The Akamai Blog

Security Awareness Programs: Better Than Nothing

A while back, after we ran a post about SEA's phishing activities and DNS attacks, my old friend Dave Marcus -- director and chief architect of McAfee's Federal Advanced Program Group -- took issue with our advice that companies continue to push for better security awareness among employees and customers.

On Facebook, we had this exchange:

Marcus: Glances over what is REALLY needed and it ain't "awareness"

Me: Note that the bigger focus of the post was on the locks, etc.

Marcus: Locks is not the issue either. It's a human issue.

Me: Everything is a human issue when you get down to it.

Marcus: Yet no one really addresses that. They focus on "locks" and DNS security. Yet it's the human at the keyboard who is continually 0wned via the same vector.

Me: Yes, because they easily fall for the social engineering via such things as spear phishing. I agree "awareness" hasn't worked as intended. So my question to you is how, in your opinion, we address the human problem -- if that's even possible. And no, I'm not trying to give you attitude. Not this time, at least.

Marcus: Same way you train soldiers for battle or an MMA fighter for the ring. Actual training. Phish your employees. You cannot expect to defend yourself against phishing (or any attack) unless you are actually trained.

He made a good point. We often spend too much time on simply telling people what the threats are and what they should and shouldn't do. But we don't spend nearly enough time training them. Phishing employees is an effective exercise because in the end, the best way for someone to stop doing silly things is for them to fall into the trap and see the consequences.

Truth be told, I've written about phishing attacks for years, but still managed to fall for one a couple of years ago when someone who had hijacked a co-worker's Twitter account sent me a direct message suggesting someone was trashing me in a blog. It's an embarrassing episode I haven't repeated since.

That said, I believe we still need the basic awareness programs. 

The debate over security awareness programs is not a new one. Dave Aitel, CEO of Immunity Inc., argued against awareness training in this CSOonline.com post last year. The column was published shortly before Black Hat, and I got an earful about it once I got to Las Vegas (I was CSO's managing editor at the time).

The views on security awareness were split down the middle. Half the conversations praised Aitel for taking the unconventional position. The rest argued that having awareness programs -- limited as they are -- is better than having nothing at all.

I sided with the latter camp, and still do. There has to be a starting point. When you face a room full of people who know absolutely nothing about security, you have to start small by giving them an overview of the threats out there and steps they can take to avoid them. 

The problem is when companies don't take the next step and give people concrete training. At Akamai we constantly follow up with employees after the initial awareness talk and require ongoing rigor in everything from using complex passwords to locking a machine when stepping away from the desk.

Marcus is wise to suggest companies do things like phishing employees. As I said, falling for a trick is as concrete a lesson as you can have.

But we'll always have to start with that basic discussion, however limited it may be.


Larry Brock, former DuPont CISO, agrees with you: while we have context-aware technology for real-time feedback and blocking, we still need the hearts and minds of our users to help.

Bill, the issue is that you and Dave never define what awareness is, or what a good awareness program is. An awareness program by definition attempts to get people to change their behavior. It is not watching a video and taking a 3-question quiz, which is security training...not awareness. Technically a phishing campaign would be part of awareness training. While I am friends with Dave, it would be interesting to see what he thinks "awareness" is.

Just like there is bad anti-virus software, which Dave is familiar with and lets the malware portion of phishing through, there is bad awareness training. I assume that Dave would not want to condemn the entire malware industry because one vendor or product lets some malware through. It is the same with awareness. Dave should not condemn awareness as a whole, because many (frankly most) awareness programs are inadequate.

It is more a matter of making awareness programs better, as these things will continue to happen...and yes I have a bias.

Bill, your verdict is correct to some extent, but I think that security awareness programs need to be more practical and approachable to make more and more people aware. I believe that these kinds of programs should properly relate the consequences of faulty choices, allowing individuals to see their importance.

I also think it's incredibly important to set aside time to train your employees about online security awareness. How do you suggest these trainings should be taught? How frequently do we teach them?