Safety training: moving from Nick Burns to better communication


Twenty years ago, Saturday Night Live nailed a tendency in computing to be too absorbed in technical language and to do a poor job of educating users. The Nick Burns: Your Company’s IT Specialist skits showed rude IT people belittling users as they solved their “dumb” problems.

Recent experience has shown that security awareness training and most user warnings about unsafe practices can make the mistake of being too general.

An alert came in one morning about a security alert generated by my device. It had no data on what I did, what email or website, or when it happened. Just a generic “caution” and “don’t do it again”.

I wanted to get to the bottom of things. I’ve been writing about phishing scams, advising users not to click on suspicious attachments or links, and covering cybersecurity in general for years. I was intrigued. What had I done exactly? How did the wicked deceive me? Or was there a new angle to all of this that I needed to know?

I had a few round trips with a company IT specialist to clarify this. I finally managed to get this “enlightening” explanation:

“We observed a suspicious zip file which, during sandboxing, observed an execution spawning wscript.exe and querying HTTP requests reaching the malicious URL d6d99bf2[.]application[.]pgica[.]org and IP 176[.]ten[.]124[.]180 to download additional malware and removes itself after installation. SocGholish (aka Fake Updates) is JavaScript-based malware that masquerades as a legitimate browser update delivered to victims via compromised websites. SocGholish establishes an initial hold on victim networks which hackers use to target further with additional malware or even ransomware. Here, in our case, we observe a fake Edge.js, which is apparently a malicious .js. No active connection was observed with the IOC in DV. »

It didn’t help. I asked for more information about the origin of the zip file and how it was triggered. Despite many emails, I still don’t really know how it happened.

IT just treated me like another stupid user and told me to be more careful in the future. Bottom line: I learned nothing from the experience.

Check out the winners of eSecurity Planet’s 2022 Cybersecurity Product Awards

Echoes of the year 2000

It reminded me of an earlier experience during the Y2K scare in the late 90s. The media went into a frenzy over the possibility that as soon as the clock struck midnight on New Years Eve 1999, the world would end because all the computers would shut down. Why? Their clocks were set to two digits. A panic swept through IT as everyone rushed to fix the Y2K bug.

I was wondering if I might be impacted, so I bought some software from Symantec to check it out. The program did an analysis and gave me a list of hundreds of “possible problems” written in technical jargon. In other words, it hasn’t reduced to anything like, upgrading your Bios or providing any other tangible item to deal with. I tore up the list, ignored Y2K from then on, and lived to tell the tale.

Here we are over two decades later, and it seems that IT still can’t get its act together by offering sensible, target-directed user direction that is understandable and actionable.

My takeaways from the experience?

  • Some in IT are poorly suited to help users understand security-specific information.
  • Lack of detail in alerts can lead users to repeat faulty behavior.
  • Security awareness training should incorporate personalized alerts and personalized training or education to help users become more aware.

Upcoming Security Awareness Training Enhancements

“As part of security awareness training, users receive short monthly reinforcement training modules of a few minutes as well as monthly simulated social engineering test emails,” said Stu Sjouwerman, CEO of KnowBe4. “While covering the fundamentals and general things to watch out for is essential, the next step is to monitor what the employee is doing in real time.”

The good news is that such abilities are in the works. KnowBe4, for example, previewed at the Black Hat USA conference a new product known as SecurityCoachwhich will be integrated into its suite of security awareness training tools.

SecurityCoach tracks risky user behavior, such as plugging in a USB drive, clicking on a malicious attachment, or accessing a compromised website. The user immediately receives an alert specifying how this policy has been violated as well as a 30-second video security tip to explain the risk posed by this behavior. These messages can be sent via Teams, Slack or email.

“You can’t throw 15 technical terms at users that only IT and security specialists will understand,” Sjouwerman said. “Safety advice should be extremely user-friendly and non-technical.”

It’s a good start. I hope the next time I get a security alert, I can actually find out when I accidentally clicked, what, and what risk it posed.

Read next: Best cybersecurity awareness training for employees


About Author

Comments are closed.