ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Effective and Realistic Security Training?

    Scheduled Pinned Locked Moved IT Discussion
    eweeksecuritytraining
    38 Posts 8 Posters 11.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      Baustin213 @DustinB3403
      last edited by

      @DustinB3403 I like this approach a lot. It actually sounds a lot like the Chaos Monkey tool that is used in the testing/QA world to find failures in cloud-based software.

      1 Reply Last reply Reply Quote 0
      • dafyreD
        dafyre
        last edited by

        There's a company called KnowBe4 that does the email Phishing stuff... Not sure what else they do.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @dafyre
          last edited by

          @dafyre said:

          There's a company called KnowBe4 that does the email Phishing stuff... Not sure what else they do.

          And their CEO is here @stus

          1 Reply Last reply Reply Quote 1
          • mlnewsM
            mlnews @scottalanmiller
            last edited by

            @scottalanmiller that seems like some extreme training.

            G 1 Reply Last reply Reply Quote 0
            • G
              GlennBarley @mlnews
              last edited by

              @mlnews You would think, but if you read into the article that I linked above, it seems like people don't REALLY get the risk until they have become a victim.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller
                last edited by

                That's why they really drove that home. If you fell victim to it they made it clear that you screwed up and you were now considered a vulnerability in the organization and they made it clear that you let the company down and were not up to par.

                G 1 Reply Last reply Reply Quote 1
                • G
                  GlennBarley @scottalanmiller
                  last edited by

                  @scottalanmiller Unfortunate that those measure are necessary for users to really see the risk. But, at least for now, that seems to be the case...

                  scottalanmillerS 1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller @GlennBarley
                    last edited by

                    @GlennBarley said:

                    @scottalanmiller Unfortunate that those measure are necessary for users to really see the risk. But, at least for now, that seems to be the case...

                    Yes, if you want security to really be driven home you need to make people realize that they are accountable. It is way too easy to feel like the security and the risks belong only to the company and to not care about them. You have to find a way to make people realize that all security falls on them including the risks.

                    1 Reply Last reply Reply Quote 1
                    • DashrenderD
                      Dashrender
                      last edited by

                      Agreed, you have to get the onus onto the user. SMBs will almost never do this. So the training itself ends up being more of a waste of time and money.

                      You're better off removing as much access as possible from users, killing internet access, killing email, etc so they can't be tricked. Those seem like a better spend of your dollars.

                      scottalanmillerS 1 Reply Last reply Reply Quote 1
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said:

                        You're better off removing as much access as possible from users, killing internet access, killing email, etc so they can't be tricked. Those seem like a better spend of your dollars.

                        Read: Your best bet is to fire insecure staffers.

                        DashrenderD 1 Reply Last reply Reply Quote 2
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          @Dashrender said:

                          You're better off removing as much access as possible from users, killing internet access, killing email, etc so they can't be tricked. Those seem like a better spend of your dollars.

                          Read: Your best bet is to fire insecure staffers.

                          when you pay only 12/hr none of them care.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said:

                            when you pay only 12/hr none of them care.

                            Read: when you pay only $12/hr you don't care either 🙂

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @scottalanmiller
                              last edited by

                              @scottalanmiller said:

                              @Dashrender said:

                              when you pay only 12/hr none of them care.

                              Read: when you pay only $12/hr you don't care either 🙂

                              Ok, at what point do you? $15? $20/hr?

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said:

                                Ok, at what point do you? $15? $20/hr?

                                At the point where you are able to start hiring staff that cares. It's that simple. If you determine that $12 cannot get you secure staff, then paying $12 means you don't care. If paying $18/hr gets you staff that cares, that's how much you need to pay if you care.

                                That $12 means you don't care was based on the foundation of your statement.

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender
                                  last edited by

                                  OK that makes sense.

                                  The the larger problem is making the company care in the first place. Most places, including huge corporations wouldn't fire people over this. Until that trend changes, the other doesn't matter.

                                  dafyreD scottalanmillerS 2 Replies Last reply Reply Quote 1
                                  • dafyreD
                                    dafyre @Dashrender
                                    last edited by

                                    @Dashrender said:

                                    The the larger problem is making the company care in the first place. Most places, including huge corporations wouldn't fire people over this. Until that trend changes, the other doesn't matter.

                                    I agree with the problem of making the company care... but that doesn't mean we shouldn't train the end users... Even if 1 person learns something, we've don our job.

                                    DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 1
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      The the larger problem is making the company care in the first place.

                                      Is it? If the company doesn't care, you shouldn't either. Making it not a problem at all.

                                      DashrenderD 1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @dafyre
                                        last edited by

                                        @dafyre said:

                                        @Dashrender said:

                                        The the larger problem is making the company care in the first place. Most places, including huge corporations wouldn't fire people over this. Until that trend changes, the other doesn't matter.

                                        I agree with the problem of making the company care... but that doesn't mean we shouldn't train the end users... Even if 1 person learns something, we've don our job.

                                        To what end though? Spending the money but effectively getting zero security gain on the company to me is just wasting money. Even if you get 50% to sit up an listen and care, the other 50% can/will bring your company to it's knees.

                                        This must start with the company caring first.
                                        Unless I'm missing something?

                                        scottalanmillerS 1 Reply Last reply Reply Quote 1
                                        • scottalanmillerS
                                          scottalanmiller @dafyre
                                          last edited by

                                          @dafyre said:

                                          Even if 1 person learns something, we've don our job.

                                          If the company doesn't care, what makes this our job? I think the core thing here is not feeling that things are our jobs that the company has not made our jobs. It's less of an issue that a company doesn't prioritize this, but that we often prioritize it on our own.

                                          dafyreD DashrenderD 2 Replies Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @scottalanmiller
                                            last edited by

                                            @scottalanmiller said:

                                            @Dashrender said:

                                            The the larger problem is making the company care in the first place.

                                            Is it? If the company doesn't care, you shouldn't either. Making it not a problem at all.

                                            You're right I said that wrong...

                                            The larger problem is that the company needs to care first. If they don't, nothing else matters.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post