How much of your 2014 budget will be allocated to technical security solutions, and how much will be reserved for security awareness education? Which is the better use of money as you prepare for the upcoming budget cycle? Are both trending in the same direction, and at the same rate? Probably not, even though Verizon's 2013 Data Breach Investigations Report documents that 95% of state-affiliated espionage attacks involved phishing. Furthermore, 46% of the data breaches studied exploited customer service employees, the people often referred to as "our end users."
The debate over whether security awareness is a worthwhile investment has been waged for years and continues in 2013. At times, naysayers have dismissed awareness as nothing more than a waste of time and money, since a social engineering attack will likely win eventually; it is just a matter of when. While it is hard to argue that a persistent adversary won't eventually have their way, that should not mean organizations give up and stop fighting the good fight. Wouldn't it make sense for security solution providers in both the technical and the educational arenas to collaborate to defend and educate? Security needs all the help it can get, and this shouldn't be a novel idea.
Cynics pushing back on security awareness view technical solutions and penetration testing as a better use of money. That view assumes solid, adaptable configurations are already in place and that the experienced penetration tester doing the work is skilled at discovering exploitable vulnerabilities. It also requires the organization to be nimble enough to remediate those vulnerabilities in a timely fashion, with proper quality assurance, while managing the other projects already underway. The technical and testing approach has gained traction through the years: buying solutions to fix problems leads the way, whereas continuous assessment and improvement is, for some organizations, still maturing. A walk through a conference such as RSA quickly shows the investment in new technologies and how they are helping solve problems, some better than others.
Security awareness and education often falls flat because of how it is conducted within organizations. A program focused on meeting compliance, perhaps disguised as a newsletter, ends up checking a box and does little to improve employees' security knowledge. As a result, employees are at best loosely aware that security is important to the business. A more effective approach would start with baseline knowledge assessments to determine the current state of employee awareness, then follow up with easy-to-use educational resources built from repeatable modules that advance as each employee demonstrates mastery.
If organizations give up on the concept of awareness and strive only for compliance, they have essentially given up, perhaps unintentionally, on their staff and on the ability to leverage them as part of a holistic security program. Granted, a financial analyst wasn't hired to inspect email message headers or analyze URLs. But for a highly intelligent finance employee, raising the bar, learning about security, and becoming a savvier employee is within reach given corporate culture support, effective communication, and the correct tools. Or we can mumble the false and demeaning "there's no patch for stupid," which will improve nothing.
Thankfully, in recent weeks some vendors have announced collaborations aimed at bringing technology and education closer together. PhishMe and FireEye publicized a partnership to tie employee education to the threats detected by the FireEye platform, as part of a multi-layered security program. Likewise, RSA, The Security Division of EMC, recently announced a reseller agreement with security awareness vendor Wombat Security. Both announcements illustrate the growing need for technology and education to complement each other. They also suggest that technology vendors have listened to customers asking for more to be done to protect the proverbial weakest link, their employees.
The technical solution arena continues to launch product after product aimed at whatever the industry's pain point is at the moment, whether it is an adversary feverishly working to exfiltrate data or an organization trying to reel back some control with a mobility management system after the proliferation of BYOD. Yet education, which benefits employees both at work and at home, sometimes struggles to maintain its importance. It seems easier to buy a 1U appliance to take care of a problem. However, it should come as no surprise that the ability to phish and social engineer employees, from the front line to the board room, is not dwindling; as recent data breach reports show, it remains a key tactic for compromising organizations across the globe. This isn't new, and it shows no sign of slowing down even where technical solutions are deployed.
While there is still a long way to go, vendors are acting and collaborating. It is encouraging, and long overdue, to see partnering between technical solution vendors and awareness/education vendors. It shows some maturity in the industry: a willingness to push past the unproductive debates that no one wins and toward solutions that advance the effort.