Who IS This Yahoo?

[Image: Dave Aitel]

A bunch of people asked me this, and sent me the link to Dave Aitel's blog post which he titled: "Why you shouldn't train employees for security awareness".



Yeah, you read that right: "shouldn't" is what he said. I was highly entertained by the article. I kind of have to admire him; the guy's got guts to play devil's advocate and take the losing side of the debate. He continued with: "If there's one myth in the information security field that just won't die, it's that an organization's security posture can be substantially improved by regularly training employees in how not to infect the company." Well, he sure knows how to start a blog post with a controversial remark to get your attention!

Let's deconstruct his article, take each assertion in turn and see if it holds water.

First he talks about RSA getting social engineered with an infected Word document, which put their SecurID private key franchise in jeopardy. Next he grabs a few other high-visibility examples like Google, eBay, Adobe, Facebook, and Oak Ridge National Laboratory and states that knowledgeable and trained people fall victim to phishing attacks. But were they thoroughly trained in resisting social engineering? I doubt it.

His next example is West Point, where cadets were sent phishing emails to test their security. After four hours of training they still clicked on an embedded link in a social engineering attack coming from a (spoofed) higher-ranking officer. That is hardly comparable to an office environment and not a very good analogy, so this one won't fly either.

But next, he's making IT people wrong! He states that IT asking for an end-user training program is misguided, since end-users don't have responsibility over the network, and cannot recognize or protect against threats. This is where I burst out laughing, as this statement hides his premise that "there is no patch for stupidity". Nothing is further from the truth. Employees are just as smart as IT people; their specialization is simply in another field. It is eminently possible to train them to recognize threats, and there is visible proof that it works.

He then goes on to tell about their own social engineering attacks against their customers' help desks, and states that although these people are trained and warned against social engineering attacks, the only thing that stops the pentesters is technical measures. Well, the only thing I can say to that is that the training of these help desk people must have been inadequate. It is very doable to train a person and inoculate them against social engineering. Kevin Mitnick and I have just released a brand new Security Awareness Training course which does just that with great success.

And here comes the most damaging part of his position. He states: "Instead of training employees, companies should focus on securing the environment and segmenting the network." BZZZZZZ, wrong answer! This is exactly what has been causing all the data breaches of the last few years: relying on technology only. That truly is a fatal flaw, as employees are the weakest link in IT security, but they can be trained to be an effective 'human firewall'. To illustrate that technology simply cannot keep up, just look at some recent research about fresh phishing attacks, which shows that "there is less than a one-in-five chance your antivirus software will detect it as bad."

The solution to this artificial controversy is simple. It's not a matter of either-or; it's a matter of doing both. Aitel conveniently omits the fact that many industries need to comply with government regulation, and Security Awareness Training is a required control that simply cannot be skipped.

Now, having shot him down in flames, I have to give him credit for coming up with a few very good suggestions to keep the network safe, and I would strongly recommend looking at the seven points he lists and using them as your to-do list. After you give your employees Security Awareness Training, that is!

Warm regards,

Stu Sjouwerman

Founder and CEO

www.KnowBe4.com

601 Cleveland Street

Suite 230

Clearwater, FL 33755

Direct: 727-493-5296