Commentary Sophos Security Insights
With Shared Power Comes Shared Responsibility
Security does not rest entirely on your users' shoulders, so don't make them feel like it does
It's National Cyber Security Awareness Month, and the official theme for the month is "Our Shared Responsibility." A bit trite, perhaps, but it's a message that is all too often lacking when security professionals communicate with users in their organizations. If you've ever felt that IT or the security group is public enemy No. 1 in your workplace, it may be time to rework your trainings, presentations, and email messages to integrate the shared responsibility message.
Suppose, for example, that you're delivering training to users on how to avoid malware. The classic curriculum goes something like this: What is malware? What are the types of malware? Where does malware come from? What should you do to prevent infection?
Now think about this training from the standpoint of the user. Most likely, she has been forced to attend a training for a topic of little interest to her. She then has to sit through a dry presentation about malware, ending with a laundry list of things she's supposed to do to make things better for the company and the IT department. She has gained nothing from the training, and additional responsibility has been placed on her shoulders. No wonder she finds security annoying!
Here's a different approach, which puts shared responsibility front and center, while offering a more compelling experience for the user at the same time. Suppose you structure the talk as a walk=through of a real or simulated malware attack. During or after the walk=through, you briefly explain the things IT is doing to prevent each stage of the attack (e.g., we've installed Web filtering to try to block drive-by downloads) and where you need users to help out by doing their part (e.g., avoiding opening of unknown files).
What is the user's experience this time? Her annoyance with having to attend the training is offset by seeing something new and interesting -- a real-world attack! Instead of feeling lectured to about what is expected of her, she is shown how her actions can help contribute to a broader set of security controls. And she may even find the occasional warning from the Web filtering system less annoying now that she has seen how it can be useful in preventing a type of attack that has been vividly implanted in her mind.
We humans are social animals. It's no wonder that we respond better to "we're all in this together" than "do it because I said so." National Cyber Security Awareness Month ends on Halloween, but "Our Shared Responsibility" should remain a permanent theme in your infosec communication and training strategy.
I recently delivered a Malware 101 webinar to members of the Center for Internet Security. The hour-long presentation, now available on YouTube, is geared toward a nontechnical audience. The presentation walks through a real attack, shows how selected security tools (not brand-specific) can help defend against malware, and explores some reasons that malware still exists despite the best efforts of the security community. Along the way, it defines common terms and explains basic concepts. Feel free to show it to your users (supplemented, of course, by what you're doing to protect them and how they can help) and/or take inspiration from it when creating your own lessons.