Vulnerabilities / Threats
1/13/2017
10:30 AM
Tom DeSot
Tom DeSot
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Sorry State Of Cybersecurity Awareness Training

Rules aren't really rules if breaking them has no consequences.

In today's dangerous cyberworld, corporations often say that cybersecurity is now a top priority for them, especially after all the massive data breaches we've been hearing about on a day-to-day basis. But one has to wonder, if that's case, why are so few companies doing cybersecurity training properly?

Sadly, the most common and detrimental thing that many companies are doing wrong when it comes to training employees on cybersecurity is a big one: they aren't doing it all.

Regardless of industry or company size, I've seen way too many companies that aren't implementing any sort of cybersecurity training, not even at employee orientation. It's also important to note that the companies that do implement security training, but only conduct it at new-hire orientation and then never mention it again, are not much better. Many companies fall into this category.

While employees are getting some sense of what to look out for when they receive training, the threat landscape changes so quickly that the information becomes obsolete within weeks or months and, without regular reminders, it's out of employees' minds quickly. In other words, the information is no longer top of mind.

Finally, very few companies are having regular cybersecurity training programs and refresher courses. I recommend companies do training updates once a month throughout the entire year, and I only know of a handful of companies that are actually doing this.

The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what's learned. Again, I'm seeing almost no companies doing this, so employees aren't being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats.

Results in the Real World
The longest it has ever taken for me to hack into a company's system remotely through tactics such as phishing emails is minutes. Usually, I'm already in the system 10 minutes after the phishing email has been sent. When doing on-site tests, if we properly cased the company (which a good hacker will), we are in within an hour. This is a clear illustration of the need for better cybersecurity training.

For example, at one social engineering engagement I performed at a large oil and gas company, I was able to get into the organization and gain full run of the computer network in under an hour, and no one stopped or questioned me. While they did have an information security training program in place, no one was enforcing the practices being taught. Because I could penetrate their network so quickly, the CIO had to be in the exit interview with me, though that was not the initial plan.  

Another example is from a very large retailer. During the company's cybersecurity training process, I came in to do a social engineering test on the employees. The training should have been top of mind because the employees were currently going through it — the person who let me into the office even said that she was doing training at the moment and knew she was not supposed to let people in — but then she let me in anyway. I quickly gained access to the computer network once I was in the building, and there were no repercussions to the employees. This is a key example why there is much less likelihood that employees will be mindful of security practices that the company expects them to adhere to if there is no enforcement of the rules.

Simply put, there must be some sort of policy and enforcement in place for not adhering to security policies, such as a counseling session, but I see no companies doing this. Without enforcement, employees see the training as onerous. They simply ignore what they have learned, or don't take the training at all, claiming that they're too busy.

To be effective, companies need to stop treating cybersecurity training like a box to check off for compliance purposes and take it seriously. Once that happens, employees will take it seriously as well.

Related Content:

As the Chief Information Officer of Digital Defense, Tom DeSot is charged with developing and maintaining relationships with key industry and market regulators; functioning as the "face of DDI" through public speaking initiatives, identifying key integration and service ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KatherineM394
50%
50%
KatherineM394,
User Rank: Apprentice
6/14/2017 | 6:28:24 PM
Cybersecurity Awareness Training for U.S.
Great point! CyberTraining 365 is my recommendation for U.S. based companies. They're accredited and aligned with NICE (framework outlined by the National Institute of Standards and Technology) as well as accredited by EC-Council and partnerships with industry experts. They do both technical and awareness training.  https://www.cybertraining365.com/cybertraining/Home 
LindsayCybSafe
50%
50%
LindsayCybSafe,
User Rank: Strategist
5/24/2017 | 9:08:48 AM
Mouse clicks = sword of Damocles
Joe makes the good point - there needs to be audit-friendly, quantifiable evidence of employee cyber training to cover the CIO. Prefeferably, the most accrediated entreprise training package on offer. 

For the UK, Cybsafe does this - but for the US market I'm less sure. 
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/27/2017 | 5:23:13 PM
Re: Don't flog the peasantry.
PMerry,

Thanks for the feedback.

You are correct, the Board of Directors as well as senior management need to be held accountable as well.  Unfortunately, this is a "top down" initiative and must have senior level support in order for it to be successful. 

Again, thanks for the post, it is most appreciated.

Cheers.
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/27/2017 | 5:17:21 PM
Re: Great Article and spot on
ZSCHULER,

Thank you for the kind words, much appreciated!

Cheers!
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/23/2017 | 5:29:05 PM
Re: Don't flog the peasantry.
Joe,

Thanks for your reply!  I appreciate the feedback!

To be clear, I'm not suggesting that the only way that things can be done is by "flogging the peasantry", quite the contrary.  What I'm suggesting is that companies place the same amount of emphasis on ensuring that information security training is taking place as they do, with say, their office supply policy.  I've seen companies where an employee is taken to task for violating the office supply policy, yet when they don't complete their information security training, there's no consequence.

You are correct in that it needs to start at the top, because without C-Suite backing, the training program is more than likely going to falter and fail out of the gate.  Further, if the employees see that there are no repercussions from senior management then, by proxy, they are given carte blanche to ignore the training.

Cheers,

Tom 
pmerry
50%
50%
pmerry,
User Rank: Apprentice
1/19/2017 | 9:13:19 PM
Re: Don't flog the peasantry.
You're right. It's about accountability. If the leaders don't hold themselves accountable, they can't expect the rest of the organization to. A top down approach is needed for a successful cyber security training program and proper implementation and practice of policy.
zschuler
50%
50%
zschuler,
User Rank: Apprentice
1/17/2017 | 8:20:09 PM
Great Article and spot on
The Author clearly knows what he is talking about.  There is actually a 3rd party service called NINJIO that seems to meet all of his requirements.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/14/2017 | 2:51:36 PM
Don't flog the peasantry.
Well put, but let me counter:

1) If something is everybody's job, it's nobody's job.  If employees whose primary tasks are to answer telephones or to do data entry or construct marketing plans or whatever engage in a cybersecurity failing, while there should be some remediation, instead of flogging the peasants, I propose punishing the generals -- and calling the CIO/CISO/etc. on the carpet -- because, ultimately, it's their failing.  If the front-line employees aren't properly trained and properly acting on that training, it's the trainers' fault and the fault of the people responsible for that training to begin with.

2) In a heavy-handed "flog-the-peasants" environment, employees -- even managers -- will be reluctant at best to come forward if they violate a policy that then results in a potential data compromise.  Consequently, there needs to be appropriate policy for this that doesn't use the stick so much as the carrot.  (I've written on this, for example, here: enterprisenetworkingplanet.com/netsysm/minimize-shadow-it-damage-by-encouraging-self-reporting.html ).
Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches
Dawn Kawamoto, Associate Editor, Dark Reading,  12/4/2017
The Rising Dangers of Unsecured IoT Technology
Danielle Jackson, Chief Information Security Officer, SecureAuth,  12/4/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.