The more things change, the more they stay the same. Years ago, while working on an extremely large application security testing project, I asked a simple question: “Does anyone else have an issue with the fact that we keep fixing the same vulnerabilities over and over again and no one’s learning from the mistakes?” Lots of questions came to mind; one was, what is our responsibility as a company to push the need for security awareness training?
Flash forward to today and the question is still there. As information security practitioners, whether employed by a company or working as a consultant, how hard do we push this point? Do we bang that drum, or do we leave it at educating, presenting a reasonable need and letting leadership choose whether to address it?
In the example above I used awareness around writing secure code, which is obviously important, but what about general user security awareness training? This is an area that intrigues me, because it’s often an afterthought, or at least well down the list of priorities for the people tasked with securing the organization that employs them. Security awareness training doesn’t have the wow factor of something like Patch Tuesday or the latest and greatest exploit, but how does it look for a company that’s just been hacked and whose users have passwords of 12345? I can just hear the conversation at happy hour over drinks: “Hey, aren’t you the guy whose company got hacked and your people had three letter passwords?” Yeah, good times.
So why the need to push the subject? Because unlike external threats, where the majority of attacks are malicious, that’s just not the case with internal threats. Internally the greatest factor is either carelessness or just plain not knowing, not malicious intent. It’s probably fair to say that not knowing is still carelessness, just on the part of those responsible for providing the security awareness training.
So whether you’re talking about specialized security awareness training for writing secure code or more general security awareness for the average user, training doesn’t have to be an all-or-nothing approach. Awareness training can come in bits and bites; it just needs to be a regular part of the corporate security process. That way we’ll start to see less and less of the repeated mistakes and more and more smart security.