Field notes: User security training
This is a new type of blog post I am creating called Field notes. The idea behind this is to provide commentary on what I see out in the field.
IT Security has so many elements. One of the challenges in IT consulting (and IT in general) is to describe and convey how all of the elements work together. I always tell people that with security there is not a single solution or product that will solve all the issues. It's all about identifying risks and trying to mitigate them.
I've encountered several folks who think that because they have a firewall they are "Secure". Having a firewall in place is great, but it's not going to solve all of the elements of "IT Security". It's simply one piece of the puzzle.
Another challenge in IT is that so much happens in the background. Users don't get daily log reports from the spam filter or get to check the firewall policies on a daily basis. People clock in, log into their desktop (or laptop), and open their email. This is what spawned this blog post. There is a constant need to provide and perform end user security training.
I get frustrated with IT admins who ridicule and act like someone who clicks on the link in an email is the dumbest person on earth. I have found that most employees at company xyz feel secure from a technology standpoint. Why wouldn't they? The company they work for has a firewall, spam service, and an IT team or consultant. It's easy to let your guard down.
Spammers, hackers, and crooks have exploited this for years. People get so caught up in working to meet their deadlines and keeping their boss happy that they don't notice when the display name says "CEO" but the actual email address is firstname.lastname@example.org, a domain the company does not own.
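The display-name trick above is something the mail gateway can flag before the user ever sees it. The following is an added example, not code from the original post: a small Python triage script that parses the From header, checks whether the display name is one users are likely to trust on sight (a constructed list here: "CEO", "Jane Doe", "Accounts Payable"), and reports when that name arrives from a domain other than the company's own. The company domain example.com and the sample headers are constructed for illustration.

```python
"""Flag inbound mail whose From display name impersonates a trusted sender.

Added example for illustration; the company domain, the protected names and
the sample messages below are constructed, not taken from any real deployment.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# assumption: display names users are most likely to trust without looking
PROTECTED_DISPLAY_NAMES = {"ceo", "jane doe", "accounts payable"}


def normalise(name: str) -> str:
    """Lower-case, strip quotes and collapse whitespace for comparison."""
    return " ".join(name.lower().replace('"', "").split())


def check_from_header(from_value: str) -> list[str]:
    """Return the reasons a From header looks like display-name spoofing.

    An empty list means nothing suspicious was found.
    """
    display, address = parseaddr(from_value)
    address = address.lower()
    if "@" not in address:
        return ["From header has no parseable address"]
    domain = address.rsplit("@", 1)[-1]
    disp = normalise(display)
    reasons: list[str] = []

    # "CEO" <someone@example.org>: trusted name, external sending domain
    if disp in PROTECTED_DISPLAY_NAMES and domain != COMPANY_DOMAIN:
        reasons.append(
            f"display name '{display}' used from external domain {domain}"
        )

    # "jane.doe@example.com" <x@mail.example.net>: the display name itself is an
    # internal-looking address, which many clients show in place of the real one
    if "@" in disp and disp.rsplit("@", 1)[-1] == COMPANY_DOMAIN and domain != COMPANY_DOMAIN:
        reasons.append(
            f"display name '{display}' looks like an internal address but the "
            f"message was sent from {domain}"
        )
    return reasons


def triage(raw_message: str) -> list[str]:
    """Parse a raw RFC 822 message and check its From header."""
    msg = message_from_string(raw_message)
    return check_from_header(msg.get("From", ""))


# Constructed sample messages: one spoofed, one legitimate
SAMPLE_SPOOFED = (
    'From: "CEO" <firstname.lastname@example.org>\r\n'
    "To: staff@example.com\r\n"
    "Subject: Urgent wire request\r\n"
    "\r\n"
    "Please handle this today.\r\n"
)
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: staff@example.com\r\n"
    "Subject: Team lunch\r\n"
    "\r\n"
    "Friday at noon.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        findings = triage(raw)
        print(f"{label}: {findings if findings else 'no findings'}")
```

The check deliberately keys on the display name rather than on the sending domain alone, because the whole point of the trick is that the visible name matches someone the recipient trusts while the address does not. In practice the protected-name list would be fed from the directory, and a hit would add a warning banner or route the message for review rather than silently dropping it, so that the user still gets the teaching moment.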
This is where IT Security training comes into play. Sometimes it's not even a matter of developing or having employees go through a dedicated training program. For example, I've recently decided to simply start talking to my clients more about security and how they can improve their security posture. It's a matter of communication and getting on the same page. I try to use this time to answer questions and educate them as much as possible.
I am a huge fan of solutions like KnowBe4, although sometimes the implementation is used the wrong way. I've seen some organizations treat it as if it's a game of "Who's dumb enough to enter their password in the link?". This mentality is just flat out wrong. These solutions should be used as tools to communicate and educate people.
With the threat landscape changing by the minute, user training is not going anywhere. All IT admins need to continue to communicate as much as possible. After all, it's much easier to plan for something before it happens.