A while back, after we ran a post about SEA's phishing activities and DNS attacks, my old friend Dave Marcus -- director and chief architect of McAfee's Federal Advanced Program Group -- took issue with our advice that companies continue to push for better security awareness among employees and customers.
On Facebook, we had this exchange:
Marcus: Glances over what is REALLY needed and it ain't "awareness"
Me: Note that the bigger focus of the post was on the locks, etc.
Marcus: Locks is not the issue either. It's a human issue.
Me: Everything is a human issue when you get down to it.
Marcus: Yet no one really addresses that. They focus on "locks" and DNS security. Yet it's the human at the keyboard who is continually 0wned via the same vector.
Me: Yes, because they easily fall for the social engineering via such things as spear phishing. I agree "awareness" hasn't worked as intended. So my question to you is how, in your opinion, we address the human problem -- if that's even possible. And no, I'm not trying to give you attitude. Not this time, at least.
Marcus: Same way you train soldiers for battle or an MMA fighter for the ring. Actual training. Phish your employees. You cannot expect to defend yourself against phishing (or any attack) unless you are actually trained.
He made a good point. We often spend too much time on simply telling people what the threats are and what they should and shouldn't do. But we don't spend nearly enough time training them. Phishing employees is an effective exercise because in the end, the best way for someone to stop doing silly things is for them to fall into the trap and see the consequences.
Truth be told, I've written about phishing attacks for years, but I still managed to fall for one a couple of years ago when someone who had hijacked a co-worker's Twitter account sent me a direct message suggesting someone was trashing me in a blog. It's an embarrassing episode I haven't repeated since.
That said, I believe we still need the basic awareness programs.
The debate over security awareness programs is not a new one. Dave Aitel, CEO of Immunity Inc., argued against awareness training in this CSOonline.com post last year. The column was published shortly before Black Hat, and I got an earful about it once I got to Las Vegas (I was CSO's managing editor at the time).
The views on security awareness were split down the middle. Half the conversations praised Aitel for taking the unconventional position. The rest argued that having awareness programs -- limited as they are -- is better than having nothing at all.
I sided with the latter camp, and still do. There has to be a starting point. When you face a room full of people who know absolutely nothing about security, you have to start small by giving them an overview of the threats out there and steps they can take to avoid them.
The problem is when companies don't take the next step and give people concrete training. At Akamai we constantly follow up with employees after the initial awareness talk and require ongoing rigor in everything from using complex passwords to locking a machine when stepping away from the desk.
Marcus is wise to suggest companies do things like phishing employees. As I said, falling for a trick is as concrete a lesson as you can have.
But we'll always have to start with that basic discussion, however limited it may be.