While doing research for an upcoming feature on insider threats, I had a conversation with Nick Levay, information security and operations manager at the Center for American Progress (CAP), a DC-based think tank. Although some of what he shared could not be squeezed into the article, his thoughts on the value of security education are important nonetheless, so I wanted to pass them along to you.
First, Levay calls anti-virus the worst tool in today’s security toolkit. He assured me that there is undoubtedly a role for certain technologies, but that anti-virus is really an outdated approach to security. So what is the most effective tool, you may ask?
“Education is the best tool in the toolkit these days,” Levay told me. That is something I have heard over and over again, so Levay provided me with some anecdotes to back up his claim.
Levay said the return on investment for CAP’s educational programs cannot be overstated, and that anyone who is responsible for organizational security today should, at the very least, give a spear phishing talk to users.
Since CAP started educating targeted users on how to spot spear phishing campaigns, Levay joked that they have become “detection ninjas.” Now, he continued, “most of the people who are targeted by this are so well trained to spot spear phishing that I wind up having users forward spear phishing emails to me before I can even detect them.”
Levay also cites poor password selection as a large, unintentional insider threat. He said CAP conducted a brief training session on using memory mnemonics for password selection and found that, after just one session, the percentage of strong passwords within his organization shot up by 30%, as determined by an audit.
So, the lesson here is that technology is great, if you can afford it. But a little learning can go a long way.