Kevin Beaumont
The cyber awareness industry - phishing simulators and such - is almost all complete garbage, just so y'all know.
If you look at your proxy logs, you'll quickly discover you've got entire departments whose job involves opening links and documents from people unknown (also almost every manager does it, when reviewing CVs etc).
If your security depends on nobody clicking a bad link, security and IT fucked up their jobs, and awareness training is just a sticking plaster on your own poor choices.
Lesley Carhart :unverified:
@GossiTheDog it was a good general idea that went horribly wrong, just beyond the pale in practice
Lesley Carhart :unverified:
@GossiTheDog I have had clients that just blanket fire anyone who clicks. Doesn’t matter their tenure or role.
Richard Stocks
@GossiTheDog @hacks4pancakes One of the most interesting talks I’ve seen in recent years was about how an org had applied their overall culture of zero blame in safety incidents to security as well.
Just as the driver for safety is to use incidents as a learning exercise, taking the same approach with security incidents led to an environment where people felt safe to report mistakes, knowing that they wouldn’t be reprimanded or suffer any consequences.
Result?
Everyone feels comfortable to report even issues proactively, which has put the response teams on the front foot and measurably improved their overall security posture.
They also scrapped the fake phishing campaigns, which were felt to be creating a feeling of “they’re always trying to trick us or catch us out.”
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.