A significant part of a company’s security strategy is often conducting IT security training for users. But those attempts to raise awareness rarely help organizations avoid attacks, according to one security expert.
In some ways, a company’s employees are its first line of defense against cybercriminals and other threats. Many attacks are carried out by cracking a user’s poorly chosen password, infiltrating the network using malware on a user’s machine, or otherwise exploiting some mistake or negligence on the part of a user.
In fact, 78% of companies experienced at least one data breach blamed on malicious or negligent employees in the past two years, according to a Ponemon Institute study released in March.
Dave Aitel, CEO of security firm Immunity, Inc., doesn’t dispute the fact that users are often to blame for security incidents. But he does argue that increasing IT security training isn’t going to change anything.
In a post at CSO Magazine, Aitel lists several famous data breaches that occurred through phishing attacks targeting users — including breaches at eBay, Google and even IT security vendor RSA. Those are well-known, tech-savvy companies with employees who have most likely received top-notch IT security training.
Therefore, Aitel concludes, there’s no evidence that IT security training has any impact on actual security. He also points to a phishing experiment conducted at West Point in 2004. Cadets underwent four hours of IT security training and later were sent a benign phishing email. Despite the extensive training, 90% of them still clicked the link.
Aitel recommends organizations stop wasting time and other resources on training and instead focus on technical controls to keep threats from reaching users — such as segmenting the network, monitoring traffic, limiting access and conducting audits.
IT security training: One piece of the puzzle
Of course, not everyone agrees with Aitel’s assessment. Many of the comments on his post point out that while there may not be any statistical evidence on the effectiveness of IT security training, Aitel also has no evidence that the number of successful attacks would have been the same without training.
Also, as some commenters point out — and as many IT professionals would agree — no organization will ever be 100% technically secure. Likewise, no workforce will ever be 100% immune from being tricked, regardless of how much training they receive.
A better goal for organizations would be to combine awareness and training with technical controls to prevent as many attacks as they can.
Also, training should focus on changing users’ mindsets as much as educating them — in other words, IT must tell people what they should do, as well as get them to want to do it.
That’s not easy, especially because every audience is different. But strategies worth trying include:
- Mix in advice on how users can keep their personal information safe and prevent identity theft — that may help get people’s attention.
- Conduct in-house attacks to prove to over-confident users that they are also vulnerable to security threats.
- Show statistics on how much money businesses lose due to security incidents — and, if applicable, mention past incidents at your company and explain the damages that resulted.
- Train managers first and get them to stress to their employees that security is part of their jobs.
- Ask for input when developing security strategies — people will care more about a plan they helped come up with, and as users become more tech savvy they might have good ideas to offer, too.
- Take any chance you get to remind users about security — anytime a user interacts with IT is an opportunity to offer some kind of lesson or make a connection to a security-related topic.
- Offer warnings about current security issues — for example, emailing a warning about a new malware or phishing scam will help prevent those specific attacks and keep security fresh in people’s minds.
What do you think — is IT security training a waste of time? What has your organization done to improve training? Share your opinion and experiences in the comments section below.