Security awareness gone wrong
Browsing the web and reading email shouldn’t be like clearing a minefield. Yet today I came across a reminder of how it’s still that way for most office workers. The tools they’re given aren’t safe to use but rather than replacing them, users are told to beware of opening email and clicking links.
I’ve been developing a security awareness program for a federal department so have been looking at lots of awareness material. I came across a series of short, professionally produced videos. Each shows actors in typical office security situations like installing unapproved software, encountering social engineering and so on.
One episode has a worker receiving email from a colleague she hasn’t heard from in a long time. It seems suspicious and the video spends most of its time with her deciding whether to open the message. Eventually curiosity gets the better of her… she opens it and a worm is unleashed. A second video shows an office worker trying to decide whether to click a link to an unfamiliar URL. He does, and uh oh, a virus wipes out the network.
So I guess the lessons from these videos are:
- Don’t open email
- Don’t click links
Each time I see this advice it infuriates me, but the way it was presented in these videos really demonstrated how idiotic it is.
First, the software doesn’t provide enough information for users to make an intelligent decision about whether an email or web link is “bad”. Mail headers are easy to forge, and a simple HTML trick can change the URL that shows when hovering over a link. The only thing warning users accomplishes is to instill useless fear and distrust of the software they must use to do their jobs.
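The gap described above is exactly the kind of check the mail or web client could do on the user’s behalf. As an added example that is not part of the original post, this hypothetical `findDeceptiveLinks` helper scans an HTML message body and flags anchors whose visible text looks like a URL but whose `href` points at a different host; the sample message and the host `203.0.113.10` are constructed for the example.

```javascript
// Added example, not from the original post: flag anchors whose visible text
// names one host while the href points at another. A deliberately simple
// regex-based parser is used so it runs under plain Node.js without a DOM.

function hostOf(urlText) {
  try {
    // Anchor text like "www.example.com" has no scheme; add one so URL() parses it.
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(urlText) ? urlText : "http://" + urlText;
    return new URL(withScheme).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null; // not parseable as a URL, so it cannot be compared
  }
}

function findDeceptiveLinks(html) {
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const results = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = m[1].trim();
    const text = m[2].replace(/<[^>]+>/g, "").trim(); // strip nested tags
    // Only text that itself looks like a URL or hostname can mislead the reader;
    // plain words such as "our intranet" make no claim about the destination.
    const looksLikeUrl = /^(https?:\/\/|www\.)/i.test(text) || /^[\w-]+(\.[\w-]+)+$/.test(text);
    const shownHost = hostOf(text);
    const realHost = hostOf(href);
    if (looksLikeUrl && shownHost && realHost && shownHost !== realHost) {
      results.push({ text, href, shownHost, realHost });
    }
  }
  return results;
}

// Constructed sample message body (hosts are documentation/example values).
const SAMPLE_HTML = `
<p>Please review the report at
<a href="http://203.0.113.10/login">https://intranet.example.com/reports</a>
or visit <a href="https://intranet.example.com/">our intranet</a>
and <a href="https://www.example.org/">www.example.org</a>.</p>`;

const flagged = findDeceptiveLinks(SAMPLE_HTML);
console.log(flagged); // one entry: shown intranet.example.com, real 203.0.113.10
```

Only the first anchor is reported: the second has descriptive text that makes no claim about its destination, and the third’s text and `href` agree once the `www.` prefix is normalised.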
Second, it’s insane that users should even need to be afraid. Reading email is the primary purpose of email software. The HREF is the fundamental benefit of HTML. Why do organizations give their workers software so feeble that it’s unsafe to use it for its intended purpose?
What was that about minefields? At least someone clearing mines is given some protective gear and more training than just “there might be mines in that field… be careful”.
In my office, we don’t fear opening messages or clicking links. This is largely because we use reasonably robust software like Mozilla Firefox and Thunderbird. No software is perfect though, so there are also excellent perimeter filters that limit what bad stuff can get in, plus endpoint defences that reduce the damage when something does.
In security speak, that’s called “defense in depth” and “use of compensating controls”. It’s also called risk management. There’s still some risk that an exploit could cause damage in our office, but not enough to really worry about.
There are almost always options for reducing risk to an acceptable level. Even if an organization had no choice but to use feeble software for email and browsing, there should be compensating safeguards in place. Forced to use MS Outlook? Get a good mail firewall and contain Outlook within an intrusion prevention wrapper. Have sites that require Internet Explorer? Demand they be fixed and use a better browser for all other sites.
Some risks you just have to accept, but email and web browsing are not in that category. When you see admonishments to be afraid of email and web links, what you’re really seeing is a failure to manage risk. Someone in the organization decided not to face up to the need to replace Outlook or IE, but doesn’t want to pay for content filters and host intrusion prevention. Instead of providing adequate safeguards they’ve decided to just make users responsible when the software blows up.
In security speak that’s called “risk transfer” and it’s neither fair nor what security awareness is for.