Photo Credit: Shutterbug459 via Compfight cc
In our industry we hear it all the time: the endless criticism of end users. They are the weakest link… they don’t have any sense… you can’t count on them to do the right thing… they’ll click on anything without thinking… While there is some truth to that, it is far from the whole story.
People, by their nature, are helpers. It is largely for this reason that social engineers are so successful. And how do we defend against social engineers? By making users aware of which behaviours are (and are not) safe, and giving them the judgement to notice when something doesn’t look right. The goal is not for them to diagnose exactly what is wrong, but to give them the tools and knowledge to know what to do and who to contact, so that someone qualified can investigate further. (That is actually a large part of our jobs: we exist, ultimately, to help users do their jobs securely.)
So many assume that because education and awareness don’t work 100% of the time, the effort is a hopeless cause. Let’s compare it to running a ‘Prevent’ defense in American football, which is used to defend against a team scoring on an obvious passing play:
- You know you have your best pass defenders on the field – you have multiple layers of protection in place.
- You know they’re going to throw the ball deep, looking for Hail-Mary success. Similarly, you know their phishing emails will reach end users, but will it be a catch (link clicked) or an incomplete pass?
But… (there’s always one of those, isn’t there?)
Sometimes the defender can’t cover the receiver as well as we would like. Maybe they’re shorter; maybe they’re slower; maybe they’re just having a bad day. (Or configured incorrectly!)
On occasion, the offense manages to beat the defense, and scores the game-winning touchdown. That doesn’t mean that the Prevent defense doesn’t have strategic value to a team, only that it is not infallible. In fact, it’s still the preferred defense when protecting a slim margin as time is running short in a contest. We don’t say, ‘Well, the Prevent defense wasn’t entirely successful this time, so we’re going to rip it from the playbook.’ Instead, we study the game film to see what went wrong, and find ways to reduce the risk of a touchdown in the future, and to tweak our Prevent D to give us better odds of success.
The same logic should be applied to effective end user awareness training: while it doesn’t eliminate the risk of a phishing or social engineering attack succeeding, it does reduce the number of attempts that succeed, and it shortens the time before someone reports the ones that get through. It is one of many plays in the security playbook, none of which, on its own, is sufficient to ensure a win. It takes a wide, varied, layered strategy to be successful.
We can’t defend against willful ignorance, but by working to make our users aware of the risks that we face, we can add a human layer on top of our technical defenses. The one thing I am sure of: doing something – anything – to educate users and make them aware is far and away better than doing nothing.