Security awareness techniques rarely work, because too few employees spot or report intrusions.
Speaking at the opening of the Geek Street stage at Infosecurity Europe 2019, Holly Grace Williams, technical director at Secarma, said that too much security awareness training is taught from a negative approach, and this doesn’t work.
Pointing to the common practice of “tailgating” into a building behind a legitimate employee, Williams said that when conducting physical security tests she had rarely been challenged as a tailgater. In one instance she was able to walk through a door that had been propped open with a bunch of car keys. From there, she reached an unattended security desk, where the guard’s email and camera screens had been left open.
On the subject of physical security barriers, Williams said that the alarm on these is often so quiet that no one would notice it sounding. Another way to bypass barriers is to wait for a scheduled fire alarm, when the whole workplace leaves together and the barriers are either bypassed or opened.
Turning to the “bystander effect,” Williams pointed to academic research on how people react in emergency and non-emergency situations. “In a group, 10% will do something about it; if they are on their own they are more likely to do something,” she said. “A stranger is less likely to react if they are surrounded by other people.”
Williams added that staff will not challenge strangers, and that strangers “infrequently get challenged.” She said that in a test she will often go with another tester, and when she is challenged the other person acts as a “plan B.”
“Also, you are less likely to be challenged with two people,” she said. “If staff do not have the courage to challenge them for ID, is there a way to report it? This is a problem with bystander effect.”
In closing, Williams also mentioned problems with phishing emails and poor password practice. For the former, she said that all too often people are caught out by phishing emails containing simple spelling mistakes, and there is no way for employees to spot and report malicious attachments.
For passwords, Williams recommended using multi-factor authentication or password managers, but asked how many businesses actually provide a password manager for staff to use.
Concluding, Williams said that there is a disconnect between what pen testers and cyber-criminals can do, and what staff can report, and “diffused responsibility lowers the chance of a challenge.”