Security Awareness Training: The Single Most Important Cost in IT Security

Targeted spearphishing is not going to go away; it will most likely increase as threat actors garner more success

Ok, ok, I know the title is a tad dramatic but hear me out on this one.

A well-known computer security professional and former NSA research scientist wrote an editorial back in July 2012 stating, "Money spent on security awareness training, is money wasted." Dave Aitel, a respected individual in the world of Computer Security and current CTO of Immunity, made this statement in light of the fact that several high profile intrusions had occurred at the hands of employees who were targeted in spearphishing attacks, some of which lacked sophistication. I disagree with Mr. Aitel's statement above; I do, however, find the recommendations listed in his article to be spot on, and practical when combined with an educated user base.

But honestly, plunging your head into the sand does not make the problem go away. In fact, you are making the problem worse for those who pose the greatest risk to your network: your users. Targeted spearphishing is not going to go away; it will most likely increase as threat actors garner more success from these types of attacks. Technology alone cannot prevent or stop these types of intrusions; you must educate your users in a manner that highlights their importance and role on a company network. Every user poses a risk, every user is a potential victim, and every user should understand the gravity of their actions on a corporate network.

Here is another thought that entered my mind: "How much does a security awareness program actually cost a company to implement, maintain and test?" Certainly not as much as the cost to clean up the damage from a large scale intrusion. Oh, and add in the public's perception of your company after losing PII, credit card data or even intellectual property, plus the insurance, financial, and other consequences. It seems like an increased investment in Security Awareness with an emphasis on actual user education would be money well spent.

I do not dispute the fact that security awareness training, as it is currently broadly implemented today, is not an effective defense against even simple spearphishing attacks targeting users. This does not mean that we simply scrap the idea of educating our users. It means that we should improve the approach. Attacks against users are not static; they are very dynamic, and our security awareness training should evolve as the threat changes. The user can be treated as a line of defense against spearphishing attacks if they are properly armed with the information to recognize an attack. Long ago, when a castle was stormed by an enemy, everyone was responsible for protecting the kingdom, not just the guards at the gates.

Here are some ideas to more effectively communicate and educate users within the context of security awareness:

  • Employ a dedicated Cyber Security professional to develop the security awareness training: someone who not only understands the threats, but can interpret the real risks your company faces.
  • Create an environment for testing your employees that more accurately mimics what an outside threat would look like.
  • Perform monthly tests against your users with varying levels of sophistication. Do not settle for a once a year mandated training that has not changed over the years.
  • Remove the standard testing style from your security awareness program, with questions and correct answers followed by a certificate of completion. This approach rarely works at educating your users. Instead, use the results from your monthly tests to determine how well your employees understand the threat of attacks, and use this information to modify the approach. Target real education.
  • Get feedback from your employees in the event that they were enticed to click on a link or open an attachment. Find out what elements of the spearphish caught them.
  • Consider providing your users with a simple way to communicate with your security team if they are suspicious of a particular email, for example a mailbox monitored by the security group to which users can forward a potentially malicious or merely suspicious email. Make sure all of your users are aware just how easy it is to report a suspect message, and encourage them to report anything that they may question.
  • Finally, do not punish those users who were enticed to click on a link or download an attachment. Work closely with those who continuously fail your security awareness tests.
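As an added illustration (not from the original post) of turning the monthly test results into something actionable, the script below computes per-campaign click and report rates, tracks the click-rate trend, and flags users who clicked in consecutive campaigns so the security team knows who to work with; the campaign labels, user names and outcomes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: one row per user per monthly campaign.
# Fields: campaign label, user, clicked the lure, reported the message.
SAMPLE_RESULTS = [
    ("2012-08", "alice", True,  False),
    ("2012-08", "bob",   True,  False),
    ("2012-08", "carol", False, True),
    ("2012-08", "dave",  False, False),
    ("2012-09", "alice", True,  False),
    ("2012-09", "bob",   False, True),
    ("2012-09", "carol", False, True),
    ("2012-09", "dave",  True,  True),
    ("2012-10", "alice", True,  False),
    ("2012-10", "bob",   False, True),
    ("2012-10", "carol", False, True),
    ("2012-10", "dave",  False, True),
]


def campaign_metrics(results):
    """Return {campaign: (click_rate, report_rate)} in campaign order."""
    totals = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for campaign, _user, clicked, reported in results:
        t = totals[campaign]
        t[0] += 1
        t[1] += clicked
        t[2] += reported
    return {c: (round(n[1] / n[0], 2), round(n[2] / n[0], 2))
            for c, n in sorted(totals.items())}


def repeat_clickers(results, min_streak=2):
    """Users who clicked in at least `min_streak` consecutive campaigns;
    these are the people to coach, not punish."""
    by_user = defaultdict(dict)
    for campaign, user, clicked, _reported in results:
        by_user[user][campaign] = clicked
    flagged = set()
    for user, outcomes in by_user.items():
        streak = 0
        for campaign in sorted(outcomes):
            streak = streak + 1 if outcomes[campaign] else 0
            if streak >= min_streak:
                flagged.add(user)
    return sorted(flagged)


def trend(results):
    """Change in click rate from the earliest to the latest campaign;
    a negative value means the education is taking hold."""
    rates = [click for click, _report in campaign_metrics(results).values()]
    return round(rates[-1] - rates[0], 2)
```

Feeding real campaign exports into the same functions gives a month-over-month view that a once-a-year quiz score never will.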

Helping your users to understand just how important they are to the security of your company could be the single most important step to better protecting your network. The cost of education is likely the best money spent in effectively arming your users with the information they require to stop these types of attacks from succeeding. Remember, it only takes one.

October is the Department of Homeland Security (DHS) National Cyber Security Awareness Month. It is designed to engage and educate the public and private sectors through events and initiatives with the goal of raising awareness about cyber security.

For some excellent advice regarding other ways to better protect your network in the event of a successful host level intrusion, see page 2 of Mr. Aitel's article referenced above: here.

More Stories By Cory Marchand

Cory Marchand is a trusted subject matter expert on topics of Cyber Security Threats, Network and Host-based Assessment and Computer Forensics. Mr. Marchand has supported several customers over his 10+ years within the field of Computer Security, including State, Federal and Military Government as well as the Private sector. Mr. Marchand holds several industry-related certifications including CISSP, EnCE, GSEC, GCIA, GCIH, GREM, GSNA and CEH.
