Security training: Requirement or boondoggle?

Training is often cited as a critical component of the security puzzle because no security system is foolproof and users need to know the critical role they play. But others argue that too many security professionals rely on training as a cop-out, a way to duck responsibility and blame, and that the nature of attacks today makes training superfluous.

The Experts
James Armstrong, Jr.

Chief Information Officer of The Missile Defense Agency argues that people can be the weakest link, and training is a basic requirement to help safeguard the organization.

Michael Kohlman

Information Systems Manager at Cook Group says the threats morph too fast and we can’t possibly keep up, so focus the resources on something that will yield higher returns.

James Armstrong, Jr.

Training is a must have

Without security training throughout the enterprise, from end users to developers and even the C-suite, your firm puts customers, corporate information and reputation at high risk.

Case in point: An employee at a State Department of Revenue recently clicked on a malicious email link, a single act that allowed an attacker to obtain 3.8 million tax returns containing Social Security numbers and bank account numbers. Ultimately it cost over $13 million for the investigation, legal fees and purchase of identity theft monitoring services.

Social engineering attacks have proven time and again that people can often be the weakest link, but security training can turn the average user into a formidable asset. When users know and understand what traps to avoid (for example, untrusted websites and unknown email attachment senders) and what technologies to employ (say, using encryption tools to send sensitive information), the attack surface of the firm is greatly reduced. Savvy users are a key aspect of overall security.

But it doesn’t end with users. System developers need education and training on how to avoid the Common Weakness Enumeration/SANS Top 25 Most Dangerous Software Errors. These coding faults, according to CWE and the SANS Institute, are the most widespread and easy to exploit, allowing cyber attackers to take over software and steal your data. Training developers to recognize the vulnerabilities and how to avoid them will make intrusions into your systems less likely. This, in turn, gives customers more confidence in your services and your ability to protect their personally identifiable information.

Executives need special security training, too. They occasionally want to waive or relax security measures for their productivity or their staff’s convenience; however, they are often the most likely targets since they routinely handle the most sensitive information. With the right security training, executives will appreciate and support reasonable security practices both for themselves and their organization.

Security has to be a full team effort and it is not a pick-up game. Network operations defenders have to be constantly vigilant to stay ahead of the threats. If the first time net defenders encounter an advanced threat is during a real attack, they probably will not be successful against it. But, if they have trained against similar scenarios, they will know how to defend your network and systems.

And the training must be ongoing. Today’s workforce depends on their information systems to execute their responsibilities, and these systems are increasingly under cyber attack. Regardless of a corporation’s business domain, there are cyber actors working to harm them.  They might be hackers, cyber criminals or identity thieves. Their goals could be disruption, embarrassment, blackmail, or theft of proprietary data. Cyber actors use an array of tactics and tools and are improving their attack methods. As these evolve, so must we adapt and update our defenses and training to stay ahead of the threats. 

Affordable investments in security training can prevent significant cost and damage to systems and will also ensure employees understand the consequences of lost or stolen information. We owe it to our board members, our customers, and our employees to protect what we have worked so hard to build: our corporate success and reputation.

Requirement or boondoggle? A boondoggle is a wasteful or impractical activity. What could be more wasteful than suffering the consequences of a cyber attack, losing critical data and damaging your corporate reputation due to insufficient security training? 

A knowledgeable, trained workforce will help limit the attack surface from cyber threats and help ensure we protect proprietary information, our customers’ data and successfully execute our corporate mission.

The consequences of a cyber attack are too great to ignore. Sure, you will not be able to stop every cyber attack. But you better know and be able to prevent the most common attacks, know where your greatest risks are and how to manage these risks. Security training throughout the enterprise is a core requirement to keep the trust of your customers and employees, and to protect the firm’s hard-earned reputation.

The Missile Defense Agency (MDA) is a research, development, and acquisition agency within the Department of Defense. Our workforce includes government civilians, military service members, and contractor personnel in multiple locations across the United States.

Michael Kohlman

Strictly a boondoggle

Back in 1999 Bill Plympton did some outstanding animated shorts for GEICO around the premise that “We all do Dumb Things.” His little cartoon character, for example, can’t resist pushing a button while standing in front of a cannon, resulting in … you guessed it. (You can still find them on YouTube if you want a laugh.)

And you know what? We all do dumb things. Whether you later chalk it up to good social engineering, distraction or the little devil on our shoulder whispering “Go on, do it,” the moment will arrive for all of us when we act unthinkingly or impulsively and pull the trigger on loaded IT weapons of mass destruction.

Examples:

* A company has an outbreak of a zero-day malware that makes it through three layers of content filtering (cloud-service, mail server, desktop) to approximately 1,000 mailboxes. From a social engineering standpoint the email looked legitimate and the typical recipient involved was fairly well-trained about unsolicited emails with attachments. Only seven people opened the attachment, which from an educational ROI viewpoint is a 99.3% success rate. Yet it still involved dozens of hours of clean-up by support staff.
* A legitimate, respected, and highly-visited web site was compromised with a Java script-based application. While the malware was intercepted by one of two security systems, there were repeated attempts to return to the URL after every block/clean warning received because most visitors to the site considered it to be above reproach. In this case, while there was a good outcome, no end-user training I can think of would have prevented an infection from a trusted source.
* A family member who had been “trained” to the point where they have not compromised their system for several years gets a shipping notice from Amazon during the holidays, where they had items on order. Only it wasn’t UPS or Amazon that the tracking link went to. Bury this in a pile of legitimate notices and even the most educated person is liable to make a mistake.

From a security standpoint these moments will never end, and no one has the budgetary resources to ensure we will get 100% never-going-to-do-a-dumb-thing compliance at the end-point level.

As IT leaders we cannot train for this. Statistically the odds are against us and the amount of resources that can be devoted to IT security will always be finite in nature.

Instead, these resources should be devoted to areas of focus that will yield higher returns. Three examples with a far higher ROI come to mind:

* Border control and monitoring: Almost no operation today can deploy an “air-gap” defense (and as Stuxnet proved, even a physically isolated network can be breached), but since the vast majority of compromise efforts today are focused around establishing links back to remote Command and Control systems, payoff can be had by monitoring the entry/exit point for those communications.
* Instituting integrated security practices in all internal software development initiatives: A huge return can be gained by training development and deployment teams to vet and ensure all code is secure before being rolled out. You can also get a big bang for the buck by ensuring the deployment team is educated in the OS and Application Layers, that good communication channels are established and that update plans exist when flaws are discovered.
* Defense-in-depth: Still the old standby and one of the best ways to ensure that, should a compromise occur, there is more than one detection and mitigation method in place.

Lastly, IT should make friends with HR. Because while I believe allocating IT resources to user education is something of a boondoggle, most HR functions already have orientation and continuing education programs in facility security, crisis management and procedures and policies.  This is the group that is best equipped to handle the organization-specific education of things, such as the appropriate use of company resources.

The security role is a thankless one, largely because, while the war can be won, battles will continue to be lost along the way. We need to get past that fact and acknowledge that a large part of security is going to be an investment priorities issue where we have to decide what is giving us our best bang-for-the-buck. Once that is done I believe it becomes clear that investing significant resources in trying to educate people about how to use IT securely is not the way to go given the number that will eventually do a “Dumb Thing.”

Since 1963, Cook Group companies have been among the leaders in developing healthcare devices that have improved lives around the world. The COOK corporate family also includes companies that manufacture specialized industrial parts and offer commercial services in the travel, real-estate development and management, and retail fields.
