Most organizations don’t do enough to educate users about computer security. The main purpose of user education programs is to decrease human-factor risk substantially. If they don’t accomplish that, the whole exercise is a waste of resources.
Such programs, if they exist at all, consist of a sort of security orientation program for new employees, with an annual update and refresher course lasting 15 minutes to an hour. Occasionally, you’ll see an in-house security newsletter and/or periodic Web posts that employees might read on a slow workday.
Basically, we’re talking 30 to 90 minutes (on the high end) of security education for the entire year. Many companies have nothing -- at least nothing formal.
This lack of commitment is strange, considering the overall effectiveness of user education to stop employees from doing stupid stuff. In my opinion, doubling, tripling, or even quadrupling security education requirements and budgets should happen immediately in most organizations.
Why? Because the most prevalent, successful threats rely on social engineering, one way or another. That could be a phishing email, a rogue link, or an offer of a free download that pops up on a trusted website. In rare instances, it’s a physical phone call asking for credentials to be reset or for the person to install “needed” diagnostics software to remove malware.
User education training is the fastest and cheapest way to counteract those threats. Unfortunately, such programs tend to focus on scenarios users will never face -- or that were prevalent 10 years ago. Certainly, most education programs fail to cover the malicious tactics an organization is fighting at a given time.
What computer security training should look like
How do you do it right? First, do more of it, and do it more often. I’ve yet to meet an organization that spends nearly what it should on education, even when it keeps getting compromised by the same exploits.
I still run into IT security workers who can’t get senior management to approve “fake phishing” campaigns to root out users who need training the most. Many who went ahead without official approval have been slapped on the hands -- mainly because the fake phishing “conversion rate” was a lot higher than management wanted to hear about (or because a senior exec failed the test).
I’m a big proponent of fake phishing tests. A handful of commercial companies do it for you: You simply upload your employee email list, pick the type of fake phishing test you want to deploy, and hit Send. It’s easy and quick. Within a few hours you’ll learn if your user base is prepared for phishing attacks.
Keep conducting fake phishing tests until most of your users no longer fall for your phishing emails. It’s a great sign when your company sends out a legitimate email to employees -- and a few sharp-eyed people notice something that doesn’t look right and ask each other if the message is legit.
You’ll always have a small percentage of people who don’t get it. No matter how much education you provide, their personal phishing conversion rate remains stuck at 100 percent. I recommend taking away rights and permissions for those people. Maybe you should remove their computer.
Sound crazy? At the Department of Homeland Security, the current security chief is proposing that employees who fail real or fake phishing tests should lose their security clearances. I couldn’t agree more -- but before you take drastic action, all employees should get intense antiphishing education first. Today’s real phishing emails look quite realistic. They come from people you know, using their real email addresses, often referring to real projects under way.
Users also need to understand that if they get duped into providing credentials or installing unauthorized software, they should report it immediately. Some users are oblivious that they’ve been duped. Others know, or at least get an uneasy feeling, but don’t report it.
Why? When interviewed, people admit feeling ashamed of being fooled -- or worry they might get in trouble. You need to create a culture where “if you see something, say something” refers to self-reporting. Users need to understand that if they report an incident, they’ll be less -- not more -- likely to get in trouble.
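The fake phishing process described above produces numbers worth tracking over time: the per-campaign "conversion rate," the small group whose personal rate stays at 100 percent, and whether people who were duped actually self-reported. The following is an added example, not code from the column or from any phishing-simulation vendor; it assumes the simulation tool can export one row per user per campaign (campaign, user, clicked, reported), and the rows below are constructed sample data.

```python
"""Summarize simulated-phishing campaign results (added example, assumes a
per-user, per-campaign export from the simulation tool)."""
from collections import defaultdict

# Constructed sample export, not real data. Each row is:
# (campaign id, user, clicked the lure, reported the message)
SAMPLE_RESULTS = [
    ("2024-01", "alice", True,  False),
    ("2024-01", "bob",   True,  False),
    ("2024-01", "carol", False, True),
    ("2024-01", "dave",  True,  False),
    ("2024-02", "alice", False, True),
    ("2024-02", "bob",   True,  False),
    ("2024-02", "carol", False, True),
    ("2024-02", "dave",  True,  True),
    ("2024-03", "alice", False, True),
    ("2024-03", "bob",   True,  False),
    ("2024-03", "carol", False, False),
    ("2024-03", "dave",  False, True),
]


def campaign_rates(results):
    """Return {campaign: (click_rate, report_rate)}, keyed in campaign order."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for campaign, _user, did_click, did_report in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
        reported[campaign] += int(did_report)
    return {c: (clicked[c] / sent[c], reported[c] / sent[c]) for c in sorted(sent)}


def repeat_clickers(results, min_campaigns=3):
    """Users who clicked in every campaign they received (at least min_campaigns).

    This is the 'stuck at 100 percent' group the column singles out for
    reduced rights or targeted training."""
    per_user = defaultdict(list)
    for _campaign, user, did_click, _did_report in results:
        per_user[user].append(did_click)
    return sorted(u for u, clicks in per_user.items()
                  if len(clicks) >= min_campaigns and all(clicks))


def silent_clickers(results):
    """Users who clicked at least once and never reported in any campaign.

    These are the people the self-reporting culture most needs to reach."""
    ever_clicked = set()
    ever_reported = set()
    for _campaign, user, did_click, did_report in results:
        if did_click:
            ever_clicked.add(user)
        if did_report:
            ever_reported.add(user)
    return sorted(ever_clicked - ever_reported)


def improving(results):
    """True if the latest campaign's click rate is below the first campaign's."""
    rates = list(campaign_rates(results).values())
    return len(rates) >= 2 and rates[-1][0] < rates[0][0]


if __name__ == "__main__":
    for campaign, (click, report) in campaign_rates(SAMPLE_RESULTS).items():
        print(f"{campaign}: clicked {click:.0%}, reported {report:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("clicked but never reported:", silent_clickers(SAMPLE_RESULTS))
    print("trend improving:", improving(SAMPLE_RESULTS))
```

On the constructed data the click rate falls from 75 percent to 25 percent across three campaigns, one user clicked every time, and that same user never reported anything; those are the two lists a training owner would act on before the next round.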
The question that matters most
A perfect user education would communicate an organization’s biggest threats, from top to bottom, and focus on the most prevalent problems. Every month the most popular, successful threat should kick off the discussion -- followed by an explanation of how to combat it.
The success of your user education program should be measured by asking one question of every employee: What are our top threats and what can you do to prevent them? If most employees can’t answer this basic question, then your user education isn’t doing all it should.
I challenge you to do an experiment. Send out an anonymized email or survey form to all employees asking them to name the No. 1 threat to your organization. Collect the results and compare them to your actual problems. Are they in alignment? If not, why not?