If you attend a cyber security conference, you'll probably hear a lot about social engineering threats and what we need to do about it. You may also hear a lot about security awareness training and how we need to be doing more of it. If you read the news or follow along on people's Twitter feeds you'll see a lot of "users are dumb" rhetoric about why they can never seem to spot a phishing attack when it hits their inbox.
I believe that we are asking ourselves the wrong question. Instead of asking ourselves why users keep falling for phishing attacks why not ask ourselves why we keep letting it matter? Why do we allow those attacks to get through our systems, to their inbox? Why do we allow poor authentication practices or poor network design facilitate a successful attack?
Users weren't hired to be security professionals, you were
The user base you are trying to protect was not hired to be security professionals, just like you weren't hired to do their job. Let's say that you work in a hospital and you're trying to get doctors and nurses to be more diligent about the email and phone calls they receive. They are trying to keep people healthy, save lives, do triage when people are under physical and mental duress.
Let me ask you this...could you take a look at this picture and tell me what's going on?
I'm sure there are some of you who could...kudos because you are more medically inclined than I am. When I've done this exercise with security professionals, I always hear that they could not interpret an x-ray image, unless it was something exceedingly obvious. Why then do we hold our physicians and nurses to a different standard than we have for ourselves?
What about executive assistants, trying to get through as many inbound requests for their bosses time, prioritize things accordingly, and make things easier for the executives they support. What about sales and business development teams are interacting with customers and prospects, exchanging contracts trying to produce revenue for their organization?
These are all real roles in organizations with real challenges, none of which typically have an element of security woven into their performance measures, their bonus or compensation structure, or their general job responsibilities. Yet, the security community frequently finds itself at odds with these types of roles based on their susceptibility to phishing attacks.
Circling back to my original question; why?
Asking the right questions
Any time that an attack occurs, especially one that is successful, I believe that it is essential for us to figure out why that was able to happen. What was it about a process, a system, technology, etc. that enabled that attack to start and then spread? Was there a missing control, was there too little segmentation, was it possible to spoof emails, what was it?
Instead of jumping the gun to blame and punish our users, we should actively seek out ways to decrease the things our user base needs to think about and if an attack still sneaks through, how to lessen the impact.
You're probably thinking that I'm anti-training if you're still reading at this point. That's not true; I think training has its place, but we should be focusing on the 20% of things that produce 80% of the results. We should be giving our users a particular set of security skills and mindset instead of trying to get them to think just like us. We need to make their jobs easier. That is how I believe we will be able to make a dent in the social engineering epidemic that we face today.
Lead with empathy
I will end this post on this note, it's important in this situations to approach your users with empathy. Empathy towards the job they are in, the pressures they're under, the deadlines they have, the understanding of the technology they operate with. By putting yourself in their shoes it will become easier to see why things need to be simpler and why the security community needs to find ways to get in front of the threats we face instead of pushing the blame off to a user who falls for a phishing attack.