In a recent article that highlights why security awareness programs frequently fail, the top reason cited was poor governance. In reviewing and implementing dozens of awareness programs, I have come to believe that the poor definition and implementation of security governance is the fundamental reason for security awareness program failures.
First consider what governance is. At a high level, governance is the definition of how people should perform their daily functions. Notice that this doesn’t say anything specific about security. The assumption is that the definition of behaviors embeds security.
It amazes me how companies rightfully want full control of their security programs, yet they pretty much abdicate their awareness programs to vendors.
While it does not seem to work this way in practice, awareness programs should promote good security behaviors. They should inform people about their expected behaviors in common and uncommon circumstances. These expected behaviors are not something to be determined by a random CBT provider, but should reflect what is established in corporate governance.
For example, when most CBT videos talk about social engineering, they highlight how hackers will trick you into giving up your passwords or other sensitive information. The phishing videos highlight how phishers want to get your passwords or have you download software. However, consider the latest evolution of phishing and social engineering attacks, which involves contacting accounts payable, the CFO, or accounting and asking for money to be transferred. Traditional training materials do not discuss this at all, as they just rattle on about basic social engineering and phishing.
Consider the recent incidents at Moneytree and Seagate, where criminals emailed people in the human resources departments, pretending to be the CEO or another party, and asked them to send tax-related information about employees. Consider as well the rash of accounts payable thefts, where criminals use some pretext, frequently pretending to be the CEO, to have those departments transfer money to an account. All of these would be countered by people following good governance. Governance would detail the specific process to release information or send money. A random email that requests the release of information should be summarily rejected, and the sender, even the CEO, should be directed to follow the defined procedures or guidelines.
To examine what awareness information should be provided, you must first consider that some policy, procedure or guideline should detail the process for approving and processing payments. I assume that an email or telephone call from anyone is not the entire formal approval process for issuing payments.
While it might be helpful for awareness programs to highlight phishing and social engineering, they need to highlight the procedures and guidelines related to releasing payments. That should be done for all aspects of security.