I attended the SANS Security Awareness Summit last month. The summit is put on and attended by professionals who believe humans are a critical element of organizational security. Contrary to some technologists’ opinions, the human firewall is as important as deep packet inspection.
Security awareness is an important field that SANS, Enabling, at least 350 other attendees believe is on the rise. No technology can keep people from falling victim to social engineering, trusted-user phishing attacks, weak passwords, and allowing trustworthy looking strangers through protected entryways into facilities. By educating people on their role in managing risk, organizations improve their overall security profile.
I was struck by the following observations:
- Most attendees were from large corporations. Out of the 30 or so people that I met, only one worked for a company of 5,000 or less.
- Most organizations’ security awareness programs started on a shoestring budget, usually a part-time or single full-time position. Many have grown to several full-time employees. Some have significant budgets. The Video Wars segment showed videos used within companies to build awareness. The cost for high-end videos was $10,000-$13,000 for a 90-120 second spot, like this one from RBC. https://www.youtube.com/watch?v=sszudlN-PDE Cute, right?!
- Communications programs usually mixed lighthearted ways to present serious content like the video above.
- Social engineering is real. Recordings of actual social engineering calls revealed that 50% of people will give their passwords to fictitious IT personnel, even if they know IT shouldn't be asking.
The biggest challenges appeared to be:
- Getting management support. Even many CSOs believe hardware and software to be the only answer, and that the human firewall is unreliable in the end.
- Engaging users. Awareness managers are forced to get creative (and ego-free)! One awareness manager stood in a baby pool wearing hip waders to get attention on phishing attacks!
- Measuring success. There are few concrete metrics to measure progress. At this point, most awareness programs are simply measuring engagement (views of videos, attendees at training, etc.). More advanced organizations couple this data with objective data about the number of people who are passing their simulated phishing tests.
As a result of this conference, Enabling Technologies is making changes to our security awareness program that we offer to our customers. We hope that you will as well. For the viewpoint of the organizer, check out Lance Spitzer’s blog https://www.sans.org/security-awareness-training/blog/take-aways-2018-security-awareness-summit .