
Minerva Secure

โ“ ๐™ƒ๐™ค๐™ฌ ๐™ฉ๐™ค ๐™†๐™ฃ๐™ค๐™ฌ ๐™„๐™› ๐™”๐™ค๐™ช๐™ง ๐™Ž๐™š๐™˜๐™ช๐™ง๐™ž๐™ฉ๐™ฎ ๐™๐™ง๐™–๐™ž๐™ฃ๐™ž๐™ฃ๐™œ ๐™„๐™จ ๐™€๐™›๐™›๐™š๐™˜๐™ฉ๐™ž๐™ซ๐™š

Information Security / Cyber Security Learning

Prevention is better than a cure. To help prevent a data breach, you first need to look at why breaches are happening and where. IBM’s ‘Cost of a Data Breach 2022 Report’ shows which industries are being attacked; healthcare in particular gets hit hard.

Not only that, stolen or compromised credentials are very costly. They were the most common cause of a data breach, yet breaches from this cause took in excess of 300 days to identify, and on average this cause cost in excess of 150,000 USD per data breach.

So, we go back to… how can we prevent it? I then think about security training, and even when you do have it, how effective is it… no, really, how effective is your security training (you do have security training, right)?

I was having this exact conversation with a group of professionals in the information security and cyber security space yesterday. The sheer proportion of data breaches due to compromised credentials indicates that, in general, businesses are not doing enough, what they do is not effective, or a combination of both. I’ll give you my opinion, which I am grateful to have formed from the experience of travelling around the globe assessing companies from the smallest to the largest across many different sectors. This has allowed me to speak to senior executives and also to more hands-on staff about security challenges.

they do not care…

You also need to appreciate that we were looking at this from a compliance point of view – and this is where the problem starts! Where companies look at it purely from a compliance point of view, an initial view, generally, could be that:

  1. Staff know and some are lazy;
  2. Staff know, but they do not care.

So, why could I say that? Well, even with security training in place, you still had:

  • developers putting hardcoded passwords into code;
  • people clicking on ‘obvious’ phishing emails;
  • stories of ransomware because someone clicked on a bad link.

But you also need to ask why these real-life instances occurred. Going straight to the blame game is not going to help. I like to think that if the staff failed at these, then really it is the business that has failed and let them down. The security awareness programme has let them down. So, looking a little deeper, let us take a look at some things I have found about the typical security awareness training I have come across. These include (but are not limited to):

โŒย Security awareness training is boring:ย As an employee, itโ€™s that time of year again for you to do your annual security training. You realise it is the same content as last year (yawn) and you kind of remember the questions and responses at the end, so letโ€™s click, โ€˜Nextโ€™, โ€˜Nextโ€™, โ€˜Nextโ€™, โ€˜Nextโ€™ … ย You receive an email โ€˜Congratulations on completing your security training for this yearโ€™. Now, I ask you do you think that is effective?

โŒย Security training looks at out of date tactics:ย Your security training includes the basics such as check for misspelling, check if you were expecting an email etc. This is good, however, does not continue to go above and beyond to more relevant malicious tactics. ย Attackers are carefully wording and carefully spending time crafting great looking emails and links to fake websites that closely resemble the official sites. Not only that, but they are also timely and crafted following recent news.

โŒย They are not engaging:ย Letโ€™s face it, do you like โ€˜death by powerpointโ€™ styles, where you just read slides for the next 20 minutes?

โŒย They are not real life:ย Remember that often the training given is online or face to face within the office environment. Itโ€™s a safe environment. In this โ€˜laboratoryโ€™ kind of setting, we can get away with learning the basics and regurgitating what is said. Now when it comes to real life situations, it is hard to think what the right thing is to do when we rely on their human judgment. The tests regurgitate what is said, but may not help them think about real life scenarios, that may be relevant to them personally or their job.

โŒย They are not frequent:ย Do not just rely on your training to be given upon hire and at least annually People will forget.

โŒย There is no incentive:ย Does the staff member really care about your business? Itโ€™s happy smiles with them when you ask why is it important, but deep down, do they truly care? Iโ€™m not entirely convinced.

So, what can you do?

✔ Effectiveness: First, just asking ‘how effective is your security training?’ implies some form of measurement. Consider methods to know, first, how many people have taken the training. Second, test them, see what the passing rate was, and work out how you can improve it.

✔ Don’t make security awareness training boring: A good security programme will refresh the content and test people on the new content. This helps stop personnel from skipping through pages.

✔ Don’t just use out-of-date tactics: Make people aware of up-to-date and relevant tactics.

✔ Make it engaging: Break up the duration of the training with checkpoints, and where possible use interaction (sounds, videos, options to click, etc.).

✔ Make it real life: Make it more real. Give real-life scenarios and test them. The reality is that you cannot cover every single real-life scenario, but give them some scenarios and ask whether the answer is option 1, 2, 3 or 4. One example: “You are travelling and you are in a coffee house at an airport named ABC. Do you connect to the Wi-Fi hotspot named <option 1>, <option 2>, <option 3> or <option 4>?”

✔ Make it frequent: From my life as an assessor, especially in PCI DSS: deliver it upon hire, at least annually, and use multiple methods, such as posters and weekly or quarterly newsletters about security. Remember the basic marketing rule that seven touchpoints are needed before a message sinks in – the same applies to your training. Frequency is key.
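The two measurements suggested under ‘Effectiveness’ (how many have taken the training, and what the pass rate was) and the ‘upon hire, at least annually’ rule can be checked from a simple training record. The following is an added example written for this page, not code from the original post or from Minerva Secure; the staff records, the 80% pass mark and the 30-day grace period for new starters are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed programme rules for this example (not from the original post).
PASS_MARK = 80             # minimum score, in percent, to count as a pass
REFRESH_DAYS = 365         # "at least annually"
NEW_HIRE_GRACE_DAYS = 30   # new starters must complete within 30 days of hire


@dataclass
class Employee:
    name: str
    hire_date: date
    # (completion date, score) pairs for every training run the person finished
    completions: list = field(default_factory=list)

    def latest(self):
        """Most recent completion, or None if the person never completed it."""
        if not self.completions:
            return None
        return max(self.completions, key=lambda c: c[0])


def training_metrics(staff, today):
    """Return completion rate, pass rate and who is overdue for a refresh.

    completion_rate: share of staff with a completion inside the last REFRESH_DAYS
    pass_rate:       share of those in-window completions scoring >= PASS_MARK
    overdue:         staff whose latest completion is older than REFRESH_DAYS, or
                     who never completed and are past the new-hire grace period
    """
    window_start = today - timedelta(days=REFRESH_DAYS)
    completed_in_window = []
    passed = 0
    overdue = []
    for person in staff:
        last = person.latest()
        if last is not None and last[0] >= window_start:
            completed_in_window.append(person.name)
            if last[1] >= PASS_MARK:
                passed += 1
        elif last is None:
            # Never trained: only overdue once the new-hire grace period has passed
            if (today - person.hire_date).days > NEW_HIRE_GRACE_DAYS:
                overdue.append(person.name)
        else:
            overdue.append(person.name)  # trained once, but not within the year
    total = len(staff)
    return {
        "completion_rate": len(completed_in_window) / total if total else 0.0,
        "pass_rate": passed / len(completed_in_window) if completed_in_window else 0.0,
        "overdue": sorted(overdue),
    }


# Constructed sample records; names and dates are made up for this example.
SAMPLE_TODAY = date(2023, 6, 1)


def sample_staff():
    return [
        Employee("alice", date(2020, 1, 15), [(date(2022, 2, 1), 95), (date(2023, 2, 3), 88)]),
        Employee("bob", date(2021, 3, 1), [(date(2022, 3, 10), 90)]),   # over a year ago
        Employee("carol", date(2022, 9, 12), [(date(2022, 10, 1), 70)]),  # recent, but failed
        Employee("dan", date(2023, 5, 20)),    # new starter, still inside the grace period
        Employee("erin", date(2022, 11, 1)),   # never completed, grace period long over
    ]


if __name__ == "__main__":
    metrics = training_metrics(sample_staff(), SAMPLE_TODAY)
    print(f"completion rate: {metrics['completion_rate']:.0%}")
    print(f"pass rate:       {metrics['pass_rate']:.0%}")
    print("overdue:        ", ", ".join(metrics["overdue"]) or "nobody")
```

Run against a real learning-management export, the completion rate answers the first question, the pass rate the second, and the overdue list is what an assessor will ask for when checking the ‘upon hire and at least annually’ requirement. Note that a low score still counts as completed, which is why completion and pass rate are reported separately.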

that carrot…

✔ Give them an incentive: People take action because of one of two things: pain or gain. Pain outweighs gain. So, give people an incentive to really understand the consequences. A good way is to have that carrot on a stick. One way is to make the security training personal, relevant to their home and family, and to the consequences if they do not practise it on a daily basis. Clicking on a phishing link in a personal email could lead to being locked out of social media accounts, to information leaking from an email compromise, later to password resets on their bank accounts, and later still to financial loss, identity fraud, etc. If you want to go further, I was informed that another carrot is financial rewards, especially in the tough economic times we live in. A financial incentive for taking the security awareness training and scoring highly may further help increase your uptake.

Now, I heard from a penetration testing person that “security training does not work, I’d rather put that money in segmentation, RBAC, MFA, Chinese wall, <name another technical method> etc”. I would argue that is great, but you should be doing that anyway. Also, with all your investment in tools and methods, phishing and ransomware could still bypass all your hard effort. Security awareness is just another tool in your defence-in-depth toolbox. That is just my view.

Hope that helps. Feel free to share if it will help someone. Until the next post…

Be Secure.

Minerva Secure.

#computersecurity #cybersecurity #informationsecurity #infosec #cybersec #privacy #itleaders #itleadership