It is now common knowledge across the information security industry that human weaknesses, not technological flaws, are what put enterprises most at risk from cyber attacks.
But, it is apparently not common enough throughout the enterprise sector. A recent report by Enterprise Management Associates (EMA) found that 56% of workers may not receive any security awareness training (SAT) at all.
The report, titled "Security Awareness Training: It's Not Just for Compliance," is based on a survey of 600 people working for companies ranging from fewer than 100 employees to more than 10,000.
Any doubts about the need for SAT should have been dispelled by last year's Verizon Data Breach Investigations Report (DBIR), which found that four out of five breaches were caused by stolen credentials usually the result of social engineering attacks or weak passwords. And there is abundant evidence that social engineering attacks have become much more sophisticated, and therefore successful.
Jeffrey Bernstein, executive vice president of Critical Defence, whose firm does post-breach forensic investigations, said he knows first-hand that, "more often than not a human mistake is the root cause of most successful breaches that we investigate."
He said in the social engineering element of penetration tests done by his firm, 75% of the time, "we tricked end-users into doing something they should not have done, like click a malicious link, enter a user name and password, open a malicious attachment, etc."
And that lack of training for a majority of workers shows in their risky behavior. As noted in a SecurityWeek story on the EMA report, about a third (33%) reported using the same password for work and personal devices; just over a third (35%) said they had clicked on an email link from an unknown sender; nearly two thirds (59%) said they stored work information in the cloud; and nearly as many (58%) said they stored sensitive information on their mobile devices.
David Monahan, research director, security and risk management at EMA, who defined the research criteria, noted the obvious problem illustrated by the results of the survey: "Many companies are not doing their part to educate their personnel on how to make appropriate security-focused or risk-based behavioral decisions," he said in a statement. "This creates a gap in the first line of attack their people."
Why such a lack of training? In an interview, Monahan said many companies don't see the value of SAT, "but that is often because they have very poor programs to begin with. They do not use best practices and often take a check-the-box' approach. Awareness training performed as a seminar, aka death by monologue' or death by PowerPoint,' will not get the attention and retention needed to affect change."
Jon-Louis Heimerl, senior security strategist at Solutionary, agreed, noting that even at companies that do have SAT programs, a "check-the-box" mentality sends a message to workers that, "the organization does not really care, which makes the employees not really care."
Heimerl said the problem is that, too frequently, companies don't strive to make the training relevant. "True security awareness is not just an introduction to some security concepts," he said. "You have to teach employees new habits, then encourage them to support those habits, and reinforce the good habits.
"And the security training has to work for that employee in that organization. What works for Pete at Big Blue Bank will probably not work for Mary at ACME Healthcare."
[Related: 11 tips to stop spearphishing]
Another problem is the fatalistic view that training is not worth the time and expense, since all it takes is one person to click on a malicious link and the enterprise is compromised.
To that, Monahan wonders if they have the same view of Transportation Security Administration (TSA) screening at airports, when, "it only takes one terrorist to get through and blow up a plane."
While acknowledging that one mistake can cause a major problem, "the goal of the programs is to reduce the attack surface and associated risk," he said.
Heimerl acknowledges that SAT, "can be of limited value if it does not change habits. But to say, we don't do security training because someone will fail,' is a defeatist attitude. That is like saying we will stop licensing drivers because someone crashed."
Workers seem to grasp the importance of training being relevant. When asked by EMA what they considered the most important attributes for SAT, the top two choices were "easy to understand" at 66%, and "easy to apply to real life" at 61%.
So, experts say, solving the lack of effective SAT is simple, but not easy. "Most organizations undervalue SAT, and undervalue the amount of energy it takes them to do proper awareness training, and undervalue the amount of time it takes employees to take proper awareness training," Heimerl said.
The good news is that, for enterprises that are interested, there is plenty of guidance available. The Information Security Forum offers 10 principles to embed positive security behaviors into employees. They include:
- Make systems and processes as simple and user-friendly as possible;
- Help employees understand why their security habits are important;
- Motivate workers to protect the business, and empower them to make the decisions necessary to do so;
- Don't simply give orders to employees sell them on security habits;
- Use multiple departments, like marketing and human resources, to help embed security behaviors;
- Hold employees accountable by rewarding the good and confronting the bad.
Another short list comes from Lance Spitzer, training director for the SANS Securing the Human Program, who told an audience at a recent conference that the most important thing a security trainer can do is personalize it. "Don't talk about how it affects the corporation," he said. "Start with how they can protect their kids online and their own mobile device. Let them see what's in it for them."
Beyond that, he said, the key principles are to keep it brief and focused on limited topics, and reinforce it with repetition but not too much repetition.
The EMA report validates that, noting that, "studies on learning effectiveness indicate that training is better in shorter sessions with repetitive content that students can practice while they learn." The report recommended that training be conducted at least quarterly since, "a simple piece of information must be heard at least three times by the average person to be able to recall it in short-term member, and up to 20 times to commit it to long-term memory."
To those recommendations, Bernstein added that it is crucial that SAT programs, "include content specific to the company's policies and procedures. This should typically include social media, acceptable use, data retention, and bring your own device policies when applicable."
Heimerl has similar advice. "Make sure that your SAT accounts for your people, the way they work, the culture of your organization, and your organization itself," he said. "Yes, that means it is harder since you can't just copy what someone else does."
That, he said, means using specific examples that will make the training, "as un-theoretical as possible. Use a phishing email that someone in your organization received. Use an example of social engineering that someone in your organization experienced."
Finally, he said there are creative ways to promote security. In one firm, he said, the CEO was trying to get people to wear their employee badges, to improve physical security. He sent an email saying he expected employees to challenge anyone not wearing a badge. He then walked around the building without his badge on, and when a low-level worker challenged him, he gave him a $100 bill. It happened twice more on his walk.
"By the end of the day, the stories of the $100 bills had circulated around the company and they evolved to near 100% compliance in about three hours," Heimerl said. "It cost them about 30 minutes of the CEO's time and $300. That may have been the best $300 they ever spent."