Showing posts with label Security Awareness.

Friday, June 27, 2014

Training Trouble: Why E-Learning Doesn't Work for Everyone

I took a little look back at my calendar today and it seemed high time for a blog. My colleagues and I took a little hiatus to finish up the first draft of our corporate book—a project 6 months in the making and one we are very excited to be bringing your way soon. Check back throughout the year for more information about how to get a copy of our step-by-step guide, From Here to Security.

But for now, we're back in the business of blogging—and with something a little different this time.
I know my blogs usually cover ITSec, security breaches, and big business blunders when it comes to securing sensitive information. But in my work on the book, I've really felt a renewed interest in covering the "Why" of all that. Why are companies struggling to close the gaps in corporate security? Why are we seeing a dramatic rise in security breaches in the news?

While I don't believe there is one right answer that covers everyone, I do think that inadequate training has a lot to do with it.

I was poking around some e-learning sites today and stumbled across this article: 5 Reasons that Everyone Should Know: Why E-learning Projects Fail. And, in fact, Sonal Paul does a pretty good job laying out a number of the pitfalls companies fall in when establishing an online training program. According to Paul, the 5 main problems are

  • Poor Need Analysis
  • Gaps in Communication
  • Poor Project Management
  • Failing to Understand the Learner
  • Wrong Instructional Strategy

Bing, bing, bing! That list hits some pretty big nails right on the head. As a company that specializes in crafting training campaigns and individual courses for big businesses, I'd say that our clients run into at least one of these in almost every project (and especially big projects usually struggle with all five).

But listing the problems doesn't even come close to solving them. Many of our e-learning clients would be ill-equipped to address these issues even if they were well aware of the problems up front. So I'd like to take Paul's article a step further and offer some practical advice on each of these points.

Wednesday, May 7, 2014

Data Breach Costs Rise 9% in 2013


So just how much money did companies lose last year to data breaches? Which industries are most at risk? Let’s break down the facts for 2013:
  • Average cost of a data breach to US companies: $5.4 million
  • Average cost per lost record: $201
  • Industries with highest breach costs (in this order):
    • Healthcare
    • Transportation
    • Energy 
    • Financial services 
    • Communications 
    • Pharmaceuticals
    • Manufacturing

While 2013 did not reach 2011’s high ($214 per lost record), this information still represents a 9% rise in data breach costs from last year’s $188 loss per lost record—and they think this may be due to loss of customers. A 15% “churn rate” (or tendency for customers to abandon a company) based on a data breach represented a steep increase from prior years. Folks are getting wise to companies that don't make securing their sensitive information a priority.

Will this rising cost trend cause companies to sharpen their security behaviors and stay on top of the dangers? We hope so. After all, security is our business. 

Maybe your company is in that high-risk list. Maybe you are a small company with limited resources that still feels the pressure of social engineering and identity theft. Or maybe you just need more ideas about how to secure your own company’s assets. Consider Sight Training’s library of security courses, security awareness campaigns, or even social engineering consulting and penetration testing. These first steps can go a long way towards ratcheting those costs down and keeping customers feeling safe and satisfied.

Wednesday, April 30, 2014

Oh the Humanity: Picture of a Thief

In order to improve security awareness among staff, the first step is to change each employee’s mental picture of what it means to be a thief. Not every social engineer who calls will be an easy-to-spot gentleman with an oily voice and diabolical laugh. Awareness cannot be based on preconceived notions about gender, personality, and level of authority.

In order to be successful, social engineers will go to any lengths, will play on your employees’ weaknesses, and will find ways to get in their heads. For many men, that weakness is a friendly girl.

For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.

Thursday, April 24, 2014

Are Buzzfeed Quizzes Lowering our Defenses?

So I’ve been toying with shutting down my Facebook account again—mainly because it gets on my nerves. The simple act of scrolling through the posts each morning has reached a ratio of 20% pleasurable and 80% grind. One reason? Buzzfeed quizzes.

Oh, Buzzfeed quizzes. Zimbio quizzes. Shudder.

To be fair, I’ve taken my share. The nerd gene in me just has to know what character I most identify with in every Joss Whedon universe. And while I rarely share my results (because that’s pretty annoying), I have started to wonder about some inherent dangers in the culture of quiz taking.

So, I spent a little time on “Internet research” yesterday (read: surfing the web). I wanted to see if I could get any hard, fast evidence that the data in Buzzfeed quizzes were dangerous. Do they harbor malware? Are they used for phishing purposes? Are there records of any data breaches that stemmed from a Buzzfeed quiz?

