Read the book Security Awareness For Dummies - Ira Winkler - Page 20

Disputing the Myth of the Human Firewall


The section heading might anger a lot of security awareness professionals, but I see the idea of the human firewall as a dangerous myth. The idea that users are your last line of defense (which is a catchphrase for many phishing simulation companies) is fundamentally wrong.

First, consider that users are not the last line of defense in any practical way. For example, if a user clicks on a ransomware lure, the endpoint configuration can stop the payload from running by denying the user permission to install or execute software. Even if the payload does get installed and run, antimalware can detect and stop the ransomware. To accept that the user is the last line of defense, you have to discount many useful technologies that are commonplace in organizations.

Michael Landewe, the CTO of Avanan, said it best:

If a user is our last line of defense, we have failed as an industry.

Regarding the claim of creating a human firewall, in principle it sounds great, but any security professional knows that even technical firewalls fail. Users are less reliable than technology. Creating a human firewall implies that you will create an entire organization of users who always behave appropriately and securely. That isn’t possible, however. Humans can behave well most of the time, but no individual (and especially no group of humans) in the history of mankind has ever behaved entirely without error.

Consider also that although technologies do only what they’re instructed to do, humans can have malicious intent. If you leave your users as your last line of defense and one of them is malicious, the results will be disastrous.

I want you to create the best security awareness programs possible, but you need to remember where you fit within the overall chain of actions. If you give the impression that the user has ultimate control of your systems, then the first time a user fails, you fail in your self-described mission, which can damage the credibility of your program. Consider that you don't even see people who manage firewalls imply that their firewalls will stop all attacks from getting in. If you spout off to management that you will create a human firewall to repel all attacks targeting humans, then the first time a user fails, your program has failed based on your statements. Everything else you do will be met with skepticism, including requests for budget funds, personnel, time, and other resources. Don’t set yourself up for failure from the start.

The reality is that most people don’t give users and security awareness programs enough credit. Every time a user avoids clicking on a phishing message, your awareness efforts are successful. Every time a user locks up sensitive information, your awareness efforts are successful. Every time a user protects their screen from shoulder surfers, your awareness efforts are successful. These successes happen all the time.

Your users are a critical part of your organization’s system, and your efforts can significantly reduce loss. Aware users have helped organizations avoid disaster. I have personally been involved with users who have thwarted major attacks. Even when attacks have been reported after the fact, aware users responded appropriately, alerted the appropriate people, and significantly reduced the resulting loss.

The awareness programs you create can provide an immense return on investment. Just be sure that you set realistic expectations.
