It's Time to Take User Awareness Seriously
A troubling article on recent security trends by Marty Ijzerman in SAGE quoted a Harvard study that found most users did not detect carefully crafted phishing messages, close to one quarter ignored security warnings, and over half didn't pay attention to warnings about invalid digital certificates. These rates should make anyone involved with security wonder just how effective their well-planned, well-executed measures actually are.
What other poor practices are in play? Are users still writing down passwords, especially now that a strong password policy is in force at your site? How many scripts contain application or database passwords? Are application accounts shared among users? Pretexting worked at HP to get confidential information; will it work in your organization?
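The question about scripts that contain application or database passwords is one that can be answered with a quick audit rather than a guess. The following scanner is an added example written for this post, not code from the original article: it looks for quoted literals assigned to password-like names (and for PowerShell plaintext-to-SecureString conversions) and reports the file and line. The sample script contents are constructed for illustration; in practice the scan would be run over files read from disk.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample script contents (not from the article). The values
# are invented; only their shape matters for the scan.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "backup.sh": (
        "#!/bin/sh\n"
        "DB_PASSWORD='s3cr3t'\n"
        'mysqldump -u app -p"$DB_PASSWORD" appdb > /tmp/app.sql\n'
    ),
    # Reads the password from the environment: this is the pattern we want.
    "deploy.py": (
        "import os\n"
        "password = os.environ['APP_PASSWORD']\n"
        "connect(user='app', password=password)\n"
    ),
    "legacy.ps1": (
        "$cred = New-Object PSCredential('svc', "
        "(ConvertTo-SecureString 'Winter2007!' -AsPlainText -Force))\n"
    ),
    "notes.txt": "Remember to rotate the service account quarterly.\n",
}

# A password-like name (optionally prefixed, e.g. DB_PASSWORD) assigned a
# quoted string literal. Assignments from variables or the environment do
# not match because no quote follows the '=' or ':'.
LITERAL_ASSIGN = re.compile(
    r"""(?i)\b\w*(passw(?:or)?d|pwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['"]([^'"]+)['"]"""
)

# PowerShell idiom that embeds a plaintext password in the script itself.
PS_PLAINTEXT = re.compile(
    r"""(?i)ConvertTo-SecureString\s+['"]([^'"]+)['"]\s+-AsPlainText"""
)


def find_hardcoded_credentials(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, stripped line) for each suspicious line."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if LITERAL_ASSIGN.search(line) or PS_PLAINTEXT.search(line):
            findings.append((name, lineno, line.strip()))
    return findings


def scan_all(scripts: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan every script and collect findings in file order."""
    results: List[Tuple[str, int, str]] = []
    for name, text in scripts.items():
        results.extend(find_hardcoded_credentials(name, text))
    return results


if __name__ == "__main__":
    for fname, lineno, line in scan_all(SAMPLE_SCRIPTS):
        print(f"{fname}:{lineno}: {line}")
```

Two of the four constructed files are flagged (`backup.sh` and `legacy.ps1`); `deploy.py` passes because it takes the password from the environment rather than embedding it. A pattern-based scan of this kind produces false positives and misses encoded or concatenated secrets, so treat it as a starting inventory to feed the awareness programme, not as proof that a script is clean.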
Security awareness training may be viewed by some as a "nice to have" when it comes to security, but that is simply not true. Attackers will find the weakest link, whether it is technical or human, and those are the links we need to address. Users need to be trained about social engineering techniques, careless security practices they should avoid, and the policies in place in their organization. There is no reason anyone should be able to obtain a password over the phone by pretending to be a network admin or a service desk technician. User awareness training is a core element of defense in depth, not simply a "nice to have."
