Get real about user security training

Two exploit vectors account for the vast majority of computer security risk inside most organizations: unpatched software and social engineering. If you don’t concentrate on these two areas, you’re wasting your time.

Perfect patching may seem hard to do, but it’s a piece of cake compared to educating your users against social engineering. It takes only one idiot to infect a company.

In fact, it’s so hard to train users not to do stupid things, many defenders simply assume it can’t be done. Maybe that explains why so few resources go into user education and why most companies’ education materials are horribly outdated.

The fact that you’ll always have users who will click on anything doesn’t absolve you from trying to educate. In fact, current evidence shows you cannot be a successful defender without a top-notch user education program.

When I talk about this to customers, most agree with me, although a few respond that their user education programs are good enough — yet you can hear doubt creep in as they think more about it.

One of my favorite questions to ask is whether users have been trained to know what their antivirus program looks like when it actually finds malware. I ask this because one of the most common social engineering tricks is for malware writers to send users a fake antivirus detection warning, which encourages users to run fake antivirus software. How can we expect people to make the right decision if they don’t know what their legitimate antivirus program looks like?

I then ask a whole series of questions about the education program:

• Are users told that most malware comes from “trusted” websites they visit all the time?
• Are they instructed never to install software they’re told is needed by websites they visit?
• Are they told not to run “documents” that end up trying to install things?
• Are they instructed to contact the IT security department if they think they’ve accidentally infected their computer and there will be no repercussions for doing so?
• Are they told over and over never to share passwords among multiple websites — and are they tested on it?
• Are they aware that APTs (advanced persistent threats) often create malicious emails that appear to originate from co-workers or senior management telling them to hurry up and open documents or run executables?
• Are they frequently tested to see if they respond to fake phishing emails?

Any good user education program should cover all these topics and more. Employees should be tested and re-educated if they fail those tests.

Training for hire

Of course, you don’t have to roll your own education program. Dozens of companies out there have fully prepared, professional user education resources ready for easy deployment within your company.

I’ve tried many of these programs over the years, and I think many of them would work great in any company. But I’ve probably spent more time with KnowBe4 than any other. You have to love a company that promises to pay the ransom if your users get infected with ransomware!

KnowBe4 currently has more than 1,200 enterprise customers — and reformed uber-hacker Kevin Mitnick is the company’s “chief hacking officer.” KnowBe4 focuses on security awareness training, computer-based phish testing, and voice-based phishing (a newer method where companies call home users, claim to have detected malware, and offer to “clean up” the infection). Training can target enterprises or home users, with specific content for both. The videos, in nine languages, are all accessible over the Internet and have great production values.

Session subjects cover passwords, spam, phishing, social networking, and smartphone security. The training is accurate and relevant. I found the password session exceptional, with great advice, including the use of long passwords (20 characters or more), passphrases, multifactor authentication, and more.

KnowBe4 also has an email phishing test. Administrators can log on to an administrative console to add users and place them into groups for different phishing test campaigns, which offer administrators a selection of email templates to choose from. The test phish emails are well done and should fool a good amount of users the first time through. You can run a variety of reports using an admin console to see who has taken the various tests or lessons, as well as the current user status.

Any manager or employee participating in KnowBe4 training would find it worth the money and time. If you want top-quality user education videos and are willing to pay a reasonable price — about $10 per user per year — KnowBe4 is a great choice.

Whether you create your own user education materials or turn to a third party, good user training is essential. If what you have isn’t working, improve it. If it’s not perfect, strive for perfection. Do what it takes. If users actually internalize well-crafted training, you’ll come much, much closer to keeping the bad guys at bay.