# The answer is (sic) to not trust humans in the first place.



## