Ditch your security awareness program
Your security awareness program isn't working and the solution is NOT another poster in the lunch room about the dangers of opening emails from people you don't know.
by Brent Huston -- For almost 20 years, we in the infosec business have been harping at you about awareness. The story usually goes something like "If only we could teach the users to be more careful and attentive, then we could protect them better." The truth of the matter, though, is that the average user either doesn't care about information security (until it's too late) or simply doesn't have enough technology skill to protect themselves in a meaningful way. But I promise you THIS -- the answer is absolutely NOT another poster in the lunch room about not clicking on the dancing gnome or opening emails from people you don't know.
I think we are going about this the wrong way. In fact, I believe the only prevention-focused message you should be sending to your staff on a repeated basis is about laptop theft. If you focus all of your prevention awareness on laptop theft, you might accomplish a little more, since laptop theft is a pretty personal crime: a stolen laptop costs the employee something too, not just the company. So, if you must print up some posters – make them about not leaving your laptop in the back of your car, or skip the posters altogether!
What do I propose instead? And what will we do with all of that awareness budget?
I propose this: skip prevention awareness and instead focus your staff on being better "net cops". Yep, you heard me, NET COPS. Why the heck would you do that, you might be asking? The main reason is that, according to recent data profiling data compromises, your team members (as in humans) are twice as likely to notice strange attacker behavior, security issues and other anomalies as automated systems like IDS and log monitoring are. Plus, people already love to play net cop. Your customer service people love it, your sales people love it and, face it, most infosec people love it too. There is a reason there are so many crime shows on TV. Since people love the idea of being a net cop, let's focus on teaching them, giving them incentives, and making it easy for them to report what they see, so they can help us protect our data more effectively.
We think shifting the focus from "what not to do" to "help us patrol the network" just might work! We'll never know unless we try!
Brent Huston is CEO and Security Evangelist for Microsolved, Inc.