It is an old mantra in IT security that the user is the weakest link, but it is one that must be addressed. Technology helps: for example, single sign-on (SSO) systems with strong authentication get around the problem of having to remember multiple usernames and passwords, and data loss prevention (DLP) systems help stop users from doing daft things ("do you really want to email the draft earnings statement to a journalist?").
However, another mantra is that the only real way to reduce the IT risks introduced by users is better education in the way they use devices and applications - education, education, education, as an aspiring UK Prime Minister Blair once opined! But how do you achieve that in an environment where the nature of the risk and the technology in use are constantly changing, and the acceptable risk level varies with job role? Furthermore, how do you check that any education programme is working?
One answer to the first question is enforced self-paced education where employees are required to undertake certain training modules on a regular basis and their scores are recorded. An element of competition can be introduced; poor performers and tardy test-takers can be taken to task, whilst those who stay on track can be left in peace. Such training systems are available from a number of providers with portals that allow you to set programmes by job role and benchmarks for the sort of scores that should be achieved.
Quocirca has been taking a look at a couple of the offerings and put itself through some of the training modules from one vendor. Some are fairly specialist, for example PhishMe, a vendor Quocirca met with at the Eskenzi PR IT Security Analysts' Forum earlier in 2013. As its name would suggest, it specialises in training and awareness around email, SMS etc., especially spear-phishing (the use of tailored online communications targeted at individuals). The key thing about PhishMe's "programme" is that it does not just address training; it also helps measure success by sending spoof phishing emails and gauging changes in user behaviour as the training progresses.
Another vendor Quocirca has been speaking to is Wombat Security Technologies. Its SaaS-based systems address a much broader set of security requirements, with 14 modules covering issues from data protection awareness to social engineering.
It too monitors the activity of users and is able to launch simulated attacks and security incidents to test improved awareness through its newly upgraded Cyber Strength dashboard and reporting tools. Wombat cites statistics from one customer, where an initial run of a training campaign had a 35% failure rate which was reduced to 6% on the second run.
Whilst US-based Wombat does not have a direct Europe presence it does have German, French, Italian, Portuguese and Spanish versions of its products and is recruiting local partners. A global agreement with EMC's RSA security subsidiary is also active in Europe.
So, what is it like to do the training? On behalf of Quocirca, I worked through some of the modules. Here is how I got on:
· Smartphone Security - 13/16 (I was also inspired to check a couple of security settings on my mobile device during the test, for example its Bluetooth settings)
· Email Security - 24/33
· PCI DSS - 13/16
Could I do better? In fairness to me, some of the answers that I got wrong were a little subjective and many of the lost points were due to excessive caution; perhaps better than being too far in the other direction.
- "Is it safe to make a mobile call in a restaurant?" The correct answer is "yes" apparently; the phone is less likely to be stolen than on the street (albeit it is unsociable to other diners). I answered that it was unsafe, as a call may be overheard (in fairness to Wombat, the section was on physical security of devices).
- "Is a bank's physical address in an email something to be wary of?" Correct answer "no". I answered yes, thinking that if it was a spoof address I may be tempted to check it first before using it for correspondence. That said, there was some contact info to the right of the screen that, with hindsight, I should have checked.
Anyway, no excuses: I made some genuine mistakes, overlooked some obvious things and skimped on some detail. The training was easy to understand, the graphics clear and the methodology interesting and varied, and it did not feel patronising as some such training is prone to do, even for someone who is supposed to know a thing or two about IT security. I will take the tests again at some point and I expect I will do better, which is the whole point.