Security Awareness Training: A Waste of Time?
"[M]y company [Red Cliff Consulting] has conducted numerous social engineering exercises for Fortune 500 companies whose success relies heavily on the protection of intellectual property.
These exercises involved scripted telephone calls to the organizations' customer service departments and mass phishing emails targeting a randomly selected set of employees. The objective was to collect sensitive data, the results were astounding.
627 of the 1000 people targeted by 'spear phishing' emails (aimed at pilfering the employees' corporate VPN credentials) succumbed to the attack and only 4 of the 373 that did not respond reported the issue to information security staff.
It's not so much those statistics that made the results astounding; but the fact that all these organizations had recently conducted user awareness workshops that addressed the threats posed by social engineers."
Wow. Maybe their Human Firewall was down?
I crack myself up. Anyway, Rohyt mostly blames the staff who offer security awareness training:
"[T]he information security staff must assume the onus of taking the initiative of developing innovative user awareness programs that pique the employees' interest. The majority of the security awareness sessions I attended were unstimulating affairs couching the do's and don'ts of security."
I think it is time to face the fact that security awareness training is generally a waste of time. Trainers can stand on their heads and juggle flaming swords, and some attendees will take a nap. People who handle the most sensitive classified data in the world will happily click on the dancing donkey that appears in their inbox. All it takes to suffer an internal compromise is for one of Rohyt's 1000 respondents to provide their corporate VPN credentials.
In the remainder of Rohyt's article, he does provide good guidelines for improving the quality of security awareness training. However, there is no way to achieve 100% compliance with security policies and sound practices.
So what is my answer? The people with the best capability to address the problem must be given the authority and resources to do so. Those people are the information security staff. They should have the power to remove administrative accounts from normal desktop users. The should have the resources to deploy a proxy to filter and block malicious inbound and outbound traffic. Their concerns should not be sidelined in order to meet "business requirements."
Disagree with me? Well, there are many aspects of business that individual employees should care about. The quality of their work environment is important. I have worked in numerous buildings with asbestos and water problems (thanks .mil). Was it my job to become an environmental engineer? Corporate financial health is another important aspect of a business. Should employees receive accounting training?
Speaking of business concerns: am I the only person who is sick of hearing media pundits tell technical people we need to spend more time and effort understanding "the business?" There are only so many hours in the day. Who is supposed to understand the technical issues facing an organization if we are also tasked with making business decisions?
Why don't I read about business managers being advised to understand TCP/IP?
This is called division of labor, and it's what enables companies to scale to their present size. I am forced to perform business and technical functions by virtue of the size of my small company. As a person who enjoys technical issues, I am not pursuing business issues by choice!
What do you think?