Think your users just don't get it when it comes to security? Senior execs may go so far as to consider end-user training a waste of resources. Immunity CEO Dave Aitel famously caused a stir when he wrote an article for CSO about why you shouldn't bother. You'll just confuse them, he said. Better to focus on network threats.
But that attitude can lead to a host of problems: USB-introduced viruses, logins phished from end users who interact with convincing email bots, the hazards of the unsecured IoT, the risks of BYOD or mobile, and any other opportunity for a data breach due to poor end-user awareness and action.
How do you bridge the gap between IT pros and end users when it comes to the importance of infosec? Here are some reputable end-user training tactics.
Rob Cheyne, CEO and founder of Big Brain Security, says this is crucial to end-user training in security. How? By addressing real-world, industry-relevant cases. If you're training staff in retail, reference the 2013 breach at Target. Give them the bottom line: The cost to settle class-action claims from lenders seeking to hold Target responsible for their costs to reimburse customers was $39.4 million. Most industries have their version of this debacle, and it'll absolutely resonate.
Give Them a Compass
Discuss what attackers go after. Cheyne is typically issued a badge to enter a client's building, but he's tried to get in without presenting it in order to test their protocol. "I pretty much succeed 100 percent of the time," he says. "Once in, nobody's going to notice me. Then I get to break all the assumptions they had about their security model." If end-user trainees don't already have a good image of what attackers actually target in their organization, encouraging this exercise can prime the pump.
Wash, rinse, repeat. Employees come and go, taking all that end-user training with them. They're not always replaced either, meaning support may have even fewer staff to devote to training. It's not a one-off thing; you have to keep drilling it in. Expect to repeat yourself, but by embedding this into your onboarding process it shouldn't hinder day-to-day ops.
Show How They Become Targets
This is where end-user security training gets fun. Kevin Young, Senior Security Administrator at Utah Valley University's College of Technology and Computing, shares the demos he's presented when communicating complex topics to a non-technical audience. The key? Don't get mired in technical details. Here are some ways he got his points across:
- Weak passwords. Young set up his laptop running a password cracker in a command window. Then he minimized the PowerPoint presentation so the audience could see the password-cracking window on the side as it detected weak passwords. As he worked through each slide, he made basic comments about the logic behind this process, all while letting the passwords pop up and scroll off the screen. "They get the idea quickly," he says.
- Social engineering. Young brings an empty Cisco box to the class and pretends to struggle at the door. A student will almost always open it for him without checking his credentials. "A perfect lead-in to the subject material," he says.
- Identity theft. Young shows people a caller ID spoofer, which allows users to call people while displaying a forged name. The takeaway for end users: Just because caller ID makes it look like the police are calling doesn't mean they — or any law enforcement, for that matter — are actually calling.
- Take photos. Walk around your organization and snap some discreet pictures of the office during the day. Show end users the unattended doorway, the passwords written under keyboards or those stuck onto monitors with sticky notes. These basic habits are major security weaknesses, and they should know that.
Above all else, don't assume end users understand anything. Spell it out in nontechnical terms, and once you're done, expect to do it again.