Welcome!

Cloud Security Authors: Don MacVittie, Elizabeth White, Fouad Khalil, Darren Anstee, Greg Pierce

Related Topics: Cloud Security, Microservices Expo, Agile Computing, Apache

Cloud Security: Blog Post

Security Awareness Training: The Single Most Important Cost in IT Security

Targeted spearphishing is not going to go away, it will most likely increase as threat actors garner more success

Ok, ok, I know the title is a tad dramatic but hear me out on this one.

A well-known computer security professional and former NSA research scientist wrote an editorial back in July 2012 stating, "Money spent on security awareness training, is money wasted." Dave Aitel , a respected individual in the world of Computer Security and current CTO of Immunity, made this statement in light of the fact that several high profile intrusions had occurred at the hands of employees who were targeted in spearphishing attacks, some of which lacking in sophistication. I disagree with the above written statement by Mr. Aitel, I do however find the recommendations he has listed in his article to be spot on, and practical when incorporated with an educated user base.

But honestly, plunging your head into the sand does not make the problem go away. In fact, you are making a problem worse for those who pose the greatest risk to your network, your users. Targeted spearphishing is not going to go away, it will most likely increase as threat actors garner more success from these types of attacks. Technology alone cannot prevent or stop these types of intrusions; you must educate your users in a manner that highlights their importance and role on a company network. Every user poses a risk, every user is a potential victim, and every user should understand the gravity of their actions on a corporate network.

Here is another thought that had entered my mind, "How much does a security awareness program actually cost a company to implement, maintain and test?" Certainly not as much as the cost to clean up the damage from a large scale intrusion.  Oh, and add in the public's perception of your company losing PII, credit card data or even intellectual property, insurance, financial, and other consequences.  It seems like an increased investment in Security Awareness with an emphasis on actual user education would be money well spent.

I do not dispute the fact that security awareness training, as it is currently broadly implemented today, is not an effective defense against even simple spearphishing attacks targeting users. This does not mean that we simply scrap the idea of educating our users.  It means that we should improve the approach.  Attacks against users are not static, they are very dynamic, and our security awareness training should evolve as the threat changes. The user can be treated as a line of defense against spearphising attacks if they are properly armed with the information to potentially recognize an attack. Long ao when a castle was stormed by an enemy, every one was responsible for protecting the kingdom, not just the guards at the gates.

Here are some ideas to more effectively communicate and educate users within the context of security awareness:

  • Employ a dedicated Cyber Security professional to develop the security awareness training. Someone who not only understands the threats, but can interpret the real risks your company faces.
  • Create an environment for testing your employees that more accurately mimics what an outside threat would look like.
  • Perform monthly tests against your users with varying levels of sophistication.  Do not settle for a once a year mandated training that has not changed over the years.
  • Remove the standard testing style from your security awareness with questions and correct answers followed by a certificate of completion. This approach rarely works at educating your users. Instead utilize the results from your monthly tests to determine how well your employees understand the threat of attacks. Use this information to modify the approach.  Target real education.
  • Get feedback from your employees in the event that they were enticed to click on a link or open an attachment. Find out what elements of the spearphish caught them.
  • Consider providing your users with a simple way to communicate to your security team if they are suspicious of a particular email. An email address where your users can forward the potentially malicious or even suspicious email to that the security group monitors. Make sure all of your users are aware just how easy it is to report a suspect message and encourage them to report anything that they may question.
  • Finally, do not punish those users who were enticed to click on a link or download an attachment. Work closely with those who continuously fail your security awareness tests.

Helping your users to understand just how important they are to the security of your company could be the single most important step to better protecting your network.  The cost of education is likely the best money spent in effectively arming your users with the information they require to stop these types of attacks from succeeding.  Remember, it only takes one.

October is the Department of Homeland Security (DHS) National Cyber Security Awareness Month.  It is designed to engage and educate the public and private sectors through events and initiatives with the goal of raising awareness about cyber security.

For some excellent advice regarding other ways to better protect your network in the event of a successful host level intrusion, see page 2 of Mr. Aitels' article referenced above: here.

More Stories By Cory Marchand

Cory Marchand is a trusted subject matter expert on topics of Cyber Security Threats, Network and Host based Assessment and Computer Forensics. Mr. Marchand has supported several customers over his 10+ years within the field of Computer Security including State, Federal and Military Government as well as the Private sector. Mr. Marchand holds several industry related certificates including CISSP, EnCE, GSEC, GCIA, GCIH, GREM, GSNA and CEH.

@ThingsExpo Stories
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and B...
"Digital transformation - what we knew about it in the past has been redefined. Automation is going to play such a huge role in that because the culture, the technology, and the business operations are being shifted now," stated Brian Boeggeman, VP of Alliances & Partnerships at Ayehu, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
The 22nd International Cloud Expo | 1st DXWorld Expo has announced that its Call for Papers is open. Cloud Expo | DXWorld Expo, to be held June 5-7, 2018, at the Javits Center in New York, NY, brings together Cloud Computing, Digital Transformation, Big Data, Internet of Things, DevOps, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, discussed some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he covered some of the best practices for structured team migration an...
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, discussed how they built...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
DevOps at Cloud Expo – being held June 5-7, 2018, at the Javits Center in New York, NY – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Among the proven benefits,...
@DevOpsSummit at Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, is co-located with 22nd Cloud Expo | 1st DXWorld Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait...
SYS-CON Events announced today that T-Mobile exhibited at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on qua...