Early last year, International Data Corporation (IDC) forecast that worldwide security spending would reach $81.7 billion in 2017, an increase of 8.2% over 2016. That increase is driven by enterprises, from the Fortune 50 to small businesses, that keep searching for a ‘silver bullet’. The market produces dozens of new security vendors every month, each promising to solve all our problems. Yet, according to Verizon's 2017 Data Breach Investigations Report, 43% of breaches involved social attacks such as phishing, and 81% of hacking-related breaches leveraged stolen or weak passwords.
When people ask me about this trend, my advice is always the same: we are focusing on the wrong things. Look at the fundamental shift in the security paradigm over the past five years and you cannot ignore that traditional network boundaries have been erased, while the implicit trust we extend on social media drives many of our decisions. Prevention alone no longer works, so we shift to detection and response. Each of us carries at least one computer in our pocket that is as powerful as our desktop was five years ago, and it is always on and always connected.
Technology and protective controls are necessary, but we must shift our focus to what matters most: the weakest link, the user. Our duty as security practitioners is continuous user education and awareness, but we must be careful about how we approach it. When you are creating a security awareness program, consider the following:
- Make it relevant. Make it resonate with your audience. Give real-life examples from work or personal experience to show why your message matters to them.
- Praise and reward. Use positive reinforcement. If five out of a hundred people clicked on a simulated phishing email, report “we had a ninety-five percent resilience rate” rather than “we had a five percent failure rate”.
- Test, train, and test again. Consistency matters: run exercises such as simulated phishing regularly and use the results to tune your program.
- Just-in-time training. Immediate training is the best way to modify behavior. Correct mistakes as soon as users make them.
- Be creative. Computer-based training (CBT) modules are boring. Engage your audience. If you are using PowerPoint, make it dynamic. Many good short videos are available for free on YouTube.
And most importantly, as we embark on 2018, remember to focus on the weakest link!