I was asked a really interesting question in an interview yesterday: given a budget, which areas of security spending produce the greatest and the worst (or negative) ROI?
my answer:
positive: SSO/OAuth, hardware keys
worst: DAST, DLP, honorable mention to poorly configured IDSs
what’s your answer?
Posted by april@macaw.social
@april positive: yearly security training, SAST, SCA, patching
worst: random phishing "tests"
Of course, in order to get a lot of those positives, you need proper policies with enforcement. SAST/SCA can be a huge plus, but only if their use is enforced.
Posted by XenoPhage@infosec.exchange
@XenoPhage
@april
That's odd. I haven't been on the IT/cybersecurity career path for over a decade now, but as a user with SOME background in the field, I thought the phishing tests at my company have been very good outreach to users about taking security threats seriously.
I'm guessing our disagreement stems from a difference in perspective, so I'm curious to hear more about your thoughts on the practice.
I do know that a couple of my phishing attempt reports have gotten exasperated "This is official communication from our company..." in response, to which my obvious retort is "Then why does our official communication look so much like phishing?"
Posted by squeakyears@meow.social
@squeakyears @XenoPhage @april
You can train people to be good at the game of "spotting emails from our training partner", but in my experience that doesn't translate very well into real-life situations.
If you are interested in the literature, check these:
Benjamin Reinheimer et al., An investigation of phishing awareness and education over time: When and how to best remind users, 2020
Daniele Lain et al., Phishing in Organizations: Findings from a Large-Scale and Long-Term Study, 2021
Posted by weddige@gruene.social
@squeakyears @XenoPhage @april In summary: most people forget really quickly (repeat every 4-6 months), some people never learn, and the exercises even have negative side effects.
My recommendation: basic security awareness ("bad people exist"), crowd-sourcing the phishing detection (a report-phishing button and someone who reacts to the reports quickly), and every technical measure that helps ensure your users don't even have to deal with phishing themselves.
Posted by weddige@gruene.social
@weddige @squeakyears @april Yes, totally agree here.
Posted by XenoPhage@infosec.exchange