In yesterday's Dark Reading, security researcher Bruce Schneier took a swipe at security training:
"If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in."
It's not every day that I disagree with the author of Blowfish, but this is one of those days.
Not Every Lapse Is Fatal
The result of a security lapse is often a mass send to an address book, the installation of a "crapware" toolbar, or another annoying but non-fatal result. Several factors help explain why this is.
- AV Filters Many Generalized Attacks: Installation of generalized malware such as trojan horses and keyloggers will usually be detected by signature or heuristic-based anti-virus packages. If these attacks aren''t stopped by your email server's AV, they will often be stopped by your desktop AV.
- Targeting Your Company Exposes the Attacker: Attacks directed specifically against your company (think disgruntled employees or competitors) often have a "social" component that identifies the perpetrator, exposing them to civil or criminal penalties if detected.
- "Need to Know" Already Protects the Crown Jewels: Senior company officials with access to the most sensitive materials will often already have better-than-average security awareness, such the ability to pick up on a suspicious inbound phone call that's part of a social engineering hack.
People Want a "Fast Computer"
What do end users complain about constantly? "My desktop/Internet/laptop/network is S-L-O-W!" My suggestion? The next time you remote in and "fix the slowness" by undoing their security mistakes, show them how keeping their computer free of crapware and toolbars (which they get from questionable sites and emails) will keep things running well.
In a classroom setting, advice like this may go in one ear and out the other. But a one-on-one while you're fixing a relatively minor problem may keep that user from being "that guy" who clicks on the link that introduces a virus or trojan down the line.
No One Wants to Be "That Guy"
Let's face it: no one wants to be "that guy," and a great way to become "that guy" is to have your email used for a spam campaign, have a NSFW toolbar added to your browser, or lose control of your home page. If someone in your department/floor/team becomes "that guy", office gossip alone alone encourages self-education (e.g., "how can I avoid what was he doing?") because no one else wants to be "the next guy." This means that if you've trained ANY percentage of your users, you'll already have local experts on teams working to train their fearful coworkers whenever a local (and usually non-fatal) security lapse occurs.
Conclusion: "Mostly Trained" Beats "Not Trained"
In the binary world of bits and bytes, it's tempting to strive for zero-tolerance policies like "train them all or nothing is safe." But the whole concept of risk-based security is based on the simple fact that an organization can never be completely secure. Like AV, regular patching, and network monitoring, user training remains one of the best practices organizations can use to mitigate risk. More training is better, but failing to reach a handful of users should not be fatal as long as you've implemented additional security controls.
What do you think - is security training worthless if you only reach 4 out of 5 people? (Tell us in the comments below!)