Security Training: Moving on from Nick Burns through better communication

20 years ago, Saturday Night Live nailed IT's tendency to over-engage in tech-speak and under-train users. The "Nick Burns: Your Company Computer Guy" skits featured a rude IT guy belittling users while fixing their "stupid" problems.

Recent experience has shown me that security awareness training, and most warnings to users about unsafe practices, often make the mistake of being too general.

One morning a notification came up about a security alert generated by my device. It contained no data about what I had done, which email or website was involved, or when it happened. Just a general "caution" and "don't do it again."

I wanted to get to the bottom of it. I’ve been writing about phishing scams, advising users not to click on suspicious attachments or links, and covering cybersecurity in general for years. I was fascinated. What had I done exactly? How did the bad guys trick me? Or was there a new angle to all of this that I needed to know about?

I had some back and forth with a company IT person to narrow it down. I finally managed to get this “revealing” explanation:

"We observed a suspicious ZIP file. Sandboxed execution spawned wscript.exe and made HTTP requests directed to the malicious URL d6d99bf2[.]apartment[.]pgica[.]org and IP 176[.]10[.]124[.]180 to download additional malware, and it deletes itself after installation. SocGholish (aka Fake Updates) is JavaScript-based malware that disguises itself as a legitimate browser update delivered to victims via compromised websites. SocGholish creates a first foothold in victim networks, which attackers use for further attacks with additional malware or even ransomware. Here in our case we are observing a fake Edge.js, which appears to be a malicious .js. No active connections to the IOCs in DV were observed."

That didn't help. I asked for more information on where the ZIP file came from and how it was triggered. Despite many emails, I still don't know exactly how it happened.

IT just treated me like another stupid user and told me to be more vigilant going forward. Conclusion: I learned nothing from the experience.


Echoes of Y2K

This reminded me of an earlier experience during the Y2K scare in the late '90s. The media got excited about the possibility that as soon as the clock struck midnight on New Year's Eve 1999, the world would end as all computers shut down. Why? Their clocks stored the year as only two digits. Panic swept through IT as everyone scrambled to fix the Y2K bug.

I wondered if I might be affected, so I bought software from Symantec to check. The program ran a scan and gave me a list of hundreds of "possible problems" written in technical jargon. In other words, it wasn't limited to something concrete like updating your BIOS, and it didn't give me any other specific points that needed to be addressed. I tore up the list, ignored Y2K from that point on, and lived to tell the story.

Here we are more than two decades later, and it seems IT still can't pull itself together and offer sensible user guidance that is focused on a specific goal, understandable, and actionable.

What did I learn from the experience?

  • Some in IT are ill-equipped to help users understand security-specific information.
  • The lack of detail in alerts leads users to repeat the same mistakes, because they never learn what the mistake was.
  • Security awareness training should include tailored alerts and customized training or education to help users become more aware.

Security awareness training improvements are coming

“As part of the security awareness training, users receive short, monthly reinforcement training modules of a few minutes, as well as monthly simulated social engineering test emails,” said Stu Sjouwerman, CEO of KnowBe4. “While it’s important to cover the basics and general things to look out for, the next step is to monitor what the employee is doing in real-time.”

The good news is that such capabilities are in the works. For example, at the Black Hat USA conference, KnowBe4 previewed a new product called SecurityCoach that will be integrated into its suite of security awareness training tools.

SecurityCoach tracks risky user behavior such as plugging in a USB drive, clicking on a malicious attachment, or accessing a compromised website. The user immediately receives an alert detailing which policy was violated and how, along with a 30-second video safety tip explaining the risk posed by that behavior. These messages can be sent via Teams, Slack, or email.

“You can’t throw 15 technical terms at users that only IT and security professionals understand,” says Sjouwerman. “Safety tips should be extremely user-friendly, not technical.”

This is a good start. Hopefully, the next time I'm the subject of a security alert, I can actually find out when I clicked unwisely, what I clicked on, and what the risk was.
