The Ultimate Defense Against Advanced Persistent Threats

Sorry about that, I knew the title would pull you in…but what I have to say will, in the end, support the headline. The reason for the showmanship is that if the title had been “End User Training and Awareness is Important” or “Training End Users Will Help Your Bottom Line” you might not have clicked (I know you would have clicked anyway, mom). But seriously, end user training is the new hotness.

As you can tell from the byline, I work for RSA, The Security Division of EMC, and unless you are a noob in the security space you can probably remember an incident in the not so distant past where RSA was in the headlines for a data breach. Yes, RSA, The Security Division of EMC. There have been many forensic breakdowns of the event itself, but I just want to reference Uri Rivner’s initial blog post related to the attack. Yup, the initial foothold was obtained by someone clicking and opening an attachment in an obviously suspect (to me, anyway) email that was in their Junk Mail folder. Junk Mail Folder? Yes!

This reminds me of two quotes that sum up the situation from both sides:

“Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.” — Niccolo Machiavelli, The Prince
“The user’s going to pick dancing pigs over security every time.” — Bruce Schneier

So we need to empower the end user to make good decisions and at least let them know the risk of the dancing pigs, right? Making end users wise in the ways of security may sound like a daunting task, and it is, but thanks to the folks at the Information Risk Executive Council we have a short list of user behaviors to focus on as a starting point:

  • Clean Desk Policy
  • Avoiding Phishing
  • Locking Computer When Away
  • Physically Securing Devices
  • Personal Use of Web
  • Using Good Passwords
  • Not Sharing Passwords
  • Not Discussing Sensitive Information in Public
  • Not Working on Sensitive Information in Public
  • Not Using the Web for Personal Use on a Corporate Asset
  • Not Allowing Tailgating
  • Not Attaching Non-corporate Devices to The Corporate Network

Ok, these certainly aren’t awesome or revolutionary…BUT you can’t just send a bulleted list like this out to the user base and expect them to “get it” either. Your job is to not put your employees in a position where they have to make an ethical decision on the company’s behalf. They should know how to act, and what to do, in the situations they will be confronted with on a daily basis…and yes, you have to prepare them for that.

How, you say? Here are a few suggestions. First, start by using real examples from your organization’s own experiences. Did someone fall prey to a phishing scheme? Talk about it at the next all-hands meeting and give tips on how to avoid the threat. It’s ok (and actually good) for an organization to acknowledge that something happened and use it as a teaching/learning tool. Likewise, if you don’t want a certain behavior to happen, say so. Equip your users with the information and resources they need and let them make educated decisions about what to do and what not to click on. And like when you send your kids off to college, they’ll hopefully make the right choices 70% of the time. :)

Finally, review the list above and triage which behaviors have the highest impact on your organization. Then set out to define the risky behaviors your users are engaging in, show them why those behaviors are risky, and give them the guidance they need to make good decisions. And then you’ll have lowered your overall risk profile for Advanced Threats and, in fact, most threats. See, I told you we’d get there.

Hey, wait a minute, shouldn’t there be a program around this whole endeavor? Yes, absolutely. We’ll be talking about that next time…until then, safe travels.

Jason Rader is the Chief Security Strategist for RSA Global Services and can be reached at jason.rader@rsa.com