Chris Clements, VP of Solutions Architecture
One of my biggest pet peeves is compulsory activities that not only don’t make a meaningful difference but can be actively harmful. In education it can be rote memorization without learning concepts or context. In sports, it is static stretching, which for many years was considered a requirement for avoiding injury but actually lowers muscle strength and increases the risk of injury. In cybersecurity, our example could be a tabletop exercise that doesn’t actually game out how real breaches happen. Then everyone pats themselves on the back and goes home not actually having accomplished anything of substance. Whether you call it “cargo culting”, “zombie ideas”, or “detrimental best practices,” these activities range from annoying to actively counterproductive. Lately though, it seems like some in the cybersecurity field are lumping security awareness training – especially phishing simulations – into this category.
Common criticisms include that it’s like teaching people to swim by occasionally pushing them into a pool filled with rubber sharks. Sure, it might seem like a good idea at first, but it’s not without its issues. For starters, it can give folks a false sense of security, like thinking you’re ready for the Olympics after doing a few laps in your backyard pool. Then there’s the morale problem – nobody likes feeling like the office dunce when they fall for a fake email. It’s about as fun as realizing you’ve had spinach in your teeth all day after getting out of an important meeting. Yet another argument I’ve heard is that cybercriminals are more persistent than telemarketers during dinner time, and they only need to get lucky once. So, while training is great and all, expecting it to create an impenetrable human firewall is like expecting a chocolate teapot to hold hot water – it’s just not gonna happen. And look, I get it. It is true that nothing is perfect and, done poorly, almost any type of training can be useless, but I object to the notion that the practice of phishing simulations innately fits into this category for one big reason: frequency.
Cinema aficionados know that the best defense for the ole “double eye poke” gag is a flat hand sideways in front of your nose, but I doubt many of us get a lot of practice being ready to zip it in place for a timely block because, well, we don’t regularly have Moe Howard popping in from around the corner. The problem is that with phishing, many users are going to run into not just Moe, but also Larry, Curly, and Shemp for good measure every single day. Regardless of the business you are in, where you are located, how large your organization is, or what technology you use, phishing is very likely to be the number one attack technique directed at you. Phishing unfortunately has a mix of ease and effectiveness that makes for a compelling vector for threat actors. Why spend the time and effort to buy or develop a new exploit when you can generate and send millions of phishing emails? Sure, most are likely to get flagged by spam and email security systems, but sooner or later you can be confident that one will land in an unsuspecting user’s mailbox, and sooner or later you know you’ll fool a user into opening your malicious attachment or giving you sensitive data like their login information. For most organizations, most of the time, the main initial vector for compromise is phishing and it’s not even close. The numbers vary across different companies, but past Deloitte estimates imply that phishing is the initial access vector for a whopping 91% of cyber breaches.
The only other analogy I can think of, where the main contributing factor went unaddressed for a long time because it wasn’t taken seriously, is seatbelts. For years after their introduction, many people didn’t want to wear them, citing issues with comfort, wrinkling clothes, or fears of being trapped in an accident. While these complaints are real, the number of driving fatalities that could have been prevented by wearing a seatbelt properly was staggering, and at the same time, adherence to using them was low. But then something interesting happened. When the news would report on a traffic accident, they started adding in language about whether or not the car’s occupants were wearing seatbelts. Over and over it seemed like anytime there was serious injury or worse, the common thread was that the vehicle’s occupants were not wearing seatbelts. Combine that with other awareness campaigns and even compliance laws, and now it is rare to encounter situations when putting on the seatbelt isn’t an immediate step before traveling in a car. No, seatbelts weren’t a complete panacea. We still needed to make cars safer and add additional safety features like airbags, but the simple step of encouraging passengers to “Click It” resulted in a staggering drop in serious outcomes from auto accidents.
Because of the frequency of phishing attacks landing in user mailboxes and the severity of the consequences of a user falling for a lure, any improvement at all can make the difference between an organization suffering a breach and avoiding one.
Quality Matters: To get the most out of your training, it’s crucial to be thoughtful about how organizations approach awareness training…
Do:
Don’t:
My team and I spend a lot of time with our clients coming up with the best ways to prepare their employees for the eventual real phishing email that will turn up in their inbox. We’ve had our greatest successes with organizations that treat their colleagues like adults who are part of the solution to keeping their workplace secure. By giving them regular exposure to convincing fraudulent emails, the right incentives to think before they click, and the occasional “neon sign” blaring at them, we have seen phishing test scores rise. No swimming test required.
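The frequency argument above (any reduction in the per-email click rate matters because the attacker gets many tries) and the "phishing test scores rise" claim are easy to make concrete. The following is an added example, not code from the original post or from CISO Global: it scores a series of simulated campaigns from constructed per-user results (campaign, user, outcome), flags users who keep clicking so they can get the extra coaching the post describes, and converts a click rate into the probability that at least one of N real phishing emails landing in mailboxes over a period gets clicked, treating each email as an independent trial. The outcome labels, the campaign names, and the "50 emails land per year" figure are assumptions for illustration.

```python
"""Phishing-simulation scorecard.

Added example, not from the original post. All campaign data is constructed.
Assumptions: each row is one simulated email to one user; outcome is one of
"clicked", "reported" (reported without clicking) or "ignored".
"""
from collections import defaultdict

# Constructed results for three quarterly campaigns sent to the same five users.
RESULTS = [
    ("q1", "alice", "clicked"), ("q1", "bob", "ignored"), ("q1", "carol", "reported"),
    ("q1", "dave", "clicked"), ("q1", "erin", "ignored"),
    ("q2", "alice", "clicked"), ("q2", "bob", "reported"), ("q2", "carol", "reported"),
    ("q2", "dave", "ignored"), ("q2", "erin", "reported"),
    ("q3", "alice", "reported"), ("q3", "bob", "reported"), ("q3", "carol", "reported"),
    ("q3", "dave", "ignored"), ("q3", "erin", "reported"),
]

VALID = {"clicked", "reported", "ignored"}


def campaign_rates(results):
    """Return {campaign: (click_rate, report_rate)} in order of first appearance."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _user, outcome in results:
        if outcome not in VALID:
            raise ValueError(f"unknown outcome {outcome!r} in campaign {campaign}")
        sent[campaign] += 1
        if outcome == "clicked":
            clicked[campaign] += 1
        elif outcome == "reported":
            reported[campaign] += 1
    return {c: (clicked[c] / sent[c], reported[c] / sent[c]) for c in sent}


def click_rate_trend(results):
    """Change in click rate from the first campaign to the last (negative is good)."""
    rates = [click for click, _report in campaign_rates(results).values()]
    return rates[-1] - rates[0]


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: candidates for follow-up."""
    counts = defaultdict(int)
    for _campaign, user, outcome in results:
        if outcome == "clicked":
            counts[user] += 1
    return sorted(user for user, n in counts.items() if n >= min_clicks)


def prob_at_least_one_click(per_email_click_rate, emails_landed):
    """P(at least one click) when `emails_landed` real phish reach users,
    each clicked independently with probability per_email_click_rate."""
    if not 0.0 <= per_email_click_rate <= 1.0:
        raise ValueError("click rate must be a probability")
    return 1.0 - (1.0 - per_email_click_rate) ** emails_landed


if __name__ == "__main__":
    for campaign, (click, report) in campaign_rates(RESULTS).items():
        print(f"{campaign}: click {click:.0%}, report {report:.0%}")
    print("trend:", f"{click_rate_trend(RESULTS):+.0%}")
    print("repeat clickers:", repeat_clickers(RESULTS))
    # Assumed volume: 50 real phishing emails reach mailboxes per year.
    for rate in (0.10, 0.03):
        print(f"click rate {rate:.0%}: P(>=1 click in 50 emails) = "
              f"{prob_at_least_one_click(rate, 50):.1%}")
```

Note the reported-without-clicking rate alongside the click rate: a program that treats users as part of the solution wants reports to rise as clicks fall, and the probability function shows why a click rate that looks small per email is still near-certain compromise over a year of attempts.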
Chris Clements, CISSP, CCSA, CCSE, CCSE+, CCSI, CCNA, CCNP, MCSE, Network+, A+, began working in the information security field in 2001, and has a wide range of experience with information security technologies including:
Chris is also an expert in information security design, security compliance, and penetration testing (ethical hacking) techniques such as:
He has worked to secure hundreds of customers across North America, from Fortune 500 companies with billions in revenue to small businesses with just a few users. He has developed in-depth security auditing and penetration testing products and service offerings and engaging end-user security awareness programs. Chris also enjoys teaching and has led courses on information security for hundreds of students. With his unique skill set and background in both technical operations and business management, Chris has strengths in business management, sales, and product and service delivery.
The post Is End-User Cybersecurity Training Useless? Spoiler Alert: It’s Not! appeared first on CISO Global.
This is a Security Bloggers Network syndicated blog from CISO Global authored by hmeyers. Read the original post at: https://www.ciso.inc/blog-posts/is-end-user-cybersecurity-training-useless-spoiler-alert-its-not/