Debate: Security training is effective in preventing workers from clicking on malicious links and attachments.
In this month's debate, two experts discuss whether security training is an effective strategy in the workplace.
Stu Sjouwerman, CEO, KnowBe4
Money spent on security awareness training is not better spent on training developers to write secure code. Some argue that security awareness training is the whipping boy to illustrate how the computer industry has failed to design insecure systems. Perhaps those making that argument have forgotten that the internet really still is in beta. Vint Cerf recently admitted as much with his remark: “We never got to production code.”
In such an environment, you do want to educate your end-users and provide them with the knowledge and skills to spot social engineering red flags, and not to click on suspicious links or open infected attachments. Our training never fails to show a dramatic reduction in what we have called an organization's “phish-prone” percentage. The stats show the effectiveness: up to 80 percent fewer clicks on simulated phishing attacks. These days security awareness training is a must.
That said, it's but an essential piece of the whole defense-in-depth puzzle organizations need to have in place.
Dave Aitel, CEO, Immunity
Security awareness training is one of the most overrated – and dangerous – aspects of security planning that any organization can use. The premise is a simple one: Employees are targeted in phishing schemes, so let's teach them how to not get owned. But the problem is that no matter how much training an organization provides employees, the worker is still going to screw up.
Employees weren't hired to handle your company's security – and they shouldn't be expected to. By placing an emphasis on employee training, you're giving yourself the false assurance that this is somehow making the company safer. It isn't. Even trained employees stand no chance against a modern attacker who customizes his phishing attack against that individual. Security awareness simply cannot address this threat.
It's the CISO's job to make sure that technical controls are in place to mitigate these threats. The reality is: An employee should be able to click on any link, open any attachment and go about their jobs as they see fit, and not expose the company to a serious breach.