“You can’t fix stupid,” a security executive recently told me when I asked about the state of security awareness efforts inside today’s corporations. The line may elicit a chuckle, but it’s simply not true. “Fixing stupid” is exactly the intention of security training. It also happens to work.
Look no further than Facebook’s most recent efforts to help its 2 billion members reduce business risk. From all external appearances, the company is taking a two-pronged risk management approach to solving the rise of suspect actors on its social media stage.
On the first prong, Facebook is resorting to its technical prowess, in this case artificial intelligence, to arrest the proliferation of various forms of low-rent content. On the second, Facebook is relying on advertising, its money-making prowess, to educate consumers about the dangers of misguided and misanthropic content, especially information from specious sources, or bedazzled with clickbait headlines.
Meanwhile, Facebook’s security awareness message is simplistic, consisting of a 10-second video alerting watchers that “clickbait is not your friends.” A version of this is blasting its way onto billboards and other publicly visible spots, like Chicago transit platforms. The ads are a hodgepodge of every bad image and clickbait headline you’ve probably seen and kicks off with the ironic uber-message “Click me!!” Facebook knows its audience.
The Human Risk Element
Although most corporations don’t face the intense public scrutiny reserved for the social media giant, Facebook’s combo-pack approach should sound familiar to most information security professionals. It comes straight from the playbook of using technology and security awareness training to reduce risk exposure.
Even with some of the most sophisticated artificial intelligence technology powered by massively scalable data center resources, Facebook understands that culture and education matter most.
ISACA estimates that in a 5,000-employee enterprise using a spam filter with 99 percent effectiveness, the typical employee still gets 11 malicious emails each day—two of them phishing, nine of them containing malware. Or “4,015 potential breaches every year,” per employee. Technology is clearly not enough.
Revisiting Security Awareness Training
Typical impediments to a strengthened security posture through security awareness education programs include a lack of executive buy-in, which leads to a broader employee malaise; the perception that security policies can be an impediment to productivity; and the dearth of budgeting funds to support adequate training.
Facebook’s steps to inform the public about risks, even if basic, should act as a wake-up call, especially given that many organizations face only a fraction of what the social media giant contends with.
But what we do contend with is more than damaging enough. Those phishing emails? The InfoSec Institute reports that the vast majority of workers (97 percent) can’t identify them, and that one in 25 clicks on these emails.
Further, security awareness training helps against attacks: InfoSec says the 52 percent of companies that have such training report a significantly lower average financial loss ($162,000) when breached than those who don’t ($683,000).
Here are four ideas to help foster human education in your organization.
Make security awareness an ongoing process.
The InfoSec Institute report indicates that random training exercises are only mildly effective, reducing risk by 10-15 percent, while consistent training yields an estimated 40-50 percent reduction in risk.
Education programs can be creative and engaging.
Many companies are educating users in compelling ways, says Sean Duca, Palo Alto Network’s APAC CSO. Duca suggests using a combination of short videos, posters, and even contests to serve as reminders along the way. Fear-based tactics don’t work, he says, adding that “teaching employees a shared sense of responsibility” for corporate data is at the heart of security awareness training. Visual aids reinforce this message.
Other gamification tactics, such as rewards—digital badges or points that are displayed on an office scoreboard, for example—are also effective, Duca says. Even material rewards like gift vouchers won’t break the bank.
Adaptive simulation exercises are great training tools.
Because human error is such a significant factor in security breaches, Duca says, ongoing simulated email phishing campaigns are a great way to test employee response and gauge the effectiveness of training efforts.
Simulation tools can include constantly changing attack methods to keep a workforce on its toes, pursuing different outcomes (seeking login credentials or tricking users into clicking on a link, for example), and they often adapt and evolve—getting more difficult, or drilling into problem areas—based on employee response and success.
The ISACA Journal suggests that 30 percent of users will be fooled during the initial simulations, but that can be reduced to 5 percent or lower in time.
Encourage and enforce transparency.
The ISACA Journal also suggests making phishing reporting mandatory and easy to do. For example, they suggest including a “report phishing” button in all emails. Duca suggests calling out departmental groups who report fake emails, or those who don’t, not to single out individuals but to create healthy rivalry in an organization.
Spending money on security training isn’t an easy sell. One security expert I spoke with priced out a “securing the human” program for a 2,000-employee business at $16,500 for a year of hosted video training and various exercises. That’s $8.25 per user per year.
Remember InfoSec’s $683,000 average cost-per-breach for companies without human education programs versus $162,000 for those that have them? With that in mind, $8.25 per user per year is a pittance, no?