There is one form of security training that I advocate: Send your developers and system administrators to hacking school. Teach them how easy it is to bypass most security settings and defenses. By doing so you will induce a healthy paranoia that will counteract the typical attitude of “security slows me down.”
But for executives, call center personnel, plant labor, shipping and receiving personnel, and non-IT staff you can find much better ways to invest your IT security budget than in security awareness training.
Protect them against executables in emails. Install anti-spyware and anti-phishing defenses. Make it impossible for someone to give out credentials over the phone by deploying token authentication devices. Use proximity IDs, biometrics and cameras for building access if you perceive a risk of unauthorized personnel wandering around your facilities. Don’t rely on your people to stop suspicious characters.
For every attack there is a defense. For every gambit in chess there is a response. But social engineering is too broad in application to be countered with just security awareness training.
In most cases you are better off investing in new controls and technology than throwing away resources on ineffective training programs. When confronted with an argument in favor of training ask yourself: “How can I address this risk by changing my policies and engaging technology solutions?” before you authorize spending on something that will do nothing to increase your overall defense posture or reduce your risk.
Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner’s Thought Leadership award for 2003 and was named “One of the 50 Most Powerful People in Networking” by Network World Magazine.