Not really. Although it would be a pretty clever ruse for social engineers, it appears that the quizzes are fairly harmless. The danger, it seems, lies more in the attitude and culture behind these personality tests. So many of my “friends” (ok, friended acquaintances) rant regularly about the dangers of Facebook privacy settings. They have a real “Big Brother is watching” or “Everyone is out to get my personal information” complex. But these folks may be the very same ones who will readily answer personal question after personal question in a Buzzfeed quiz and then share the answers with anyone who scrolls past their profile.

Jordan Shapiro hit the nail on the head for me in an article this past January.

“Why is it that when it comes to novelty quizzes, we enjoy being analyzed by simple algorithms that divide and reduce us into a limited number of determinate categories, but when it comes to Google and the NSA we’re terrified of the same thing?”

Personal information is personal information, whether it is stolen from us by a social engineer, secretly gathered by the NSA, or voluntarily offered through an online personality quiz.

We seem to have developed an almost desperate need to share our opinions or facts about ourselves in an effort to identify with a larger group of like-minded people. Go ahead and admit it. You feel good when your poll answer is the most popular. The appeal of belonging has made many of us irresponsible—and irresponsible Internet users can be easily lured out of their comfort zones and into a trap.

While the danger may not come directly from an online quiz, click-happy Internet users are bound to slip up in other areas. And the more comfortable we become with oversharing, the more likely we are to find ourselves victims of social engineering scams or identity theft.

“Well, but…what difference does it make?” you say. “It’s not like they’re asking for my social security number. The results are all made up.” OK, that’s true. There is no proven rubric designed to accurately determine which superpower you should have, or whether or not you would in fact die of dysentery on the Oregon Trail. Yet, that does not mean the questions have no value to someone.

“We brush them off as ‘merely entertainment,’ forgetting that by participating–through the act of clicking–we’ve once again provided Google with a plethora of personality data that is forever stored in our file,” says Shapiro.

In fact, some limited evidence suggests that quiz and Internet poll builders may be inserting more probing questions into harmless entertainment quizzes to get an idea of who you are, how you behave, or even what you might choose to buy. Lee Munson at BH Consulting gave his take on it in this week's Security Watch blog on oversharing. 

“…in a few instances the polls can pose some more serious questions…sometimes some of the sneakier sites on the web will even make completion of the poll mandatory in order to proceed onto your ultimate aim of, say, reading a particular news story. Such polls may not demand your name and address but they do drift roughly into areas of personally identifiable information.”

He also offered a bit of sound advice.

“If you share information you need to be alert. Even if you are divulging personal information within an environment in which you feel safe, you need to be certain that the audience is the one you expect. I myself have a few friends who have completed polls on Facebook only to later discover that they actually handed all that info to a third party unawares.”

It may be time to find new ways to entertain ourselves rather than buying in to a culture of irresponsible clicking and mindless answering. While I may never know which Twin Peaks character I am or how well I know the movie ‘Clueless,’ at least no one else will either.


Thursday, April 10, 2014

More Hooks in the Water: Spearphishing Up 91%

This just in from Symantec: spearphishing increased 91% in 2013.

Here’s why: it still works. Even though security awareness training and a constant stream of worrisome news stories may be lowering the average employee’s click-through rate on run-of-the-mill phishing emails, social engineers still know just how to pinpoint the areas that will lower even a seasoned email user’s defenses. That’s just what spearphishing is: targeted attacks that are hand-crafted to startle or scare an employee into making a bad decision—usually clicking an embedded link that routes to a fraudulent website prepared to collect personal information.

According to Symantec, two of the most common words in last year’s string of emails were “order” and “payment.” In our experience, words like “benefits,” “payroll,” “cancelled,” and “dropped” also do the trick.

Wednesday, March 26, 2014

Phone Fraud Flavor of the Month: 2014's IRS Scam

I spent a little time this morning reading about that new IRS scam that’s running rampant during the 2014 tax season. You know the one—you can read all about it here. It’s the one where social engineers claiming to be IRS officials bully people into offering sensitive information through threatening phone calls.

Actually, that doesn’t sound so new, does it?

That’s because it’s not. It’s the same pretexting technique that scammers have been using for years. Even though each year (or each tax season or election or Olympic Games or world relief effort) brings a new wrinkle to the scam, there is nothing new here, folks. It’s just another example of how thieves try to steal sensitive information from regular people. Every. Single. Day.

