Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/13/2017
10:30 AM
Tom DeSot
Tom DeSot
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Sorry State Of Cybersecurity Awareness Training

Rules aren't really rules if breaking them has no consequences.

In today's dangerous cyberworld, corporations often say that cybersecurity is now a top priority for them, especially after all the massive data breaches we've been hearing about on a day-to-day basis. But one has to wonder, if that's case, why are so few companies doing cybersecurity training properly?

Sadly, the most common and detrimental thing that many companies are doing wrong when it comes to training employees on cybersecurity is a big one: they aren't doing it all.

Regardless of industry or company size, I've seen way too many companies that aren't implementing any sort of cybersecurity training, not even at employee orientation. It's also important to note that the companies that do implement security training, but only conduct it at new-hire orientation and then never mention it again, are not much better. Many companies fall into this category.

While employees are getting some sense of what to look out for when they receive training, the threat landscape changes so quickly that the information becomes obsolete within weeks or months and, without regular reminders, it's out of employees' minds quickly. In other words, the information is no longer top of mind.

Finally, very few companies are having regular cybersecurity training programs and refresher courses. I recommend companies do training updates once a month throughout the entire year, and I only know of a handful of companies that are actually doing this.

The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what's learned. Again, I'm seeing almost no companies doing this, so employees aren't being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats.

Results in the Real World
The longest it has ever taken for me to hack into a company's system remotely through tactics such as phishing emails is minutes. Usually, I'm already in the system 10 minutes after the phishing email has been sent. When doing on-site tests, if we properly cased the company (which a good hacker will), we are in within an hour. This is a clear illustration of the need for better cybersecurity training.

For example, at one social engineering engagement I performed at a large oil and gas company, I was able to get into the organization and gain full run of the computer network in under an hour, and no one stopped or questioned me. While they did have an information security training program in place, no one was enforcing the practices being taught. Because I could penetrate their network so quickly, the CIO had to be in the exit interview with me, though that was not the initial plan.  

Another example is from a very large retailer. During the company's cybersecurity training process, I came in to do a social engineering test on the employees. The training should have been top of mind because the employees were currently going through it — the person who let me into the office even said that she was doing training at the moment and knew she was not supposed to let people in — but then she let me in anyway. I quickly gained access to the computer network once I was in the building, and there were no repercussions to the employees. This is a key example why there is much less likelihood that employees will be mindful of security practices that the company expects them to adhere to if there is no enforcement of the rules.

Simply put, there must be some sort of policy and enforcement in place for not adhering to security policies, such as a counseling session, but I see no companies doing this. Without enforcement, employees see the training as onerous. They simply ignore what they have learned, or don't take the training at all, claiming that they're too busy.

To be effective, companies need to stop treating cybersecurity training like a box to check off for compliance purposes and take it seriously. Once that happens, employees will take it seriously as well.

Related Content:

As the Chief Information Officer of Digital Defense, Tom DeSot is charged with developing and maintaining relationships with key industry and market regulators; functioning as the "face of DDI" through public speaking initiatives, identifying key integration and service ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KatherineM394
50%
50%
KatherineM394,
User Rank: Apprentice
6/14/2017 | 6:28:24 PM
Cybersecurity Awareness Training for U.S.
Great point! CyberTraining 365 is my recommendation for U.S. based companies. They're accredited and aligned with NICE (framework outlined by the National Institute of Standards and Technology) as well as accredited by EC-Council and partnerships with industry experts. They do both technical and awareness training.  https://www.cybertraining365.com/cybertraining/Home 
LindsayCybSafe
50%
50%
LindsayCybSafe,
User Rank: Strategist
5/24/2017 | 9:08:48 AM
Mouse clicks = sword of Damocles
Joe makes the good point - there needs to be audit-friendly, quantifiable evidence of employee cyber training to cover the CIO. Prefeferably, the most accrediated entreprise training package on offer. 

For the UK, Cybsafe does this - but for the US market I'm less sure. 
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/27/2017 | 5:23:13 PM
Re: Don't flog the peasantry.
PMerry,

Thanks for the feedback.

You are correct, the Board of Directors as well as senior management need to be held accountable as well.  Unfortunately, this is a "top down" initiative and must have senior level support in order for it to be successful. 

Again, thanks for the post, it is most appreciated.

Cheers.
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/27/2017 | 5:17:21 PM
Re: Great Article and spot on
ZSCHULER,

Thank you for the kind words, much appreciated!

Cheers!
tfdj
50%
50%
tfdj,
User Rank: Apprentice
1/23/2017 | 5:29:05 PM
Re: Don't flog the peasantry.
Joe,

Thanks for your reply!  I appreciate the feedback!

To be clear, I'm not suggesting that the only way that things can be done is by "flogging the peasantry", quite the contrary.  What I'm suggesting is that companies place the same amount of emphasis on ensuring that information security training is taking place as they do, with say, their office supply policy.  I've seen companies where an employee is taken to task for violating the office supply policy, yet when they don't complete their information security training, there's no consequence.

You are correct in that it needs to start at the top, because without C-Suite backing, the training program is more than likely going to falter and fail out of the gate.  Further, if the employees see that there are no repercussions from senior management then, by proxy, they are given carte blanche to ignore the training.

Cheers,

Tom 
pmerry
50%
50%
pmerry,
User Rank: Apprentice
1/19/2017 | 9:13:19 PM
Re: Don't flog the peasantry.
You're right. It's about accountability. If the leaders don't hold themselves accountable, they can't expect the rest of the organization to. A top down approach is needed for a successful cyber security training program and proper implementation and practice of policy.
zschuler
50%
50%
zschuler,
User Rank: Author
1/17/2017 | 8:20:09 PM
Great Article and spot on
The Author clearly knows what he is talking about.  There is actually a 3rd party service called NINJIO that seems to meet all of his requirements.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/14/2017 | 2:51:36 PM
Don't flog the peasantry.
Well put, but let me counter:

1) If something is everybody's job, it's nobody's job.  If employees whose primary tasks are to answer telephones or to do data entry or construct marketing plans or whatever engage in a cybersecurity failing, while there should be some remediation, instead of flogging the peasants, I propose punishing the generals -- and calling the CIO/CISO/etc. on the carpet -- because, ultimately, it's their failing.  If the front-line employees aren't properly trained and properly acting on that training, it's the trainers' fault and the fault of the people responsible for that training to begin with.

2) In a heavy-handed "flog-the-peasants" environment, employees -- even managers -- will be reluctant at best to come forward if they violate a policy that then results in a potential data compromise.  Consequently, there needs to be appropriate policy for this that doesn't use the stick so much as the carrot.  (I've written on this, for example, here: enterprisenetworkingplanet.com/netsysm/minimize-shadow-it-damage-by-encouraging-self-reporting.html ).
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.