So the debate goes on: should we train our staff not to do stupid things with email, Facebook and Twitter? Should we spend hours teaching and reinforcing the evils of the web? Should we bother training everyone, or train just those with access to sensitive information or vital systems? Or is it all a gigantic waste of time, because the bad guys manage to get in anyway?
Well, for the record, I have no interest in training companies. No preferred stock, no options, nothing. Which is fine, because I don’t have any of that anyway.
So here’s what I consider a well-organized training program.
- Trust no email. If you are like most of us, your email spam detector captures about 98 or 99% of the junk. That being said, it’s the other 1% that always gets you: the fraction of a fraction that bites you with a phishing scam or a drive-by download. RSA was undermined by a not very sophisticated spear-phishing attack, which claimed to be a spreadsheet about the corporate recruiting program.
- Trust no email. Again? Is this a typo? No: almost everyone has one, two or sometimes three web email accounts. If these are allowed to persist in your organization, how do you regulate control over them? Web email is the loose cannon that can undermine everything.
- Be wary of Twitter. Consider business-only accounts in which you screen whom you allow in and whom you keep out. It’s not a guarantee, but it narrows the field. Be wary of cute or funny stuff; chances are it’s malicious.
- Same for Facebook. Use only formal business accounts for work. Do not mix business and pleasure. It’s like water and gasoline – it goes up regardless. Don’t friend everyone; that’s like lighting a match to the gasoline. Watch for uncharacteristic behavior and other signs that an account has been faked or taken over.
- Do not give out credentials over the phone, no matter who asks for them. Don’t give them out at all. No one needs the credentials that badly; chances are the request is simply an overreaction or a clever piece of social engineering.
- Control privilege. If everyone has privilege, there is no privilege. Rein it in sharply. Use multifactor authentication in the more important cases and strong password policies (at least) where not. This is not strictly training, but if it is not applied it undoes any good the training might do. Apply the principle of least privilege.
The follow-up to every case of training is that it needs to be reinforced again and again. It sails in one ear and out the other. Back it up with a test (a simulated spear-phishing message) and see who falls for it. Bet your bottom dollar it’s most people. Use that experience to reinforce the training as an object lesson. Rinse and repeat often to make sure the lesson has sunk in.
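The test, reinforce, repeat loop only tells you anything if someone keeps score across rounds. The following is an added example, not code from the original post: it takes a constructed set of simulated-phishing results (the users, departments, rounds and outcomes are all made up for illustration), works out per round what fraction fell for the lure and what fraction reported it, lists who fell for it in more than one round, and checks whether the latest round is under a target rate you choose. It contains no lure or message content, only the scoring of outcomes.

```python
"""Score rounds of a simulated phishing test and pick who needs the refresher.

Added example; the results below are constructed, not data from any real campaign.
"""
from collections import defaultdict
from dataclasses import dataclass

# Outcomes that count as "fell for it": following the link, or worse, typing credentials.
FELL = {"clicked", "submitted"}


@dataclass(frozen=True)
class Result:
    round_no: int
    user: str
    dept: str
    outcome: str  # "reported", "ignored", "clicked" or "submitted"


# Constructed sample: six staff across three rounds of the same kind of lure.
RESULTS = [
    Result(1, "alice", "finance", "clicked"),
    Result(1, "bob", "finance", "submitted"),
    Result(1, "carol", "hr", "reported"),
    Result(1, "dave", "hr", "ignored"),
    Result(1, "erin", "eng", "clicked"),
    Result(1, "frank", "eng", "clicked"),
    Result(2, "alice", "finance", "clicked"),
    Result(2, "bob", "finance", "reported"),
    Result(2, "carol", "hr", "reported"),
    Result(2, "dave", "hr", "ignored"),
    Result(2, "erin", "eng", "reported"),
    Result(2, "frank", "eng", "clicked"),
    Result(3, "alice", "finance", "reported"),
    Result(3, "bob", "finance", "reported"),
    Result(3, "carol", "hr", "reported"),
    Result(3, "dave", "hr", "clicked"),
    Result(3, "erin", "eng", "ignored"),
    Result(3, "frank", "eng", "clicked"),
]


def round_metrics(results):
    """Per round: how many got the lure, what fraction fell for it, what fraction reported it."""
    by_round = defaultdict(list)
    for r in results:
        by_round[r.round_no].append(r)
    metrics = {}
    for round_no, rows in sorted(by_round.items()):
        n = len(rows)
        metrics[round_no] = {
            "recipients": n,
            "fell_rate": sum(r.outcome in FELL for r in rows) / n,
            "report_rate": sum(r.outcome == "reported" for r in rows) / n,
        }
    return metrics


def fell_rate_by_dept(results, round_no):
    """Fraction who fell for the lure in one round, broken down by department."""
    totals, fell = defaultdict(int), defaultdict(int)
    for r in results:
        if r.round_no == round_no:
            totals[r.dept] += 1
            fell[r.dept] += r.outcome in FELL
    return {dept: fell[dept] / totals[dept] for dept in sorted(totals)}


def repeat_offenders(results, min_rounds=2):
    """Users who fell for the lure in at least min_rounds distinct rounds: first in line for retraining."""
    rounds_fell = defaultdict(set)
    for r in results:
        if r.outcome in FELL:
            rounds_fell[r.user].add(r.round_no)
    return sorted(u for u, rs in rounds_fell.items() if len(rs) >= min_rounds)


def lesson_sunk_in(results, target=0.1):
    """True once the most recent round's fell_rate is at or below the target you set."""
    metrics = round_metrics(results)
    latest = max(metrics)
    return metrics[latest]["fell_rate"] <= target


if __name__ == "__main__":
    for round_no, m in round_metrics(RESULTS).items():
        print(f"round {round_no}: {m['recipients']} sent, "
              f"{m['fell_rate']:.0%} fell for it, {m['report_rate']:.0%} reported it")
    print("round 3 by department:", fell_rate_by_dept(RESULTS, 3))
    print("retrain first:", repeat_offenders(RESULTS))
    print("under 10% target yet?", lesson_sunk_in(RESULTS))
```

Two things worth tracking besides the headline "who clicked" number: the report rate, because a staff that forwards the lure to security is the real payoff of the training, and the people who fall for it round after round, since that is where the next dose of reinforcement should go. The 10% target is an arbitrary placeholder; set it to whatever your own risk appetite says.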
So, what’s wrong with this picture? Well, it shows that training must be applied relentlessly to have a positive effect. That gets expensive. I am not saying don’t do it, because I believe it can have a positive effect. But weigh the cost versus the benefit. If you don’t have unlimited money (who does?), then consider carefully whether you will spend a large amount of money on an ongoing program, on some stronger technology, or on cleanup on aisle 4.