Page 13 - Cyber Defense Magazine - September 2017
If you read the opinions of cyber security experts, you’ll find that many believe security awareness training is a total waste of time and resources. After all, why should individual users shoulder the burden of cyber security when most don’t even understand what it is? Rather than providing higher-quality training, they argue, you should strive to create a network environment that is immune to any mistakes your users might make.

In theory, this approach makes sense. Most people really are clueless when it comes to cyber security, and user errors are a common cause of data breaches. It’s also easy to understand the argument that users should not be expected to think about security, since it should really be wholly the responsibility of the IT department.

But here’s the thing: all of this is good in theory, and it just doesn’t translate into practice. In the real world, there is no combination of technical controls, security products, and network hygiene practices that can completely protect users from cyber-attack. As a result, if you’re serious about the security of your organization, there’s no getting around the need for high-quality security awareness training.

Why Improving Awareness is a Terrible Goal

A big part of the reason why most security awareness training is so bad is that it starts with completely the wrong objective in mind. Let’s be honest, what good did awareness ever do anybody? Does being aware that we should eat healthily make us less likely to take the kids to McDonald’s on the weekend? Clearly not. What we really need to improve are security behaviors.

Knowing this, we can start to think about what useful security training might look like. After all, everybody knows which poor security behaviors are the biggest causes of security incidents: improper data disposal, leaving laptops on trains, and, of course, clicking on links or attachments in phishing emails.
In fact, according to Verizon, over 90% of all data breaches include a phishing or other social engineering attack somewhere along the line. Knowing this, you can start to make sensible, proactive decisions about the future of security at your organization.

Of course, in some cases technical controls really are the answer. Nobody plans to lose their laptop or USB drive, but ensuring that all such devices are encrypted can dramatically reduce the impact of their loss or theft. Similarly, it’s reasonable to assume that no matter how good your security training is, some mistakes will still be made. Tightly controlling user access levels and implementing sensible network architecture, such as segmentation, are two ways of limiting the damage those mistakes can do.

But when it comes to a threat vector like phishing, technical controls can only do so much. Many phishing campaigns no longer rely on malicious software or downloads, yet they can still have a tremendous negative impact on your organization. Business email compromise (BEC) scams, for example, routinely trick low-level employees into authorizing huge payments directly into attackers’ bank accounts. Because such an email carries no malware and no malicious link for a gateway to detect, it is practically immune to technological security controls.
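As an added example (not part of the article), the following Python shows why a mail gateway that inspects only attachments and links reports nothing on a BEC message, and how far cheap header and content heuristics get before a slightly quieter BEC slips past them too. The three messages, the sender domains, the internal domain example.com and the function names (triage, payload_findings, bec_findings) are all constructed for illustration.

```python
"""Added example, not from the article: why controls that scan attachments and
links see nothing in a business email compromise (BEC) message, and how far a
content heuristic gets. All three messages are constructed; example.com is the
assumed victim domain."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the defended organisation
RISKY_EXT = (".exe", ".js", ".scr", ".hta", ".vbs", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://\S+", re.I)
TITLE_RE = re.compile(r"\b(ceo|cfo|coo|president|director)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|today|immediately|asap|confidential)\b", re.I)

# Constructed: a payload phish carrying a macro-enabled document.
MALWARE_PHISH = """\
From: "Accounts" <invoices@mailer-example.net>
To: alice@example.com
Subject: Invoice 4471 overdue
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see the attached invoice and remit payment.
--B
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--B--
"""

# Constructed: a noisy BEC. No link, no attachment, just a request.
LOUD_BEC = """\
From: "Dana Reyes - CEO" <dana.reyes@example-mail.net>
Reply-To: dana.reyes.ceo@example-mail.net
To: alice@example.com
Subject: Urgent wire needed today
Content-Type: text/plain

Alice, I am in meetings all day. Please process a wire of $48,500 today.
This is confidential, do not discuss with anyone. Thanks, Dana
"""

# Constructed: a quiet BEC opener that builds rapport before the real ask.
QUIET_BEC = """\
From: "Dana Reyes" <dana.reyes@example-mail.net>
To: alice@example.com
Subject: Quick question
Content-Type: text/plain

Alice, are you at your desk? I need a hand with a vendor payment. Dana
"""


def text_body(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(errors="replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")


def payload_findings(msg: Message) -> list:
    """What a gateway that only inspects attachments and links would report."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append("risky attachment " + name)
    if URL_RE.search(text_body(msg)):
        findings.append("link in body")
    return findings


def bec_findings(msg: Message) -> list:
    """Header and content heuristics aimed at BEC; QUIET_BEC evades all three."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN and TITLE_RE.search(name):
        findings.append("executive title in display name of external sender")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append("Reply-To differs from From")
    body = text_body(msg)
    if PAYMENT_RE.search(body) and URGENCY_RE.search(body):
        findings.append("payment request with urgency language")
    return findings


def triage(raw: str) -> dict:
    """Run both layers over a raw RFC 822 message and return what each saw."""
    msg = message_from_string(raw)
    return {"payload": payload_findings(msg), "bec": bec_findings(msg)}


if __name__ == "__main__":
    for label, raw in (("malware", MALWARE_PHISH), ("loud BEC", LOUD_BEC), ("quiet BEC", QUIET_BEC)):
        print(label, triage(raw))
```

Run as a script it prints the findings for each message. The attachment scanner flags the macro document and nothing else; the BEC heuristics flag the loud message on all three counts; the quiet opener, which merely asks for help with a "vendor payment" from a plain display name with no Reply-To trick, produces nothing from either layer. That last gap is the one only a trained recipient closes.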