Channel: Depth of Defense » breach disclosure

‘The first step toward change is awareness. The second step is acceptance’


I saw an interesting headline from Information Week a week or two ago, ‘Don’t Blame China for Security Hacks, Blame Yourself.’  This is the kind of article I like as it removes the ‘woe is me’ (and FUD-driven) attitude that has been so historically popular in security.

If there's one thing I try to impress on readers here, it's that there are very real, and in many cases simple, steps companies can take to improve their security posture. One of the simplest is to accept that breaches happen and make sure your employees understand this as well. Talking to your employees about your own breaches doesn't happen often and takes a good amount of intestinal fortitude, but I'd argue it may be worthwhile for effecting real change inside your organization.

This is true not only for raising the awareness of non-security people, but often inside security functions as well. I was in a meeting a year or two ago where a company told our team that their last breach occurred in the '90s. We asked them if we could test their assertion and gained Domain Admin privileges six minutes (!!!) after our penetration test began. In short, we changed their awareness of how secure their organization was against outside attacks.

Real change only occurs when people know there is a benefit (or cost) to their actions. It is much more important to tell your employees that phishing cost the company $xx,xxx last quarter than to tell them not to click on phishing messages. No one intentionally clicks on a phishing message (unless they have an affinity for Nigerian princes), but everyone understands dollars, especially when put in a context they can picture (say, the number of iPads that could have been raffled off to employees in a random drawing).

Likewise, awareness programs that test basic knowledge rather than employee behavior have a much lower chance of making an impact on the company. You are unlikely to recall the questions or answers from the last awareness quiz you took, but you would certainly remember losing your computer for a couple of days while the incident response team conducted a forensic analysis on it.

Once the awareness program has been flipped on its head and people understand there may be a cost to their actions, your security program will slowly gain acceptance. This brings much better support inside the company and more aware end users, and it makes your job that much easier.
