Think security's too technical to teach to everybody? Think again.
That misperception leads to a plague of problems, from USB-introduced viruses, to spending a fortune on fixing products after they’ve shipped. In this, the first in a series on teaching security to the nontechnical, we start with converting the security heathens.
It was a ridiculous, old-school, client/server application. It moved money around internally, completely unencrypted — lots and lots of money: this was a huge financial services firm.
This wasn't in the dark ages, mind you. This wasn't pre-Internet. It was only two or three years ago.
Without encryption, anybody who knew where to put a network sniffer could intercept that traffic and do nasty things, such as spying on other network users, or pocketing passwords and other sensitive information.
What makes it even more baffling is that the fix would have been as simple as pie: turn on SSL, and the problem goes away (or, at least, intercepting data gets a lot harder).
But no, there was no encryption. The thinking went along the lines of, "The network's internal. It's more important that we secure externally facing resources, like our Web site."
Rob Cheyne has heard plenty of misperceptions like that. He's heard that security will add more work to people's days, that it adds too much time to product development, that security is somebody else's job, and that nontechnical people can't learn security because it's too complex or technical.
Cheyne is the CEO of Safelight Security, a security education company. He's worked with hundreds of companies worldwide, and he's taught security to everybody in those organisations, from IT staff to call centre crew, middle management, software architects, upper executives, and product managers.
I talked with Cheyne recently about how to teach security to the non-technical — and also to the technical, for that matter. He has a six-step process, the first step of which is to convince your trainees that security is important. What follows are his suggestions for how to do that.
(I'll be covering the other steps in subsequent articles, such as imparting a dose of hacker mindset, debunking security myths, giving demonstrations of real-world attack scenarios, teaching security fundamentals, offering specific actions to take for different roles in the organisations, and customising training for those different organisational roles. Stay tuned.)
Discuss Real-World, Industry-Relevant Security Incidents
Cheyne suggests describing three or four incidents that have happened to companies in the same industry as the organisation that's receiving the training.
Say you're conducting security training at a retail company, for example. The TJX breach of 2006-2007 would be a prime example to show how the industry is a valuable target to criminals: by the end of March 2007, the number of customer records downloaded by intruders, including credit card numbers, social security numbers and driver's license numbers, exceeded 45 million. The breach was possible because of an unsecured wireless network in one of the stores.
Most industries have their TJX.
Discuss What Attackers Would Go After
When Cheyne visits a client's site, he likes to indulge in a hobby that's common with security professionals: screwing with security. He's typically issued a badge to enter the building, but he likes to try to get in without presenting it. "I pretty much succeed 100% of the time," he said. "Once in, nobody's going to notice me. Then I get to break all the assumptions they had about their security model."
Your trainees will hopefully already have good ideas about what attackers would target in their organisation, but this kind of exercise can help prime the pump. Cheyne also uses interactive computer games where users step through a virtual office and click on security risks: unlocked computer screens, open office doors, bins full of sensitive documents.
Explain What's at Stake
Examples: Their business. Their reputation. Compliance failure. Resulting regulatory fines. Costs to investigate, mitigate, and provide identity theft protection.
You might well get pushback. Cheyne, when bringing up the TJX breach, has had to address the fact that the company's stock didn't suffer. But that's because they did things right, he said. It involved plenty of work and expense: TJX's costs had ballooned to £160 million by August 2007, according to The Boston Globe.
Wash, Rinse, Repeat
I asked Cheyne if, years after he'd conducted security training, the huge financial services company ever fixed the client/server application that was shuttling unencrypted financial data around.
He said he wasn't sure, but he kind of doubted it.
"It's recent enough that they haven't fixed it yet," he said.
But assuming that the security training was effective, and assuming that he had convinced the trainees that security was important, you'd think that they'd have taken care of such a problem, right?
"Well, some people kind of get it, and some kind of don't," he told me. "Some do, but it's typical for large companies to have a changing of the guard, and then they go back to not getting it."
The moral of the story? Convincing people that security matters isn't a one-off challenge. Expect to repeat yourself.
Editor's note: Check out Lisa's entire six-part series: