Top 10 reasons NOT to do security awareness training
Sunday, February 3rd 2013 @ 1:18 PM
In anticipation of the Government of Canada’s upcoming Security Awareness Week (Feb. 11-15, 2013), here are some possible reasons why organizations haven’t put a security awareness program in place.
1- We’re not a target – Many organizations don’t feel they are a target for today’s attackers, often because they feel they aren’t big enough to be noticed. There’s growing evidence that attackers no longer care how big you are. There are many reasons attackers might target your organization that you might not have considered. Check out the infographic produced by Brian Krebs and SANS. People need to be aware of how they might be targeted.
2- We already have good firewalls and antivirus safeguards – Technical safeguards are very important, but every technology has limitations and every safeguard has vulnerabilities (contrary to popular belief). Where those vulnerabilities occur, people need to be informed.
3- Security awareness training doesn’t work – I recently heard a CISO say this. To paraphrase them, “We train them, and then they walk out and immediately do something we just taught them not to do.” Sometimes security awareness training consists of bulleted PowerPoint slides that regurgitate the corporate security policies. This will definitely not work. To be effective, security awareness training must provide context and examples of how breaches affect corporate productivity, liability, employee morale and even product or service quality. When people are engaged to think about the information security risks in their own jobs, in terms they understand, they can be a great asset to the security program.
4- We don’t have the budget – It’s a fact of business life that the squeaky wheel gets the grease. If you aren’t forced to think about it, nobody pays attention to it. Managing risks, however, is about understanding that threats change, and you need to anticipate them. If you’ve spent your last security dollar on technology and IT Security Operations staff, nobody will be prepared for social engineering attacks, and nobody will know when to report suspected incidents when they start happening to your organization.
5- We have the budget, but we don’t have the people – If you have spent your entire security technology budget, and hired IT Security Operations staff, there’s a good chance you’ve assigned “Security Awareness Training” to the Security Team. So, security awareness training is "on the radar", but it's not being actioned due to other priorities. However, the longer the Security Team delays implementation of staff training on security risks, the more likely the Security Team is to be consumed with incident response tasks. People must be educated that their help is needed to make the Security Team more effective. [Note from the Author: Most of my clients were in this position, or headed for it, before they hired me.]
6- We can’t afford to take our staff off their primary jobs for an hour – As a by-product of the attitude that security awareness training doesn’t work, most managers don’t want their team to be wasting time when they are already under productivity pressures. So, the need for training general staff must be compelling. Some of my clients are saying that a single security breach can cost $50,000 to $100,000 (in an organization of about 2,000 people). They also say that an increasingly common cause of breaches is employees clicking on non-work-related links or attachments in email (even in their Spam folders). So, if you can prevent even one “ignorance-based click”, the return on investment for an hour of every employee’s attention is worth it. After this initiative is completed, the benefits of further awareness activities, such as functional team-based training, can be put into perspective.
7- We use Linux – As with the organizations that feel their firewalls and antivirus are good enough, many organizations will rationalize some other technical factor that makes them immune from all security risks. While Linux – or any other “non-mainstream” technology – is not as popular a target for hackers in general, if your organization is a direct target or a stepping stone, you can bet the attackers will find ways around the technical obstacles and focus on your people through social engineering methods. They need to be ready to defend your information.
8- Our staff are young, and know how to manage today’s technology risks – While the younger generation is certainly more in tune with technologies like social media, they do not always think beyond their own personal sphere of influence. Witness the growing number of people who misjudge the impacts of their actions on their careers or their employers (such as the RCMP employee who accidentally tweeted that the RCMP “likes” the muppet Elmo on Saturday Night Live; or the Ontario Hockey League referee who made a disparaging tweet about the city of Sault Ste-Marie and got a huge public response). The examples are almost endless these days. So, they really need the corporate information risk environment to be put in context for them, relative to their personal actions.
9- Our staff are mature, and know how to manage all risks – The senior employees understand the importance of corporate responsibility, but often don’t realize how their good intentions can be used against them in social engineering attacks. They need to be ready to identify and report – or ignore – risky situations, and not exacerbate them.
10- We aren’t an information-based organization – Many organizations that aren’t entirely Internet-based consider themselves to be less vulnerable to information security risks. Manufacturing, construction, transportation and other sectors are focused mainly on the real-world products and services they produce or deliver. But almost every business now depends on the Internet and on information integrity to operate efficiently. Managers in these companies who believe they aren’t vulnerable to information security risks are among the first who should be educated about them, followed by their general staff, who are probably better able to appreciate the impacts on their jobs and productivity.
The Bottom Line
I've heard many other reasons against corporate security awareness training. Like the ones above, they often don't mesh with today's reality. They may be based on poor assumptions, or on lack of awareness at the management level of what the organization's target value and vulnerabilities are.
From my point of view, I've only ever heard good feedback on awareness programs that engage employees at the appropriate level of technical detail, and in terms to which they can relate. If any of the excuses above sound familiar, it might be worth rethinking your priorities and budgets for the coming year, with regards to Security Awareness Training.
If your organization is looking for innovative, cost-effective security awareness tools or training, please call or email me at the coordinates below, or visit the Streetwise Security Awareness solutions page to learn more.
The Streetwise Security Coach
Join the Streetwise Security Zone at:
Twitter ID: http://www.twitter.com/streetsec