We all know that everyone needs to do their part to keep their organization being pwned. Yet security awareness training and anti-phishing exercises don’t seem to help very much. Why is that when there’s no shortage of vendors to sell them to us?
The $47 million recently stolen from Ubiquiti Networks was a result of social engineering via email combined with weak internal payment system controls. How much higher do the stakes have to get?
We’re in this situation largely because on the job people do things their supervisors ask them to do. So if supervisors don’t place a high value on getting something from the awareness training and don’t prompt difficult conversations when someone falls for a phishing lure, your org is doomed.
So, rather than define it as an IT problem, user security eduction and awareness should be defined as a management problem.
If you are responsible for getting your network endpoint users to up their security game, the best way forward is to recruit all the supervisors across your organization to support your training programs. Work through your manager to do this.
Having supervisors on your side will make all the difference when a difficult conversation with a worker must happen because he will not support the InfoSec program. After all, a careless user isn’t likely to take a random IT person seriously, are they?