In my last post, I talked about whether or not information security training could have played a role in preventing, or at the very least minimizing, the Target breach.
Today, I'd like to address the importance of information security training and how to make it work in the real world (yes, it's very doable), sharing my thoughts on what organizations should, at a minimum, train their staff on when it comes to password security.
Let's be honest. We've all been through "those" training sessions: boring, dry, seemingly endless, and rarely providing anything actionable. What's worse is the lack of "stickiness": employees tend to forget what they were taught as soon as they leave the classroom. Why does this happen? Typically, the content is lackluster PowerPoint fodder presented in a heavy-handed "Thou shalt..." manner, which rarely proves effective.
What I have found works much better in most environments is training that shows employees how to improve security on the job as well as in their personal, everyday lives.
Take password security as an example.
Employees are known to write down their passwords, and every training program talks about why this is bad, bad, bad... but very few, if any, training sessions give the employee an alternative. In these same sessions, employees are told not to reuse passwords and to make them so complex that they can't remember them. So the employee walks away from the session bewildered and frustrated, wondering what to do.
One option is password management software. Many employees, however, cannot afford to buy encrypted password storage software for their own computers, and corporate IT often does not provide it. Sooooo... they continue to write down their passwords.
But somehow the circle has to be broken. And it can be!
What the training program should teach employees about creating and protecting passwords is more along the lines of the following:
- Passwords need to be complex, and there is a reason: too many people use the same handful of passwords, attackers know this, and they test those common passwords first during an attack. (You're telling them why complex passwords matter without resorting to "Because I said so...", thereby making them part of the solution.)
- Make passwords complex by basing them on a favorite phrase, song lyric, or line from a book. A phrase of several words is long, and length is what really makes a password hard to guess. Replacing letters with numbers and special characters adds some variety, but keep in mind that cracking tools try those substitutions too, so a short word like "P@ssw0rd" is no safer than "password". (You're giving them the information they need so that they're not left guessing what to do.)
- Make a unique password for each account you use. Password reuse is another thing attackers look for. I've seen whole domains compromised because the admin used the same password on a poorly patched printer (yes, I said printer). (Again, you are giving them information, not heavy-handed, draconian mandates.)
- Most people probably have 5 or 6 complex passwords that are difficult to remember. So what are you going to do? Write them down, of course, BUT you are not going to put them in a Rolodex under "P" or in a file folder on your desk. Instead, keep them in a wallet or purse and guard them like an ID or credit card. (Oh my gosh, he really does understand the problem I'm facing! And hey, I keep my wallet/purse safe, so this is doable!)
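To make the "attackers test for common passwords" and "attackers look for reuse" points concrete, here is a small added illustration (my own example, not part of the original training material). It builds a wordlist of common passwords, applies a handful of the capitalization, character-substitution and suffix rules that cracking tools use, and checks a constructed sample of leaked password hashes against it; a second function shows that identical unsalted hashes reveal password reuse without cracking anything. The wordlist, rule set, account names and passwords are all constructed for the example, and unsalted SHA-256 is used only to keep it self-contained.

```python
import hashlib
import itertools

# Constructed stand-in for the common-password lists attackers really use
# (those run to millions of entries; this one is deliberately tiny).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome", "summer"]

# A few "mangling" rules of the kind cracking tools apply to every wordlist
# entry. Real rule sets contain thousands of such transformations.
LEET = {"a": ["a", "@", "4"], "e": ["e", "3"], "i": ["i", "1", "!"],
        "o": ["o", "0"], "s": ["s", "$", "5"]}
SUFFIXES = ["", "1", "123", "!", "2014"]


def sha256(text):
    """Hex SHA-256 of a string; unsalted on purpose, to mirror a weak store."""
    return hashlib.sha256(text.encode()).hexdigest()


def variants(word):
    """All capitalization, leet-substitution and suffix variants of one word."""
    out = set()
    for base in (word, word.capitalize(), word.upper()):
        # Each character expands to itself plus any substitutions for it.
        options = [LEET.get(ch, [ch]) for ch in base]
        for combo in itertools.product(*options):
            for suffix in SUFFIXES:
                out.add("".join(combo) + suffix)
    return out


def candidate_table():
    """Map hash -> plaintext for every variant of every common password."""
    table = {}
    for word in COMMON_PASSWORDS:
        for candidate in variants(word):
            table[sha256(candidate)] = candidate
    return table


def crack(account_hashes):
    """Return {account: recovered_password} for every hash found in the table."""
    table = candidate_table()
    return {acct: table[h] for acct, h in account_hashes.items() if h in table}


def find_reuse(account_hashes):
    """Group accounts whose hashes are identical, i.e. that share a password.

    With unsalted hashes, reuse is visible without cracking anything."""
    by_hash = {}
    for acct, h in account_hashes.items():
        by_hash.setdefault(h, []).append(acct)
    return [sorted(accts) for accts in by_hash.values() if len(accts) > 1]


# Constructed sample "leaked" database: account -> hash of its password.
SAMPLE_DB = {
    "alice@corp": sha256("P@ssw0rd1"),            # substituted common word
    "bob@corp": sha256("Summer2014"),             # common word plus year
    "carol@corp": sha256("Red sky at night, sailors delight"),  # phrase-based
    "printer-admin": sha256("P@ssw0rd1"),         # same password as alice
}

if __name__ == "__main__":
    for acct, pw in crack(SAMPLE_DB).items():
        print(f"cracked {acct}: {pw}")
    for group in find_reuse(SAMPLE_DB):
        print("password shared by", ", ".join(group))
```

Running it recovers alice's, bob's and the printer's passwords even though none of them is literally in the wordlist, while carol's phrase-based password survives; it also reports that alice and the printer account share a password, which is exactly how a weak printer credential becomes a foothold into the rest of the domain.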
A very simple, no-nonsense training program like this is not heavy handed: it teaches the employee why unique, complex passwords matter, empathizes with the number of passwords they have to keep track of, and acknowledges that they are going to write them down without giving a "wink" of approval. Finally, it gives them a real-world way to keep written passwords far more securely than they probably do today, which reduces the company's risk exposure.
Stay tuned for next week, when I talk about training for social engineering awareness. It's more important than you think!