Why you shouldn't train employees for security awareness
Dave Aitel argues that money spent on awareness training is money wasted
By Dave Aitel, Immunity Inc.
Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization. Because they're going to do so anyway, so you might as well plan for it. It's the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee—and if these measures fail, that the network is properly segmented to limit the infection's spread.
Here's what organizations should do instead of wasting time on employee training:
- Audit Your Periphery — Websites, back-end databases, servers and networks should be thoroughly audited on a regular basis for vulnerabilities — both by internal security personnel and external pen-testers. They should be rigorously tested against current and most likely attacks. Had Citigroup's website been tested for basic web application flaws, it could have avoided the June 2011 attack that compromised 200,000 customer accounts. This is both cheap and easy to take off the table.
- Perimeter Defense/Monitoring — Robust perimeter defenses should be in place, and regularly tested. These should be protecting the network from both intrusions and data exfiltration. Data exfiltration monitoring should also be ongoing.
- Isolate & Protect Critical Data — What valuable information does your business store in online databases? Classifying business data should be near the top of the CSO/CISO's to-do list. He or she should thoroughly examine the information stored online and locate critical data offline or behind strict network segmentation.
- Segment the Network — Segment your networks and information so that a successful cyber attack cannot spread laterally across the entire network. Had RSA done this, it might have prevented the theft of its SecurID tokens. If one employee's PC is infected it shouldn't be able to spread laterally through the entire system.
- Access Creep — What level of access does each employee have to the network and critical data? How well is this monitored? Limiting unnecessary access is another key element of an effective security posture.
- Incident Response — Proactively examine important boxes for rootkits. You'll be amazed at what you find. And finding is the first step to actually building a defense against "Advanced Persistent Threats."
- Strong Security Leadership — For a company to have a CSO/CISO isn't enough. The chief security executive should have meaningful authority too. He or she should have "kill switch" authority over projects that fail to properly account for security, and real say over security's percentage of the budget. A strong security program should have at least the same budget as the marketing department.
There's a lot of money and good feeling in running employee training programs, but organizations will be much better off if the CSO/CISO focuses instead on preventing network threats and limiting their potential range. Employees can't be expected to keep the company safe; in fact it is just the opposite. Security training will lead to confusion more than anything else.
By following an offensive security program, companies can keep their networks, and employees, protected.
Dave Aitel, CEO of Immunity Inc., is a former 'computer scientist' for the National Security Agency. His firm specializes in offensive security and consults for large financial institutions and Fortune/Global 500s. www.immunityinc.com