User awareness training is a sticky issue: It has to be done, but some CISOs wonder about its effectiveness.
Statistics from Verizon's international data breach investigations report, released earlier this year, show that 13 per cent of employees will open attachments or click on phishing links no matter how much awareness training an organization does. That led a CIBC official at a conference earlier this month to say he's almost given up on it.
What kind of training works? "We are better at knowing what doesn't work than what does," Ostertag admitted in an interview. But many CISOs have told him it's vital to immediately re-train staff who fail an awareness test.
He did say CISOs have to encourage the 87 per cent who don't open suspicious attachments to report their concerns rather than just hit the delete key.
At the conference the bank executive said there is a solution: Implement gateway attachment scanning. It could delay email by up to five minutes, he conceded, but dramatically improve security. However, he said, management at organizations he's worked for refuse to impede email.
Ostertag was neutral. "That's a tradeoff the organization has to make," he said. On the other hand, he added, any delay in executing malware helps the defence because some malware "beacons" to a command and control server with an IP address. Many of those addresses are only valid for a short period of time.
He agreed with a suggestion that while organizations do a lot in cyber security, they rarely do everything right.
Take the Payment Card Industry Data Security Standard (PCI DSS). Ostertag said since it was released there has never been a breach of payment card data where the breached organization was compliant at the time of the incident. "So what we find is a lot of times organizations understand what are best practices, what basic minimum threshold security practices are, (but) it just doesn't work in everyday life."
For example, he said a typical security assessor reads an organization's policies and procedures, interviews key managers on what is done and concludes the firm is compliant. "What they don't do is sample and verify that's actually going on. A lot of times that's where the gap is."
Similarly, when development teams create a Web application they do the right things before making it live: ensure secure coding, code review, run vulnerability scans on the code, perform manual penetration testing. But, Ostertag added, this isn't carried over into change management, so later updates ship with vulnerabilities.
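One way to carry those launch-time checks into change management is to make the same checks run on every change rather than once before go-live. The GitHub Actions workflow below is an added example, not code from the article, from Verizon or from any project the article describes; the action names and versions, the Node.js stack, the staging URL and the severity threshold are all assumptions.

```yaml
# Added example (not from the article): the pre-release security checks
# wired into the change pipeline so every update is gated the same way
# the initial launch was. Action versions, the "javascript" stack and the
# staging URL are assumptions; adjust them to the real project.
name: security-gates

# Weak pattern: gates run only when a release is cut, so changes merged
# between releases are never scanned or tested. Do not use this alone:
#   on:
#     release:
#       types: [published]

# Corrected pattern: every pull request and every push to the main
# branch goes through the same checks the initial launch went through.
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload CodeQL findings

jobs:
  sast:
    # Static analysis on the changed code ("run vulnerability scans on code")
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumption: a Node.js web application
      - uses: github/codeql-action/analyze@v3

  dependencies:
    # Supply-chain check: new or upgraded packages introduced by this change.
    # The action compares base and head, so it only runs on pull requests.
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # assumption: block high/critical advisories

  dast:
    # Dynamic scan of the deployed change, standing in for the manual
    # pentest that is usually done once at launch. Runs only after SAST
    # passes and against a per-pull-request staging deployment (assumed).
    runs-on: ubuntu-latest
    needs: [sast]
    if: github.event_name == 'pull_request'
    env:
      TARGET: https://staging.example.invalid   # assumption: staging URL
    steps:
      - name: OWASP ZAP baseline scan
        run: |
          docker run --rm -t ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t "$TARGET"
```

On its own a workflow only reports; to make it part of change management, a branch protection rule on `main` should list the `sast`, `dependencies` and `dast` jobs as required status checks so a change cannot be merged until they pass. That is what closes the gap Ostertag describes: the control is enforced on each update rather than relied on as something the team did once.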
"We're getting better at protecting data - put access controls around it, encrypt data at rest, all the things we know we should do." So attackers are increasingly targeting end user devices, where sensitive data may reside and security is weaker.
Source: IT World Canada