The possibility of daily threats demands constant vigilance—and you are raising your awareness just by reading this. But maybe it’s time for a little refresher on the best ways to handle any social engineer who comes calling.

Tuesday, March 11, 2014

It Could Happen to You: The Value of Small Biz to Attackers

Read this little article yesterday and thought it might make a nice follow-up to last week’s interview with Naoki Hiroshima. Quick update on that story: @N has been restored to its rightful owner.

Unfortunately, though, that was not an isolated incident. In fact, according to this recent article on The Verge, small and mid-range companies should be especially alert to these kinds of attacks.

“Stories like Meetup's are less surprising to companies in the business of DDoS mitigation — like Cloudflare, which is currently helping the site recover. CEO Matthew Prince says they're most commonly launched against gambling sites or midrange e-commerce sites, as in this example from 2012. They're businesses with enough success to suffer from a few days of downtime, but often not enough foresight to invest in DDoS protection.”

Thursday, December 19, 2013

Wasted Energy: How Info Purges and a Third-Party Test Could Have Helped the DOE

There’s been a lot of online chatter this week about last summer’s Department of Energy breach—and rightly so. 150,000 affected employees is nothing to sneeze at. The worst part? All the affected employees may not even know yet.

The Real Cost of Data Breach Cleanup

In our experience, there is not a deep enough respect in the market for how difficult and expensive the notification requirements for data breaches can be. Not only can this cause public embarrassment, but it can also put the organization at serious legal and financial risk. Many organizations are worried mostly about the intrinsic dangers of losing the actual data but show little fear of, or motivation to invest in preventing, the notification and remediation process that follows.

Wednesday, December 11, 2013

Picture Yourself Secure: Passwords, Phrases, and the Future

In 1492, Columbus sailed the ocean blue…

Every Good Boy Does Fine….

Thirty days hath September….

Ah yes…mnemonic devices. Those performance-enhancing tools used successfully by middle schoolers and beginner-level music students all over the country for…well, for forever, it seems.

Enter any 7th grade classroom on test day and you’ll see small, strained faces searching their memory banks for that rhyme or song that will bring to mind the order of taxonomy (“King Phillip Opens Five Green Snakes”) or the five Great Lakes (HOMES).

Depending on your college degree, you might have carried this technique into college. But most of us probably gave up these memory aids along with No-Doze and an actual Spring Break after tossing our grad cap in the air.

But why? The human brain loves association and repetition at any age and for any reason—and that’s why researchers at Carnegie Mellon think we should keep it up when it comes to security.

Tuesday, December 3, 2013

Oh, The Humanity: The Danger of Anonymity

And now for something a little different. Throughout our “Oh, the Humanity!” series, we want to demonstrate some of the most dangerous ways social engineers can infiltrate a company—and pretty often, that involves the phone or email. But every now and then, it’s a simple (and downright silly) move that gives a thief access to very sensitive information.

Security Breach: Signed, Sealed, Delivered


Here's the story. When we begin a project with any company, one of the things we most want to demonstrate is how easily we can get access to their network as outsiders. While social engineers are frequently insiders, we often attempt to replicate that level of access from our “basement.”

In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD and not expose ourselves as social engineers.

Tuesday, November 19, 2013

Open Letter to IT Departments: People are Important to Your Security Plan.

Read a Dark Reading article this morning that I really enjoyed. First of all, any article on information security that can work in the zombie apocalypse is A-OK in my book. Nicely done, Glenn Phillips.

And you know, the comparison works surprisingly well. Way too many businesses focus on just a few security dangers (for example, amassing weapons to blow away those pesky zombies) without addressing the whole picture of security (forgetting to stockpile water so you don’t…well…die).

Another problem? Letting an IT team dictate what works and what doesn’t without really considering what Phillips calls “the human component.”

I especially identified with Phillips’ example of the IT department requiring a new impossible-to-remember password every 60 days. I’ve worked in places like that, where IT made those sorts of demands with a sort-of “Do it or else” attitude. This was ineffective. Those demands were usually 1) ignored and 2) laughed at.

Thursday, November 14, 2013

Oh, the Humanity! Train Employees to Say "No" to Social Engineers

Let’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.

After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.


Thursday, October 31, 2013

Frontline Employees: Stop Being Polite and Start Getting Suspicious

Back in the late 90’s, I began a career path in college administration. I started slow, worked my way around a few schools, and tried out lots of positions: lowly student intern, undergrad admissions officer, international student admissions coordinator, marketing and creative officer. At one school, I even took over admissions for a while.

