Business Reporter

American View: Are Your Cybersecurity Awareness Month Activities Wasting Everyone’s Time?


It’s October, which means it’s “Cybersecurity Awareness Month” again. This year’s is the 19th iteration of companies devoting an entire month to the pursuit of glamourising and gamifying our arcane profession. Organisations worldwide are rolling out funny videos, mock game shows, branded swag prize programs, TikTok dances, and god-knows-what-else this October to try and convince their employees to … be “more security mindful” … or something.


To be clear, I’m not bashing the concept of dedicating time each year to raising awareness; that’s fine. I’m not mad about the carnival atmosphere that this once-sedate holiday season has evolved into (“It used to be about the passwords, man. Now it’s so … commercial!”). It’s all done in good fun. Heck, I like CAM because it’s the best time of the year to unbutton the metaphorical starched collar and get creative. Just like Halloween, CAM can be fun for everyone. Just … don’t expect it to solve your org’s more vexing security problems.


The biggest problem I see with CAM is that it often lacks focus. I chat about security outreach campaign plans with my peers, to keep up with (i.e., borrow) their best practices. Frustratingly, everyone I discuss CAM with seems to share the same “enterprise wide” attack plan for their initiatives: they saturate their user base with lowest-common-denominator messaging that promotes the importance of basic security skills. “Strong passwords are good!” is … fine as messages go, I suppose … but aren’t we already teaching that concept in every mandatory course in our users’ curricula? Is this message “reinforcement” really helping to change anyone’s most counterproductive security behaviours? I’m thinking “no.”


It can’t hurt, sure. That said, we’d get a lot more “bang for our buck” if we deemphasized the wide dispersal of basic advice and focused more on targeting the most ineffective processes in our organisation with precise pressure to improve. To paraphrase one of my senior sergeants, “why yell at ten privates about a recurring problem when you can chew out their squad leader who’s responsible for fixing the problem? Focus your efforts where it counts, lieutenant.”


As a practical example of this, consider this story I heard last week from “Jordan” (not her real name). Jordan works part time in a clothing shop that’s part of a prestigious national chain. Jordan’s been a top performer at her store for years and greatly enjoys her work. Despite not being particularly interested in technology, Jordan doesn’t mind the CAM messaging that her employer deploys every October. Jordan is well “aware” of the need for good personal security habits, having had her credit card numbers and personal information stolen more than once.

Jordan once had her credit card stolen at a duty-free store in Heathrow and used to purchase goods overseas before her flight home landed. She’s a hardcore believer in personal security practices.

When Jordan’s boss phoned her last week and let her know that she was overdue for another mandatory training module, Jordan promised to try to knock it out first thing next time she had a shift. Why not take the course immediately? Three reasons: first, her company doesn’t allow their part time workers to remote into the company network … for “security reasons.” Seems like a weird restriction in the COVID age, but sure. Didn’t two years of “work from home” restrictions force businesses to invest in remote access solutions? Not this one!


That restriction meant that Jordan would have to drive to her store and take the course on a company PC. Not a big deal, since she lives less than 15 minutes from her store. Unfortunately, her employer’s HR policies prohibit workers from performing any work without being scheduled by a supervisor … and if Jordan drove to the store to take a thirty-minute training module, her supervisor would have to put her on the official work schedule first. Doing work without official permission from management constitutes grounds for dismissal. So, that’s out.


Finally – and this is the part that inspired this column – Jordan couldn’t access the new security course even if she was in the office, thanks to her employer’s poorly designed two-factor authentication (2FA) setup. Hence why she would only “try” to complete the danged thing.


Everyone’s familiar with 2FA these days. Getting into your bank’s smartphone app or website requires you to remember your unique account name and password and be able to receive and return a unique passcode sent to a personal device. I suspect that 10% of all CAM messages this October will mention how great 2FA is and why users should embrace it. We’ve been banging that drum for years … and our efforts have largely worked. 2FA is largely taken for granted as “how things are done” now. Woo-hoo. Can we check that box “done” and move on?


Jordan doesn’t need to be persuaded to use 2FA on all her accounts. She’s used it for years to secure her mortgage, her bank accounts, even her online shopping. When her employer rolled out 2FA protection for their corporate network, Jordan was a-okay with it. What she wasn’t okay with was how it was implemented.

Buckle up. It’s about to get dumber.

For reasons I can’t begin to fathom, Jordan’s company decreed that they wouldn’t register their users’ personal devices in their corporate 2FA program. So, that expensive smartphone that Jordan takes everywhere? The device that only she possesses? The encrypted computer that’s biometrically protected and always in her pocket? The device she religiously patches and trusts for all her other 2FA authentication needs? Yeah, that device isn’t allowed.

Instead, Jordan’s employer will only register company landlines as 2FA devices. If you want to receive your one-time access code to complete your login at Jordan’s company, you must be in the store, next to a telephone, and free to take a call. Realistically, this means Jordan can only access her training assignments either before her store opens or well after it closes. The presence of any customer at the till means that phone calls must roll to voicemail.

To add insult to inconvenience, Jordan’s company’s security team registered the wrong office phone in their 2FA system. Jordan’s store comes in two parts: the public side of the store with all the merchandise, and a small, private office-slash-stockroom in the back. The store’s only PC is in the back room, and it has a company phone positioned right beside it. Logically, that should be the phone registered for 2FA … but no. Her IT team registered the phone at the checkout counter … the one next to the cash registers and the front door. Worse, the IT crowd refuses to change Jordan’s store’s info.

So, if Jordan wants to complete her new mandatory CAM22 “awareness” course(s), she’ll have to enter her user ID and password on her store’s only corporate PC in the back room, then sprint to the front of the store to pick up the till station handset to receive her random string of 2FA numbers, memorize the string, then sprint back to the stockroom to enter those numbers before they expire. It can be done, but it usually takes a few tries … provided there are no interruptions.

Perhaps this baffling “solution” was intended to be a subtle way to help the employees stay fit. More likely, I think, it was a combination of poor solution design and indifferent tech support. Jordan and her bosses have griped about this to their employer’s IT staff and have never found anyone who cared. As such, they’ve largely given up trying to stay current with their security team’s “super important security training.” I can’t blame her; if the company can’t be bothered to make their training accessible, then why should the employees make a heroic effort to complete it? Especially when the “training” is likely to be generic platitudes and reminders of the importance of concepts that they already know and want to implement?

“HO, HO! HEY, HEY! WE WANT WORKING 2FA!”

Using Jordan’s story as an example, I think it’s a bloody waste of time saturating your organisation’s users with low-level “reminders” when you’d get a hell of a lot more value out of targeting the most dysfunctional elements in your organisation with pressure to correct systemic inadequacies. In Jordan’s case, her employer’s security team could improve their effectiveness ten-fold overnight by convincing their IT department to fix their bloody useless 2FA solution!

Effective systemic security changes must start with your most egregious – and self-imposed! – internal obstacles. Fix the issues that prevent users from complying with their mandatory security controls first, then your “awareness” messaging won’t fall on deaf ears. Jordan is an excellent example of a user who wants to comply … and is prevented from complying by the same people lecturing her on the importance of compliance! That sort of Catch-22 would motivate me to defenestrate an idiot or three. For better or worse, Jordan is more forgiving than I am. I don’t understand how she can be so chill about it.

Anyway, that’s my Cybersecurity Awareness Month advice, folks: fix your own foul-ups first before haranguing your users. Make your security systems and processes work so that it takes more effort to bypass them than to simply comply with them. Not only will that make your “training” more effective, it will build essential trust in your users by demonstrating that your security team really does have the users’ best interests in mind.
