In the past years, there has been a major focus on end-user training, as users are considered (and rightly so) the weakest link in the cybersecurity chain. I keep hearing more and more experts (and self-proclaimed ones) emphasise that we should train our users constantly. NIS2 specifically states that the training should include everyone from the intern to the CEO. But is this the right point to focus on? Is it the battleground where we can win the war?
Don’t get me wrong, I am 100% in favour of cybersecurity training, but should we rely solely on it? Would you leave a live electrical wire exposed in a building and say “I will heavily train all the inhabitants of the building to NOT TOUCH it!”? Would adding a big red sign with that statement make it 100% foolproof? Of course not! There will always be someone who will touch (click) it. Someone who will say, “It’s not my job to make it secure. You’ve built it, you make sure that it causes no harm.” And partially, they would be right.
When we buy an electronic device (at least within the EU), we expect it to have passed through a rigorous certification process (CE) that guarantees there is no way we can be electrocuted. The same expectation exists when you hand someone a corporate laptop. They expect that we have made sure it’s hacker-proof, no matter what they do with it!
So, I’ve been thinking: should we invest a big part of our budget in end-user training, or divert it into hard security controls (XDR, mail security, security hardening, etc.)? The answer isn’t binary—it’s layered. Whether we like it or not, users are – and will always be – the first line of defence. Even if we have modern tanks and laser cannons, we will always need a well-trained infantry. We should have baseline training for our users, but we should focus mainly on training our developers, our security engineers, our IT in general. In addition, we should have security controls that make our corporate cybersecurity foolproof. Even a very well-trained user can be tricked into clicking a link they shouldn’t (I know I have). They should get an “Action blocked by your Admin” message. That way we can have a multi-layered security approach and be able to sleep at night.
Right?
Right??
Right???
No!
Even if we do all of the above, it would amount to nothing without structured and tested policies and procedures. If the CFO can just call IT and request that the blocked email attachment be released, just like that, then we can all agree that even the world’s best multi-layered security cannot save you.
During our Red Team / Threat-Led Penetration Tests, our clients expect that we will send an email to the accounting department urgently prompting the user to click on a link or open an attachment. Nope. We know that most organisations train their users for exactly this occasion, and they also rely on mail filtering, endpoint security and other technical controls to block those actions when the user “fails” to recognise the threat. What we actually do is exploit the lack of well-defined processes and procedures. Even where P&P are well defined, they are usually not security-infused.
What if there is a business / legal reason for someone viewing a file that has been posted on the internet?
What if they get an email with an attachment as part of a complaint to which they are obliged, by their supervising authority, to respond within 72 hours?
We didn’t cause the urgency; it was built in by the regulation. People will try to move heaven and earth to get it done. “I don’t care about your policies. If I can’t view this alleged proof of misconduct in the next half hour, we are all going to jail / paying fines!”
What would you do?
Do you have the procedures/infrastructure to open the file in a sandbox?
Do you have the know-how to examine the file before handing it over to the user?
Do your policies clearly state who can override them and how?
Is the risk generated by such an override calculated and entered into your risk register?
Well, if these questions make you uncomfortable, I’ve got news for you: it’s time to review your risks.
Let’s talk about building processes that help us win the war, not just audit battles. I know it’s harder this way, but the rewards are worth the effort.
