If someone wants to target a company in this way, they will be successful because "humans are simply too susceptible to these problems".
Training may improve the odds in favour of the organisation by a few points, but "all it takes is one" to fall into the trap and the attack has succeeded.
A better idea is to assume that an attacker will get in via a user, determine what the resulting risks are, and then work to mitigate them. Possible strategies include moving away from a flat network to help isolate mission-critical systems and using two-factor authentication, he suggested.
"If you make this incredibly easy, people [ie, genuine users] will find it less of a barrier."
But later in the day, Cysafe Security chief security officer (and former chief information security officer of the City of New York) Yisroel Hecht offered a different perspective.
"The human can be the strongest link," he said, pointing to the "If you see something, say something" campaign started by the New York City Metropolitan Transportation Authority and subsequently taken up by the US Department of Homeland Security.
The problem, according to Hecht, is that IT people confuse their users. For example, users are told not to open attachments from untrusted sources, and then someone is given the job of opening emailed job applications – almost all of which have at least one attachment and, almost by definition, come from an unknown source.
"We've failed to train our users properly," he said. IT should not leave it to individuals to decide whether it is safe to open a PDF attachment, nor tell them not to use mobile apps that request excessive permissions (do you really think they're not going to use the Facebook app?). If you say that, you've failed, he suggested.
Rather, IT needs to keep things simple. If someone needs to deal with attachments from all and sundry, there should be a system in place to automatically scrub the files into a safe form (while no names were mentioned, he was presumably referring to tools such as the threat extraction capability of Check Point's SandBlast system).
And instead of talking about app permissions, just tell people that they should only download apps from the official stores.
Hecht also pointed out that people think about themselves, so security advice should be pitched in terms of protecting the individual as well as the organisation.
Disclosure: The writer attended the BlackBerry Security Summit as a guest of the company