Thursday, 21 July 2016 02:16

Is security training worthwhile?


Spending time and energy training people to avoid phishing attacks doesn't pay off, according to BlackBerry chief security officer David Kleidermacher.

If someone wants to target a company in this way, they will be successful because "humans are simply too susceptible to these problems".

Training may improve the odds in favour of the organisation by a few points, but "all it takes is one" to fall into the trap and the attack has succeeded.

A better idea is to assume that an attacker will get in via a user, determine what the resulting risks are, and then work to mitigate them. Possible strategies include moving away from a flat network to help isolate mission-critical systems and using two-factor authentication, he suggested.

"We've made [2FA] super-easy," Kleidermacher said, and that handles the number one risk of an intruder getting into your network.

"If you make this incredibly easy, people [ie, genuine users] will find it less of a barrier."

But later in the day, Cysafe Security chief security officer (and former chief information security officer of the City of New York) Yisroel Hecht offered a different perspective.

"The human can be the strongest link," he said, pointing to the "If you see something, say something" campaign started by the New York City Metropolitan Transportation Authority and subsequently taken up by the US Department of Homeland Security.

The problem, according to Hecht, is that IT people confuse their users. For example, users are told not to open attachments from untrusted sources, and then someone is given the job of opening emailed job applications – almost all of which have at least one attachment and, almost by definition, come from an unknown source.

"We've failed to train our users properly," he said. IT should not leave it to individuals to decide whether it is safe to open a PDF attachment, nor tell them not to use mobile apps that require excessive permissions (do you really think they won't use the Facebook app?). If you say that, you've failed, he suggested.

Rather, IT needs to keep things simple. If someone needs to deal with attachments from all and sundry, there should be a system in place to automatically scrub the files into a safe form (while no names were mentioned, he was presumably referring to tools such as the threat extraction capability of Check Point's SandBlast system).
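As an added illustration, not part of the original article and not the code of any product mentioned in it, the following Python sketches the decision logic such a system needs in front of its conversion step: each attachment is typed by its bytes rather than its name, PDFs are checked for active-content keys, Office containers are checked for a macro part, and every file is routed to one of deliver, scrub, quarantine or block. The function names (`classify`, `pdf_active_content`, `build_docx`), the policy and the sample attachments are all constructed for this example; the "scrub" action stands for the flattening that a real threat-extraction tool performs by re-rendering the document.

```python
import io
import re
import zipfile

# Constructed sample attachments for the demonstration; none of these are files from the article.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
ACTIVE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (this.print();) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60  # DOS/PE header bytes, whatever name the file arrives under

# Dictionary keys that carry actions or embedded payloads; a flattened copy drops all of them.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def build_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-style container; a vbaProject.bin part marks it macro-enabled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def pdf_active_content(data: bytes) -> list:
    """Return the active-content keys present in a PDF.

    A token scan is enough to answer "does this need flattening?"; the flattening
    itself is left to a rendering tool that re-creates the pages from scratch.
    """
    return [k.decode() for k in PDF_ACTIVE_KEYS if re.search(re.escape(k) + rb"(?![A-Za-z])", data)]


def classify(filename: str, data: bytes) -> dict:
    """Decide how the gateway handles one attachment.

    The type comes from the bytes, never from the extension, so a renamed
    executable cannot talk its way past the policy. Actions:
      deliver    - no active content, pass through unchanged
      scrub      - hand to the conversion step, deliver the flattened copy
      quarantine - unknown container, hold for a human
      block      - executable content, never delivered
    """
    if data.startswith(b"MZ"):
        return {"file": filename, "action": "block", "reasons": ["executable content"]}
    if data.startswith(b"%PDF-"):
        keys = pdf_active_content(data)
        if keys:
            return {"file": filename, "action": "scrub", "reasons": ["PDF active content: " + ", ".join(keys)]}
        return {"file": filename, "action": "deliver", "reasons": []}
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return {"file": filename, "action": "block", "reasons": ["corrupt zip container"]}
        if any(n.endswith("vbaProject.bin") for n in names):
            return {"file": filename, "action": "scrub", "reasons": ["macro-enabled Office document"]}
        if "[Content_Types].xml" in names:
            return {"file": filename, "action": "deliver", "reasons": []}
        return {"file": filename, "action": "quarantine", "reasons": ["archive that is not an Office document"]}
    return {"file": filename, "action": "quarantine", "reasons": ["unrecognised file type"]}


if __name__ == "__main__":
    # A constructed "job applications" inbox: the recruiter never sees anything but the verdict.
    inbox = [
        ("cv_alice.pdf", CLEAN_PDF),
        ("cv_bob.pdf", ACTIVE_PDF),
        ("cv_carol.docx", build_docx(with_macros=False)),
        ("cv_dave.docm", build_docx(with_macros=True)),
        ("cv_eve.pdf", FAKE_EXE),
    ]
    for name, blob in inbox:
        verdict = classify(name, blob)
        print(f"{verdict['file']:16} {verdict['action']:10} {'; '.join(verdict['reasons'])}")
```

The point of the design is the one Hecht makes: the person opening applications never has to judge a file. Anything with active content is rebuilt before it reaches them, executables never arrive at all, and only genuinely inert files pass through untouched.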

And instead of talking about app permissions, just tell people that they should only download apps from the official stores.

Hecht also pointed out that people think about themselves, so security advice should be pitched in terms of protecting the individual as well as the organisation.

Disclosure: The writer attended the BlackBerry Security Summit as a guest of the company




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
