The reality is that most people don’t give users and security awareness programs enough credit. Every time a user avoids clicking on a phishing message, your awareness efforts are successful. Every time a user locks up sensitive information, your awareness efforts are successful. Every time a user protects their screen from shoulder surfers, your awareness efforts are successful. These successes happen all the time.
Your users are a critical part of your organization’s system, and your efforts can significantly reduce loss. Aware users have helped organizations avoid disaster. I have personally been involved with users who have thwarted major attacks. Even when attacks have been reported after the fact, aware users responded appropriately, alerted the appropriate people, and significantly reduced the resulting loss.
The awareness programs you create can provide an immense return on investment. Just be sure that you set realistic expectations.
Chapter 2
Starting On the Right Foot: Avoiding What Doesn’t Work
IN THIS CHAPTER
Making compliance the goal — and nothing more
Failing to compel compliance
Overindulging in science with limited practical use
Mistaking social engineering skills for awareness expertise
Setting inappropriate expectations
Valuing products more than process
Buying into gimmicks that yield no results
Overestimating the role of security awareness
After working in the security awareness field for 30 years, I have learned the importance of knowing not only what works but also what doesn’t work. In the security awareness field, knowing what doesn’t work is almost more important than knowing what works.
This chapter helps you sidestep the problems I encountered throughout three decades spent working in security awareness. Your security awareness programs probably won’t be perfect from the start, but being aware of the red flags can definitely help you steer your program in the right direction.
Making a Case Beyond Compliance Standards
Checking the box means that an organization wants to meet compliance standards and nothing more. In this situation, you will have a harder time garnering budget and management support for your efforts. To create a security awareness program that changes employee behavior, however, you need to make your case — and prove that awareness provides a real return on investment.
CHECKING THE BOX MIGHT NOT BE JUST FOR AWARENESS
Sometimes the Check-the-Box mentality extends not just to the awareness program but also to the security program in general. One of my friends was hired as a CISO of a credit union. One of his first acts was to have me submit a proposal for a security assessment. The proposal met his budgetary needs and he submitted it for approval. He called me up a few weeks later to tell me that they would not be proceeding with the assessment, because his management team thought they had only $10 billion in assets and believed that criminals would never go after such a small financial organization. He went on to say that he found out that the only reason he was hired was that the auditors told the board they could not pass an audit without a CISO in charge of information security. It was no surprise when he left the organization three months later.
Clearly, an entire security program built on the Check-the-Box principle is a major threat to an organization and, more importantly, to its customers. I use this example to make a broader point: an entire program run as a Check-the-Box effort is an obvious danger, but treating any single element of the program as a Check-the-Box effort also puts the whole program at risk.
Though standards evolve, at the time of this writing, the major industry standards regarding security awareness are vague. For the most part, all they require is that an organization has an awareness program in place. The standards imply that organizations should hold annual awareness training, but they don’t specify what these trainings should entail or how to create them. As long as an organization can provide some form of confirmation to potential auditors that employees received some form of annual training, “the box is checked.” Even though auditors sometimes require phishing simulations, the standards provide no instruction for creating the simulations or performing them effectively.
In Chapter 8, I show how you can justify your efforts, even to a tough Check-the-Box crowd, by using metrics to demonstrate the value of your efforts to your organization.
Treating Compliance as a Must
Security awareness programs fail when they treat security as a should-do task and not as a must-do task. Security becomes a mere should-do task when programs seek to influence people to behave securely. These programs attempt to influence users to do the right thing by providing them with more information. Security becomes a must-do item only when users appreciate the consequences of their failings.
Consider awareness programs for sexual harassment, financial compliance, and similar issues. These programs don’t try to influence people to do the right thing — they inform users of their job requirements and the consequences of failing to meet those requirements. Failing to meet financial compliance requirements (such as properly filling out time cards, for example) can result in employees not being paid.
Compliance with a security awareness program that can keep a ruined computer network from grinding company operations to a halt must, similarly, be treated as a must-do task. Security behaviors should be embedded within all business practices, not bolted on afterward. For example, when you're authenticating a user for a system, the security checks should be an embedded step within the overall practice rather than an addition to it. The check isn't a separate function.
Ruining the company computer network typically has far-reaching implications that are difficult to recover from. Yet desired cybersecurity practices continue to be treated as a should-do task. If you want your awareness message to be conveyed and followed, you need to portray your message as a must-do task. In other words, proper security-related behaviors aren’t optional — they’re required, just like all other business functions. Let me be clear: I am not saying that you personally should make the behaviors a must; good security practices are likely an organizational mandate.