Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why you shouldn't train employees for security awareness

Dave Aitel | July 19, 2012
If there's one myth in the information security field that just won't die, it's that an organization's security posture can be substantially improved by regularly training employees in how not to infect the company.

We've also found glaring flaws--like SQL injection, cross-site scripting, authentication, etc.--in the training software used by many clients. This is more humorous than dangerous, but it adds irony to the otherwise large waste of time these applications represent.

Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization. Because they're going to do so anyway, so you might as well plan for it. It's the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee--and if these measures fail, that the network is properly segmented to limit the infection's spread.

Here's what organizations should do instead of wasting time on employee training:

Audit Your Periphery -- Websites, back-end databases, servers and networks should be thoroughly audited on a regular basis for vulnerabilities&msdash;both by internal security personnel and external pen-testers. They should be rigorously tested against current and most likely attacks. Had Citigroup's website been tested for basic web application flaws, it could have avoided the June 2011 attack that compromised 200,000 customer accounts. This is both cheap and easy to take off the table.

Perimeter Defense/Monitoring -- Robust perimeter defenses should be in place, and regularly tested. These should be protecting the network from both intrusions and data exfiltration. Data exfiltration monitoring should also be ongoing.

Isolate & Protect Critical Data -- What valuable information does your business store in online databases? Classifying business data should be near the top of the CSO/CISO's to-do list. He or she should thoroughly examine the information stored online and locate critical data offline or behind strict network segmentation.

Segment the Network -- Segment your networks and information so that a successful cyber attack cannot spread laterally across the entire network. Had RSA done this, it might have prevented the theft of its SecurID tokens. If one employee's PC is infected it shouldn't be able to spread laterally through the entire system.

Access Creep --What level of access does each employee have to the network and critical data? How well is this monitored? Limiting unnecessary access is another key element of an effective security posture.

Incident Response -- Proactively examine important boxes for rootkits. You'll be amazed at what you find. And finding is the first step to actually building a defense against "Advanced Persistent Threats."

Strong Security Leadership -- For a company to have a CSO/CISO isn't enough. The chief security executive should have meaningful authority too. He or she should have "kill switch" authority over projects that fail to properly account for security, and real say over security's percentage of the budget. A strong security program should have at least the same budget as the marketing department.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.