The awareness module on 'email and messaging security' is coming along nicely, with just 4 days until our usual end-of-month delivery deadline.
We could easily consume at least another month refining the materials, getting further into some of the technical issues and digging up more news, security controls and related issues to discuss ... but in the end we'd still only have a single awareness module on a particular topic, focusing on a small part of the information risk landscape. It's better to complete and deliver what we have, then turn the awareness spotlight to illuminate a different part of the landscape next month.
Yesterday I read "Be Compromise Ready: Go Back to the Basics - 2017 Data Security Incident Response Report", a glossy survey report by BakerHostetler that started out strongly by acknowledging the value of employees as part of an organization's cyberdefense:
"Employees are often cited as a company’s greatest asset. In the cybersecurity arena, they can also be a liability. While these numbers reinforce the ongoing need to focus on effective employee awareness and training, they also show that a defense-in-depth approach is necessary because even the best trained employees can make mistakes or be tricked."
Unfortunately, the report went on to "recommend both new hires and current employees receive annual training regarding the dangers of phishing emails": how would you interpret that? I suspect many readers would take it at face value, coming away with the idea that training employees (staff, I guess) once a year on phishing is both necessary (I agree - it is a real and present danger) and sufficient (I strongly disagree).
On the 'defense in depth' point, for instance, do they honestly expect the IT, HR, risk, security and compliance people to appreciate and fulfil their roles in adding, strengthening and maintaining the layers of protection? How and why, when they have so many other things to do? And are management expected to 'just know' the value of information security in enabling the achievement of business objectives, having picked that up through some diffuse/obscure educational process? No wonder so many information security pros complain about lack of management support and funding. Evidently either it doesn't even occur to them to inform and persuade management, or they don't put nearly enough effort into management-level security awareness.
As to the idea that "annual training" is enough to teach people anything important, well that's plain crazy. Imagine if road speed limits were scrawled on bits of paper or cardboard, displayed along the roads once a year then left to rot. Imagine if everyone was required to attend a once-a-year stern lecture on the "Dangers of smoking", with no further warnings or education.
And what about all the other cybersecurity incidents and controls identified in the report besides phishing, let alone those not even mentioned (important stuff such as risk management, ethics and accountability)? It would have been more helpful if the report acknowledged that phishing is AN awareness topic, not (as strongly implied) THE ONLY THING worth covering.
With over 60 information security topics in our awareness portfolio already, we're busily spinning plates on sticks, hoping none of them fall. As if the show isn't dramatic enough already, we're spinning up new plates from time to time ... such as a brand new module on 'cybersecurity' to come in 3 months' time.
Although it isn't even vaguely suggested as a possible security awareness topic, the BakerHostetler survey report does mention cyber insurance, dispensing a few bullets of basic advice (see page 17). Having just started to research the topic in preparation for designing and preparing another NoticeBored module for delivery in August, it's already clear that there's much more to say. We've picked up the stick and plate, and soon we'll set it a-spinnin'. But first, the email and messaging security plate is not quite up to speed and several others are wobbling alarmingly!