Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/13/2017
10:30 AM
Tom DeSot
Tom DeSot
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Sorry State Of Cybersecurity Awareness Training

Rules aren't really rules if breaking them has no consequences.

In today's dangerous cyberworld, corporations often say that cybersecurity is now a top priority for them, especially after all the massive data breaches we've been hearing about on a day-to-day basis. But one has to wonder, if that's case, why are so few companies doing cybersecurity training properly?

Sadly, the most common and detrimental thing that many companies are doing wrong when it comes to training employees on cybersecurity is a big one: they aren't doing it all.

Regardless of industry or company size, I've seen way too many companies that aren't implementing any sort of cybersecurity training, not even at employee orientation. It's also important to note that the companies that do implement security training, but only conduct it at new-hire orientation and then never mention it again, are not much better. Many companies fall into this category.

While employees are getting some sense of what to look out for when they receive training, the threat landscape changes so quickly that the information becomes obsolete within weeks or months and, without regular reminders, it's out of employees' minds quickly. In other words, the information is no longer top of mind.

Finally, very few companies are having regular cybersecurity training programs and refresher courses. I recommend companies do training updates once a month throughout the entire year, and I only know of a handful of companies that are actually doing this.

The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what's learned. Again, I'm seeing almost no companies doing this, so employees aren't being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats.

Results in the Real World
The longest it has ever taken for me to hack into a company's system remotely through tactics such as phishing emails is minutes. Usually, I'm already in the system 10 minutes after the phishing email has been sent. When doing on-site tests, if we properly cased the company (which a good hacker will), we are in within an hour. This is a clear illustration of the need for better cybersecurity training.

For example, at one social engineering engagement I performed at a large oil and gas company, I was able to get into the organization and gain full run of the computer network in under an hour, and no one stopped or questioned me. While they did have an information security training program in place, no one was enforcing the practices being taught. Because I could penetrate their network so quickly, the CIO had to be in the exit interview with me, though that was not the initial plan.  

Another example is from a very large retailer. During the company's cybersecurity training process, I came in to do a social engineering test on the employees. The training should have been top of mind because the employees were currently going through it — the person who let me into the office even said that she was doing training at the moment and knew she was not supposed to let people in — but then she let me in anyway. I quickly gained access to the computer network once I was in the building, and there were no repercussions to the employees. This is a key example why there is much less likelihood that employees will be mindful of security practices that the company expects them to adhere to if there is no enforcement of the rules.

Simply put, there must be some sort of policy and enforcement in place for not adhering to security policies, such as a counseling session, but I see no companies doing this. Without enforcement, employees see the training as onerous. They simply ignore what they have learned, or don't take the training at all, claiming that they're too busy.

To be effective, companies need to stop treating cybersecurity training like a box to check off for compliance purposes and take it seriously. Once that happens, employees will take it seriously as well.

Related Content:

As the Chief Information Officer of Digital Defense, Tom DeSot is charged with developing and maintaining relationships with key industry and market regulators; functioning as the "face of DDI" through public speaking initiatives, identifying key integration and service ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KatherineM394
50%
50%
KatherineM394,
User Rank: Apprentice
6/14/2017 | 6:28:24 PM
Cybersecurity Awareness Training for U.S.
Great point! CyberTraining 365 is my recommendation for U.S. based companies. They're accredited and aligned with NICE (framework outlined by the National Institute of Standards and Technology) as well as accredited by EC-Council and partnerships with industry experts. They do both technical and awareness training.  https://www.cybertraining365.com/cybertraining/Home 
LindsayCybSafe
50%
50%
LindsayCybSafe,
User Rank: Strategist
5/24/2017 | 9:08:48 AM
Mouse clicks = sword of Damocles
Joe makes the good point - there needs to be audit-friendly, quantifiable evidence of employee cyber training to cover the CIO. Prefeferably, the most accrediated entreprise training package on offer. 

For the UK, Cybsafe does this - but for the US market I'm less sure. 
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/27/2017 | 5:23:13 PM
Re: Don't flog the peasantry.
PMerry,

Thanks for the feedback.

You are correct, the Board of Directors as well as senior management need to be held accountable as well.  Unfortunately, this is a "top down" initiative and must have senior level support in order for it to be successful. 

Again, thanks for the post, it is most appreciated.

Cheers.
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/27/2017 | 5:17:21 PM
Re: Great Article and spot on
ZSCHULER,

Thank you for the kind words, much appreciated!

Cheers!
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/23/2017 | 5:29:05 PM
Re: Don't flog the peasantry.
Joe,

Thanks for your reply!  I appreciate the feedback!

To be clear, I'm not suggesting that the only way that things can be done is by "flogging the peasantry", quite the contrary.  What I'm suggesting is that companies place the same amount of emphasis on ensuring that information security training is taking place as they do, with say, their office supply policy.  I've seen companies where an employee is taken to task for violating the office supply policy, yet when they don't complete their information security training, there's no consequence.

You are correct in that it needs to start at the top, because without C-Suite backing, the training program is more than likely going to falter and fail out of the gate.  Further, if the employees see that there are no repercussions from senior management then, by proxy, they are given carte blanche to ignore the training.

Cheers,

Tom 
pmerry
50%
50%
pmerry,
User Rank: Apprentice
1/19/2017 | 9:13:19 PM
Re: Don't flog the peasantry.
You're right. It's about accountability. If the leaders don't hold themselves accountable, they can't expect the rest of the organization to. A top down approach is needed for a successful cyber security training program and proper implementation and practice of policy.
zschuler
50%
50%
zschuler,
User Rank: Author
1/17/2017 | 8:20:09 PM
Great Article and spot on
The Author clearly knows what he is talking about.  There is actually a 3rd party service called NINJIO that seems to meet all of his requirements.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/14/2017 | 2:51:36 PM
Don't flog the peasantry.
Well put, but let me counter:

1) If something is everybody's job, it's nobody's job.  If employees whose primary tasks are to answer telephones or to do data entry or construct marketing plans or whatever engage in a cybersecurity failing, while there should be some remediation, instead of flogging the peasants, I propose punishing the generals -- and calling the CIO/CISO/etc. on the carpet -- because, ultimately, it's their failing.  If the front-line employees aren't properly trained and properly acting on that training, it's the trainers' fault and the fault of the people responsible for that training to begin with.

2) In a heavy-handed "flog-the-peasants" environment, employees -- even managers -- will be reluctant at best to come forward if they violate a policy that then results in a potential data compromise.  Consequently, there needs to be appropriate policy for this that doesn't use the stick so much as the carrot.  (I've written on this, for example, here: enterprisenetworkingplanet.com/netsysm/minimize-shadow-it-damage-by-encouraging-self-reporting.html ).
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...