Stu Sjouwerman, founder and chief executive of KnowBe4, runs a course aimed at protecting organizations from security breaches that start with an end user. Sjouwerman believes that such training is one way companies can build a strategy of defense in depth.
As reported by InfoWorld, part of the training material has well-known former hacker Kevin Mitnick demonstrating the threat posed by seemingly innocuous actions that phishers want users to take, such as opening a particular document or clicking a URL.
“All organizations should take the defense-in-depth concept seriously, and especially pay attention to the outer layer: policies, procedures, and awareness,” Sjouwerman told InfoWorld.
The company starts with a baseline “Phishing Security Test”: users in an organization are sent simulated phishing emails, and the share of users who click the links is recorded as a benchmark. Users then go through the training, after which administrators send further simulated phishing emails to measure the return on the training investment and to identify users who need more of it.
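Scoring such a simulation is where the benchmark comes from, so here is an added example of how a practitioner might compute it from a campaign event log. This is not KnowBe4's code; the event names (`sent`, `clicked`, `reported`), the log layout and the sample data are assumptions made for illustration. The example goes slightly beyond the article by also tracking the report rate, since a user who reports the lure is the outcome the training is actually trying to produce, and by listing users who clicked in every campaign as candidates for more training.

```python
"""Score simulated phishing campaigns from an event log.

Added example, not KnowBe4's code. Event names, the log layout and the
sample data are assumptions for illustration only.
"""
from collections import defaultdict

# Constructed sample log: (campaign, user, event). Raw events, so one user
# may appear several times per campaign (bob clicks twice in the baseline;
# frank has a click but no "sent" record, i.e. log noise).
SAMPLE_EVENTS = [
    ("baseline", "alice", "sent"), ("baseline", "bob", "sent"),
    ("baseline", "carol", "sent"), ("baseline", "dave", "sent"),
    ("baseline", "erin", "sent"),
    ("baseline", "alice", "clicked"), ("baseline", "bob", "clicked"),
    ("baseline", "bob", "clicked"), ("baseline", "carol", "clicked"),
    ("baseline", "dave", "reported"),
    ("followup", "alice", "sent"), ("followup", "bob", "sent"),
    ("followup", "carol", "sent"), ("followup", "dave", "sent"),
    ("followup", "erin", "sent"),
    ("followup", "alice", "clicked"), ("followup", "bob", "reported"),
    ("followup", "carol", "reported"), ("followup", "dave", "reported"),
    ("followup", "frank", "clicked"),
]


def _user_sets(events):
    """Per-campaign sets of recipients, clickers and reporters.

    Deduplicates per user: three clicks by one user are one clicker. A user
    who both clicks and reports lands in both sets, because the click has
    already exposed the organization while the report is still a useful
    signal. Events for users who were never sent the lure are dropped.
    """
    sent, clicked, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    for campaign, user, event in events:
        if event == "sent":
            sent[campaign].add(user)
    for campaign, user, event in events:
        if user not in sent.get(campaign, ()):
            continue  # no "sent" record for this user: treat as log noise
        if event == "clicked":
            clicked[campaign].add(user)
        elif event == "reported":
            reported[campaign].add(user)
    return sent, clicked, reported


def campaign_metrics(events):
    """Counts and rates per campaign; rates are fractions of recipients."""
    sent, clicked, reported = _user_sets(events)
    metrics = {}
    for campaign, recipients in sent.items():
        n = len(recipients)
        metrics[campaign] = {
            "sent": n,
            "clicked": len(clicked[campaign]),
            "reported": len(reported[campaign]),
            "click_rate": len(clicked[campaign]) / n if n else 0.0,
            "report_rate": len(reported[campaign]) / n if n else 0.0,
        }
    return metrics


def compare_campaigns(metrics, baseline, followup):
    """Change from baseline to follow-up. A negative click delta and a
    positive report delta are the result the training is meant to produce."""
    b, f = metrics[baseline], metrics[followup]
    return {
        "click_rate_delta": round(f["click_rate"] - b["click_rate"], 4),
        "report_rate_delta": round(f["report_rate"] - b["report_rate"], 4),
    }


def repeat_clickers(events, campaigns):
    """Users who clicked in every listed campaign: candidates for more training."""
    _, clicked, _ = _user_sets(events)
    sets = [clicked[c] for c in campaigns]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for name, row in m.items():
        print(name, row)
    print(compare_campaigns(m, "baseline", "followup"))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS, ["baseline", "followup"]))
```

One caveat a practitioner would add to the article's description: the baseline and follow-up numbers are only comparable if the lures are of similar difficulty. A follow-up that uses a much cruder lure than the baseline will show a drop in click rate that has nothing to do with the training.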
While I agree that some security training makes sense, not everyone agrees that more training is the way to go. You can read more about this alternative point of view in today’s editorial.