There’s a lot of talk in the security industry about the effectiveness of security awareness training for employees. Some highly respected members of the community have repeatedly asserted that it’s a total waste of money, and this sentiment seems to have picked up some momentum in recent years.
In our last post we discussed human vulnerability in Why Your Users Keep Falling for Phishing Scams. People generally assume anything that makes its way into their inbox is a legitimate attempt to contact them. Just because security professionals see a shady email and think ‘phishing’, doesn’t mean everybody else does, too.
The argument against security awareness training goes that since normal users have no responsibility for network security, and they don’t understand the implications of their actions, it should be down to IT to create an environment in one which can’t harm the organization.
But we disagree.
The fact is that while that is a good target to aim for, it isn’t possible right now, and probably never will be.
IT is Never Infallible
For us, this is the elephant in the room that security awareness training nay sayers repeatedly fail to address.
There are many things we can do as security professionals to keep our users and networks safe. From strong endpoint security and tight spam filters to consistent vulnerability management and a robust patching procedure, we must accept that the responsibility for network security falls squarely on our shoulders.
Since the start of 2013, a new zero day exploit has been discovered approximately once per month, meaning organizations have been at least slightly vulnerable for nearly 100 percent of that period. Almost regardless of the quality of our security programs, it has always been possible for threat actors to get through.
Spam filters are excellent… but they aren’t perfect. Security vendors usually claim somewhere in the area of 99 percent effectiveness, and while that may well be accurate it guarantees that at least some malicious emails will make it through.
And don’t even get us started on imperfect patch implementation. Every network environment is slightly different, and it only takes one tiny configuration error in one patching cycle to leave your network vulnerable.
Certainly we can make it very difficult for threat actors, maybe even so difficult that they’ll choose to find easier hunting grounds elsewhere. We should absolutely take every possible measure to keep our networks safe from attack.
But we’re deluding ourselves if we believe we can shield our users completely.
Not All Attack Vectors Can Be Prevented with Technology
Moving on from the issues with technical controls, let’s consider that some attack vectors are almost entirely resistant to technical security controls.
Take pure social engineering, for example. Whether it’s delivered via phone, email, or in-person, there are no links or attachments to scan, no direct attempts to breach your network security, and often no way of knowing in advance that the particular phone number, email domain, or person involved is malicious.
How good would your network security have to be to resist these types of attacks automatically?
And sure, you can force your users to choose passwords that can’t be easily cracked or guessed. But you can’t force them not to write their passwords down, or save their login credentials on the personal smartphone they use to browse Facebook on unsecured Starbucks WiFi.
And so far we’re talking about real state-of-the-art network security. When we enter the real world, where organizations mostly have budgets and a need to stay profitable, the problem just gets worse.
No matter how you spin it, there is no way of securing your network that guarantees your users will never be exposed to some sort of attack.
Good Security Awareness Training Works
Thankfully, the security awareness training nay sayers are wrong. You can train your users in a meaningful and measurable way.
We know this, because we do it all the time. Our employee defense training experts design and deliver bespoke multimedia training programs that help users understand not just what they have to do, but also why they have to do it.
Are you in the market for an effective security awareness training program? Be sure to read our Security Awareness Training Buyer's Guide that details the critical factors to consider when purchasing.
Our experts also craft phishing campaigns, and send them to our clients’ users. They track click rates over time, and provide additional support to users who continue to click on ‘malicious’ links.
And because of this, we know that good security awareness training works. Click rates consistently go down over time, and users are more able to identify and report phishing emails promptly as they receive more training and reinforcement.
And the thing is, you can do this, too. Whether you choose to work with a security vendor or develop the resource internally, we strongly recommend that you up your security awareness training game, and see for yourself how much your users can improve.
Don’t Hate the Game, Hate the Player
If you take anything from this article, let it be this:
Security awareness training isn’t a waste of time. Your security awareness training is a waste of time.
Now that might be harsh. After all, you’re here reading an article designed to help you improve your network security.
But if you’re currently delivering annual training designed purely to satisfy your compliance requirements, you’re letting yourself (and your users) down. Most training of this sort is tedious, unhelpful, and quickly forgotten.
Developing security awareness training that really enhances the knowledge and behavior of your users takes time, investment, and constant reinforcement. It’s a real commitment, and you must have buy-in from the very top to make it work.
But weigh that against the genuine, observable results you’ll see within months, and you’ll realize that high quality security awareness training is far from a waste of money.
We have much more to come on why people are the biggest vulnerability for most organizations, and whether it’s possible to ‘patch’ this vulnerability. Stay tuned to the blog for posts on how phishing emails will always make it through your spam filter and how you can strength your human firewall.