Security Awareness For Dummies. Ira Winkler

Читать онлайн.
Название Security Awareness For Dummies
Автор произведения Ira Winkler
Жанр Зарубежная компьютерная литература
Серия
Издательство Зарубежная компьютерная литература
Год выпуска 0
isbn 9781119720942



Скачать книгу

that entire security team to reduce loss. In a coordinated cybersecurity department, each team determines their part in reducing losses related to user actions and takes the appropriate actions. Likewise, each team determines how best to support each other in the overall reduction of user-related losses.

      As a security awareness professional, you can be the tip of the spear in coordinating a comprehensive solution to reducing user-related losses. Your primary focus is to create behavioral improvements that reduce the initiation of losses.

      The section heading might anger a lot of security awareness professionals, but I see the idea of the human firewall as a dangerous myth. The idea that users are your last line of defense (which is a catchphrase for many phishing simulation companies) is fundamentally wrong.

      First, consider that users are not the last line of defense in any practical way. For example, if a user clicks on ransomware, the user environment can stop the user from downloading malware by not giving the user permission to install software. Even if the software is downloaded and installed, antimalware can stop the ransomware. To accept that the user is the last line of defense, you have to discount many useful technologies that are commonplace in organizations.

      Michael Landewe, the CTO of Avanan, said it best:

      If a user is our last line of defense, we have failed as an industry.

      Consider also that although other technologies do only what they’re instructed to do, humans can have malicious intent. If you leave your users as your last line of defense and they’re malicious, the results will be disastrous.

      I want you to create the best security awareness programs possible, but you need to remember where you fit within the overall chain of actions. If you give the impression that the user has ultimate control of your systems, then the first time a user fails, you fail in your self-described mission, which can damage the credibility of your program. Consider that you don't even see people who manage firewalls imply that their firewalls will stop all attacks from getting in. If you spout off to management that you will create a human firewall to repel all attacks targeting humans, then the first time a user fails, your program has failed based on your statements. Everything else you do will be met with skepticism, including requests for budget funds, personnel, time, and other resources. Don’t set yourself up for failure from the start.

      The reality is that most people don’t give users and security awareness programs enough credit. Every time a user avoids clicking on a phishing message, your awareness efforts are successful. Every time a user locks up sensitive information, your awareness efforts are successful. Every time a user protects their screen from shoulder surfers, your awareness efforts are successful. These successes happen all the time.

      Your users are a critical part of your organization’s system, and your efforts can significantly reduce loss. Aware users have helped organizations avoid disaster. I have personally been involved with users who have thwarted major attacks. Even when attacks have been reported after the fact, aware users responded appropriately, alerted the appropriate people, and significantly reduced the resulting loss.

      The awareness programs you create can provide an immense return on investment. Just be sure that you set realistic expectations.

      Starting On the Right Foot: Avoiding What Doesn’t Work

      IN THIS CHAPTER

      

Making compliance the goal — and nothing more

      

Failing to compel compliance

      

Overindulging in science with limited practical use

      

Mistaking social engineering skills for awareness expertise

      

Setting inappropriate expectations

      

Valuing products more than process

      

Buying into gimmicks that yield no results

      

Overestimating the role of security awareness

      After working in the security awareness field for 30 years, I have learned the importance of knowing not only what works but also what doesn’t work. In the security awareness field, knowing what doesn’t work is almost more important than knowing what works.

      Checking the box means that an organization wants to meet compliance standards and nothing more. In this situation, you will have a harder time garnering budget and management support for your efforts. To create a security awareness program that changes employee behavior, however, you need to make your case — and prove that awareness provides a real return on investment.

      CHECKING THE BOX MIGHT NOT BE JUST FOR AWARENESS

      Sometimes the Check-the-Box mentality extends not just to the awareness program but also to the security program in general. One of my friends was hired as a CISO of a credit union. One of his first acts was to have me submit a proposal for a security assessment. The proposal met his budgetary needs and he submitted it for approval. He called me up a few weeks later to tell me that they would not be proceeding with the assessment, because his management team thought they had only $10 billion in assets and believed that criminals would never go after such a small financial organization. He went on to say that he found out that the only reason he was hired was that the auditors told the board they could not pass an audit without a CISO in charge of information security. It was no surprise when he left the organization three months later.

      Clearly, an entire security program based on the principle of Check the Box presents a major threat to an organization, and, more importantly, to its customers. I use this example to highlight the point that, although an entire program being a Check-the-Box effort is a clear danger, treating any element of the program as a Check-the-Box effort represents a major risk to the entire program.

Though standards evolve, at the time of this writing, the major industry standards regarding security awareness are vague. For the most part, all they require is that an organization