Small Business Defense – User Training

There was a general belief in the security community many years ago that user training was the only way to address security issues. Then we got slammed by tons of viruses and users all over clicked on links and ran attachments, basically doing exactly what we had all told them not to do. After spending weeks cleaning up the mess, the security community had a change of heart and basically took the stance that user training was a waste of time, and that we need better technology.

Well, it’s time to change this again. The technology doesn’t work. Sure, the technology is great for general threats. It’s good to keep certain applications from running. It keeps many network-based threats at bay. It can even be used to make the organization a bit more agile without too much risk.

However, it all comes down to one thing. No technology is smarter than a person, so everything we build tends to have a process somewhere that allows a person to override the security and effectively say “do it anyway”. Sure, we limit this ability to trusted people. Your executives’ time is highly valuable, so they may have local admin rights to avoid having to wait for help desk people. Your admins may need to bypass security controls to get their jobs done. There may not be many, but, in any organization, there are generally a few “special” people that are outside of the security system.

This makes the highly vulnerable to spear phishing attacks. All an attacker has to do is identify the special people, research them on the Internet, and send them an email that gets them to run something outside of the security controls. Then it’s all over.

There is only solution to threats that bypass the entire security system, and that is to build a new security layer to intercept the threat. Sadly, given the way people have to work, there is only one place to put this security… and that’s in their brains.

Any action that a high-profile person takes is, at minimum, reviewed and considered by their brain prior to it being done. Thus, the last layer in a security architecture has to be the people themselves.

No, don’t waste your time training the average user not to click on links or run attachments. Instead, deploy technology that makes these actions impossible. But then, when the executives explain to you why they are special and why they need to be exempt, your answer should be “sure, but you need training”.

Mitigate the risk with user training. Make sure that they know that they are being specifically targeted. Train them and document the training. Revisit them regularly.

If you are in a position of writing policy, try to build a system where you can test them on their training. If they fail the tests, they lose the rights to circumvent the security technologies.

Remember, the goal is to protect the business. The business, as well as the threats themselves are embodied in these “special” people. It is your job to protect them, even from themselves.