1, #16
Editor's Corner
Why Do Security Training Programs Get Poor Marks?
This month is Cybersecurity Awareness Month, but few security pros are
happy with the state of security awareness training. The Dark Reading
e-zine quotes Alan Paller, director of research at the SANS institute:
"Security awareness has a bad reputation, and to be honest it deserves
it; most programs have been poorly planned or executed."
Many current awareness programs are simply not very effective. It's not
that users are too dumb to understand the material; it's that, up to now,
the training has been done wrong. IT security people assume that if you
make users aware of the problems, they will be motivated enough to change
their behavior. Nothing is further from the truth.
The Dark Reading article puts its finger on the sore spot: the security
world needs to take a page from the marketers' playbook. "They focus on
small pieces of information that can infiltrate the human mind easily,"
Mike Murray, managing partner at MAD Security, says. "Whereas with
awareness training, we give someone 55 different topics in 15 minutes
of training and expect them to remember it and change something."
Alan Paller observed that: "Most users don't need to know how security
systems work and are administered; they only need to know the rules
they should follow to keep data safe. Concepts should be continually
reinforced by constantly retraining and updating employees."
Obviously, training users once a year for a short session is not going
to sink in, especially if violations have no real repercussions. Training
needs to start with a baseline metric, and then keep measuring user
performance after the training. Combine that with tracking and potential
written warnings from HR, and now you have a program that WORKS.
The article ends with five steps to effective training:
1. Communicate small bits of information that users can easily grasp.
2. Focus on what users need to know.
3. Constantly reinforce concepts.
4. Have consequences for repeat offenders.
5. Use metrics to assess effectiveness.
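Steps 4 and 5 are the ones most programs skip, and they are the easiest to automate. Below is an added example (not code from the Dark Reading article or from KnowBe4) that turns the results of simulated phishing campaigns into the two numbers a program like this needs: the Phish-prone percentage per campaign, measured against a baseline campaign run before training, and the list of repeat offenders who clicked in more than one campaign. The campaign log, campaign IDs and user names are constructed for the illustration.

```python
"""Phishing-simulation metrics: Phish-prone percentage per campaign,
relative drop versus a pre-training baseline, and repeat-offender tracking.
Added example; the campaign log below is constructed sample data."""
from collections import defaultdict

# Constructed sample log: one row per (campaign, user, clicked).
# Campaign "c0" is the baseline run before training; "c1" and "c2" are follow-ups.
CAMPAIGN_LOG = [
    ("c0", "alice", True),  ("c0", "bob", True),  ("c0", "carol", False), ("c0", "dave", True),
    ("c1", "alice", False), ("c1", "bob", True),  ("c1", "carol", False), ("c1", "dave", False),
    ("c2", "alice", False), ("c2", "bob", True),  ("c2", "carol", False), ("c2", "dave", False),
]


def phish_prone_percentage(log, campaign):
    """Percentage of users targeted in `campaign` who clicked the simulated phish."""
    rows = [clicked for c, _, clicked in log if c == campaign]
    if not rows:
        raise ValueError(f"no rows for campaign {campaign!r}")
    return 100.0 * sum(rows) / len(rows)


def relative_drop(baseline_pct, current_pct):
    """Relative reduction from the baseline, in percent (75.0 means a 75% drop).
    A zero baseline has nothing to drop from, so report 0.0 instead of dividing by zero."""
    if baseline_pct == 0:
        return 0.0
    return 100.0 * (baseline_pct - current_pct) / baseline_pct


def repeat_offenders(log, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns.
    This is the list that step 4 (consequences for repeat offenders) acts on."""
    clicked_in = defaultdict(set)
    for campaign, user, clicked in log:
        if clicked:
            clicked_in[user].add(campaign)
    return sorted(u for u, campaigns in clicked_in.items() if len(campaigns) >= min_clicks)


def campaign_report(log, baseline="c0"):
    """Map each campaign to (phish-prone %, relative drop vs the baseline campaign)."""
    base = phish_prone_percentage(log, baseline)
    report = {}
    for campaign in sorted({c for c, _, _ in log}):
        pct = phish_prone_percentage(log, campaign)
        report[campaign] = (pct, relative_drop(base, pct))
    return report


if __name__ == "__main__":
    for campaign, (pct, drop) in campaign_report(CAMPAIGN_LOG).items():
        print(f"{campaign}: {pct:5.1f}% Phish-prone, {drop:5.1f}% drop vs baseline")
    print("repeat offenders:", repeat_offenders(CAMPAIGN_LOG))
```

In practice the log would be exported from whichever simulation platform sends the test emails; the point is that the baseline is taken before training, every follow-up campaign is compared to it, and the repeat-offender list, not the raw click count, is what goes to HR.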
And guess what? That is EXACTLY the program we created for you at
KnowBe4. Our customers see a 75% drop in Phish-prone percentage right
after the training, and after two months it is close to zero.
Security Awareness Training -can- be done right, and done that way it
cuts risk significantly, giving excellent ROI.
Here is the Dark Reading article:
http://www.darkreading.com/insider-threat/167801100/security/news/231900073/are-users-too-dumb-for-security-awareness-training.html
Quotes of the Week
"Right is right, even if everyone is against it; and wrong is wrong,
even if everyone is for it." - William Penn, born 1644
"A bore is a person who opens his mouth and puts his feet in it." - Henry Ford
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
How To Get Management Support For Security Awareness Training?
At KnowBe4 we have found that getting budget is in itself an awareness
issue. Communicate with management by showing them actual phishing
emails that made it through your organization's filters into an end-user
inbox. At that point they will understand that the chance of one of your
employees falling for such an email is pretty high if you don't
continually train and test them.
Top Three Reasons Security Awareness Programs Are Effective
Lance Spitzner is a great resource over at SANS and writes a blog
called Securing The Human. His recent posting was excellent, and I'm
quoting it here in my newsletter with the strong recommendation that
you follow him on Twitter, Facebook or his RSS feed. Lance is truly
worth your time!
"When trying to communicate the value of security awareness programs to
management or other security professionals, I find these three points a
good starting point.
"First, keep in mind that ultimately security awareness is nothing more
than another control. It reduces risk, it does not eliminate it.
Anti-virus does not detect all malware, firewalls do not prevent all
attacks, IDS does not report all exploits. The reason I bring this up
is that sometimes people hold security awareness to a different standard.
A common example I see brought up is phishing: if you send enough
phishing emails in an organization someone will fall victim, thus
security awareness programs do not work. Yes, it is true, awareness
cannot nor will it ever be able to change the behavior of all people.
In addition, sooner or later we can all be fooled (including me).
However, this does not mean security awareness is a failure; this
simply means it is no different than any other control.
"Second, by reducing the common day-to-day human mistakes, you reduce
costs and allow your security team to focus on more key issues. Let's
take a look at the phishing example again. By reducing the number of
people that fall victim to phishing attacks, you reduce costs (just
ask your Incident Response team how often they are responding to
infected computers). This saves your organization not only response
costs, but in addition means more up time for your employees. Even
more important, reducing the number of basic or simple infections
allows your IR team to shift their focus from rogue anti-virus and
infected screensavers to more advanced and dangerous attacks. Stuff
your organization really needs to be worried about.
"Finally, and I feel most importantly, people forget that awareness
is not just about prevention. Awareness is part of the whole spectrum
of security. Once again, let's take phishing as an example. Yes, there
is a failure when ten employees click on links in phishing emails.
But what happens when one of those ten realizes that something was
wrong and then reports the incident to security? Within minutes of a
successful attack your security team is able to respond, allowing
them to not only mitigate the attack, but review and respond across
the entire organization. This can be especially effective in countering
more advanced threats, such as APT, which use the human as one of their
primary attack vectors.
"The reason I'm so excited about security awareness is so little has
been done to secure the HumanOS. I feel like we are back in the days
of NT or Windows XP SP1, just some basic steps can have tremendous
impact."
Here is the original article, with grateful acknowledgment to SANS and
Lance Spitzner. This man knows what he is talking about!
http://www.securingthehuman.org/blog/2011/10/12/top-three-reasons-security-awareness-programs-are-effective
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
WOW: What 9/1000 of a second looks like in Formula 1 racing. A side-by-side
comparison of Sebastian Vettel and Jenson Button at the Japanese Grand Prix:
http://www.flixxy.com/what-9-thousandths-of-a-second-look-like-at-f1-speed.htm
Zack Matere from Kenya uses Internet search to increase his knowledge
and to use it for a better life for himself and his neighbors:
http://www.flixxy.com/knowledge-through-search.htm
How a GPS works and why the satellite clocks have to be slowed down daily
by 38 microseconds due to the effects of Einstein's theory of relativity:
http://www.flixxy.com/how-a-gps-works-and-relativity.htm
Some penguins turn to a life of crime to build the perfect nest:
http://www.flixxy.com/penguin-heist.htm
"Hi, this is Michael - and this is Sven. And today we show the ultimate
trick."
http://www.flixxy.com/tablecloth-trick.htm