Security Training: Moving on from Nick Burns Through Better Communication

Twenty years ago, Saturday Night Live nailed a tendency in IT to be overly absorbed in tech-speak and to do a poor job of educating users. The Nick Burns: Your Company Computer Guy skits showed rude IT guys belittling users as they fixed their “stupid” problems.

A recent experience highlighted that security awareness training and most alerts to users about unsafe practices may be making the error of being too general.

An alert came in one morning about a security alert generated by my device. It contained no data about what I had done, what email or website, or when this happened. Just a generic “watch out” and “don’t do it again.”

I wanted to get to the bottom of it. I’ve been writing about phishing scams, advising users not to click on suspicious attachments or links, and covering cybersecurity in general for years. I was intrigued. What had I done exactly? How had the bad guys tricked me? Or was there some new angle to all this I needed to know about?

I had some back and forth with a corporate IT guy to narrow it down. I finally managed to get this “enlightening” explanation:

“We have observed a suspicious zip file Edge.8ce3fe.zip which on sandboxing, observed execution spawning wscript.exe and querying HTTP requests reaching out to the malicious URL d6d99bf2[.]app[.]pgica[.]org and IP 176[.]10[.]124[.]180 to download additional malware and deletes itself after installation. SocGholish (aka Fake Updates) is a JavaScript-based malware that masquerades as a legitimate browser update delivered to victims via compromised websites. SocGholish establishes an initial foothold onto victim networks that threat actors use for further targeting with additional malware or even ransomware. Here in our case, we observe fake Edge.js, which apparently is malicious .js. No active connections were observed towards the IOC’s in DV.”

This didn’t help. I asked for more information on where the zip file had come from and how it was triggered. Despite many emails, I still don’t really know how it happened.

IT just treated me like yet another dumb user and told me to be more vigilant in the future. Bottom line: I learned nothing from the experience.

See the winners of eSecurity Planet’s 2022 Cybersecurity Product Awards

Echoes of Y2K

This reminded me of an earlier experience during the Y2K scare of the late ’90s. The media went into a frenzy over the possibility that as soon as the clock struck midnight on New Year’s Eve of 1999, the world would end as all computers would shut down. Why? Their time clocks were set for two digits. A panic went through IT as everyone scrambled to fix the Y2K bug.

I wondered if I might be impacted, so I bought software from Symantec to check it out. The program did a scan and provided me with a list of hundreds of “possible problems” written in technical lingo. In other words, it didn’t narrow anything down to something like, upgrade your Bios or provide any other tangible item to address. I tore up the list, ignored Y2K from that point onwards, and lived to tell the tale.

Here, we are more than two decades later, and it appears IT still can’t get its act together by offering sensible user direction directed toward a definite target that is comprehensible and actionable.

My takeaways from the experience?

• Some in IT are ill-suited to helping users understand security-specific information.
• Lack of specifics in alerts may cause users to repeat their flawed behavior.
• Security awareness training should incorporate tailored alerts and customized training or education to help users become more aware.

Security Awareness Training Improvements Coming

“As part of security awareness training, users receive short, monthly reinforcement training modules of a couple of minutes as well as monthly simulated social engineering test emails,” said Stu Sjouwerman, CEO of KnowBe4. “While it is vital to cover the fundamentals and broad things to watch out for, the next step up is to monitor what the employee does in real time.”

The good news is that such capabilities are in the works. KnowBe4, for example, has offered previews at the Black Hat USA conference of a new product known as SecurityCoach, which will be integrated into its suite of security awareness training tools.

SecurityCoach tracks risky user behavior such as plugging in a USB drive, clicking on a malicious attachment, or accessing a compromised website. The user immediately gets an alert specifying how this violated policy along with a 30-second video security tip to explain the risk posed by that behavior. These messages can be sent via Teams, Slack, or email.

“You can’t throw 15 technical terms at users that only IT and security specialists will understand,” said Sjouwerman. “Security tips should be extremely user-friendly and non-technical.”

That’s a good start. Hopefully, the next time I am the subject of a security alert, I’ll actually be able to find out when I ill-advisedly clicked, on what, and what risk that posed.

Read next: Best Cybersecurity Awareness Training for Employees