And I loved it, most of the time. There is something exciting about growing a department from the inside; creating policies and procedures that improve life for everyone, helping young people realize their dreams. I worked at some outstanding institutions.

But every institution I attended, visited, or worked for struggled with a common issue: low-level security awareness among frontline employees.

Tuesday, October 29, 2013

Employees and Social Media: If You Can’t Beat ‘Em, Then Train ‘Em.

With the exception of a few stodgy holdouts, pretty much everyone has a social media account or two—or maybe five. I mean, why share everything on Facebook? Why not open up the fascinating details of your suburban, middle-class life to a wider audience? There are life-changing food photos to post to Instagram, quippy thoughts to share on Twitter, and that hilarious meme you whipped up last week that’s begging to get posted on Reddit. More exposure! More, more, more!

An awful lot of us have this attitude now—and if your supervisors are aware of your tendency to tweet first and apologize later, then they may be freaking out. In fact, according to a Javelin Research report from earlier this year, 69% of companies are concerned about employees’ social media use. While a half hour here or there may not seem like much, even on the company clock, it can add up to a lot of lost revenue, thousands of security threats, and plenty of potential bad press if you can’t keep it in check.

Fortunately, according to CSIdentity, businesses have two good options to keep their employees’ social media usage from causing harm to the business: create clear policies and keep employees educated.

Friday, October 25, 2013

Cute-Girl Voice: A Social Engineer's Secret Weapon

This just in: a highly informal study of a teeny tiny group of people suggests that men may be more likely to give up sensitive information over the phone if they think they’re speaking with a cute girl.

Surprised? Yeah, me neither. What did surprise me, though, was just how easy social engineering really was.

Tuesday, October 15, 2013

Information Security in 2013: Are Passwords Really Dead?

According to Heather Adkins, Google’s information security manager, “the game is over” if your company is still relying on passwords as a primary form of information security protection.

Adkins laid it all out when speaking at a recent tech panel. Apparently, Google’s done with passwords and we should be too. She went on to describe a new means of authentication that could require physical tokens embedded in clothing. And who’s behind this world changing, space-age technology? You guessed it—Google.

Thursday, October 10, 2013

Sex, Money, and Friendship: Phishing Bait that Works

In a recent study by TNS Global, 30% of the 1000 polled said they would open a general phishing email even if they thought it had a virus. And if the phishing emails are crafted to be especially enticing, then the percentage is even higher.

Wait...what?

Evidently, a simple email click is still awfully hard to protect against. Even though we all know what to do (and what not to do) a compelling email can throw good sense out the window and even the most educated people can fall for it. According to the study, this is especially true if the email tempts women with social networking invites (interesting) or tempts men with money, power and sex (yeah, no kidding).

Tuesday, October 1, 2013

So What Does the Dropbox Hack Mean for You?

So, a couple of months ago, two developers decided to hack Dropbox. Just because. You know what this world needs less of? VOLUNTEER hackers.

Tuesday, September 24, 2013

Mobile Device Security: More than Software

When it comes to mobile security, everyone is still a little bit in the dark. After all, everyone and their grandma has a smartphone or tablet right now, but the general public’s knowledge of the true threats to their devices is probably limited to computer viruses or bugs—little things that are automatically corrected with anti-virus software.

Wednesday, September 11, 2013

California Releases First Data Breach Report

The State of California just released its first data-breach report for 2012 last week. Some of the report’s key findings include:
  • Reports of 131 data breaches affecting more than 500 Californians.
  • The breaches exposed 2.5 million Californians’ personal data.
  • More than half of the breaches (56 percent) involved Social Security numbers.
  • The use of encryption could have protected 1.4 million Californians’ data.
Yet, one of the most striking quotes was that “more than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.”

That says to me that breaches are all about people—whether they are social engineers or hackers intent on fraud, or regular hard-working employees who aren’t adequately protecting the information they access.

In either case, it’s obvious that California can’t really blame the computers. These breaches are a people problem, and can also be solved with people—people who are adequately trained to ward off hackers and social engineers and take steps to safeguard data or devices that contain sensitive information.

California Attorney General Kamala D. Harris opened the report by reminding readers of California’s strong consumer privacy laws and required data breach notification. If our “strongest” state still has data leaks to plug, then I wonder how the other 49 are faring.

http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf