With the growth in social engineering used to breach organizations, there has been a growing chorus of security professionals that are pushing for more and better security awareness programs. However, Dave Aitel of Immunity, Inc. recently published an article that basically states that employee security awareness training is worthless and should not be done. While I understand Mr. Aitel’s frustration with employees’ being a security issue, to stop security awareness training is extremely foolish.
“The clients we typically consult with are large enterprises in financial services or manufacturing. All of them have sophisticated employee awareness and security training programs in place – and yet even with these programs, they still have an average click-through rate on client-side attacks of at least 5 to 10 percent.”
As someone in a consulting firm that also does social engineering assessments, I can confirm Mr. Aitel’s observation of 5 to 10 percent. However, I can also tell you that organizations we test that do not have a security awareness program or have limited security awareness training are averaging in the 20 to 30 percent failure rate. Based on our work in social engineering and discussions with other professionals that do social engineering, the 5 to 10 percent click through rate is unfortunately about the best you will get out of people. People are fallible, some more than others. So to just drop security awareness training is not a good idea unless you think doubling or tripling your risk is a good idea.
“Because they’re going to do so anyway, so you might as well plan for it.”
This statement is why Forrester recommends the “Zero Trust” security approach and why I developed the Ultra Secure Network. But while I whole heartedly agree with Mr. Aitel’s statement, I differ with Mr. Aitel on what that statement means.
Mr. Aitel implies that by improving all of your other security measures you can eliminate the potential that employees will screw up. Mr. Aitel naively believes that by auditing your periphery, improving monitoring, isolating and protecting critical data, segmenting your network, auditing employee access, improving incident response and instituting strong security leadership, organizations can prevent network threats and limit their potential range. As I always like to say, “In theory, theory works.”
Yes, there is no doubt that organizations need to improve their security posture. But Mr. Aitel seems to forget that employees are part and parcel of that security posture. Ultimately, employees, as well as contractors, business partners and others, need to interact with an organization’s information. Even if you significantly improve all of your other security controls, people still need to access and interact with an organization’s information assets. The bad news for Mr. Aitel is that people are fallible. To ignore that fact is foolish and to bury your head in the sand in the belief that you can prevent every social engineering attack with your other controls is sheer folly.
Security awareness training has its place, but it is not a silver bullet nor is any other security control or approach. The world is full of risks and a security professional’s job is to minimize those risks and manage the remaining residual risk. Any security professional that believes they can eliminate risk and sells management on that fact is not going to have a career for very long.
The ugly fact of life is that every security control only minimizes security risk and sometimes you get very lucky and the risk is minimized to zero. In the vast majority of cases there is some amount of residual risk even when a security control is in place. If your organization is unwilling to accept the remaining residual risk, then the business function causing that risk needs to be not performed. As I like to tell people that complain about the PCI DSS, “If you don’t want to comply with the PCI DSS and want to totally avoid a card breach, then don’t accept credit/debit cards for payment.”
So continue to conduct security awareness training, but do not mistakenly believe that it will stop people from creating an incident. Security awareness training only minimizes the risk that people will make a mistake, not eliminate that risk. This is why security is done in layers, so that when people make that mistake, your other security controls catch the mistake quickly and minimize the impact.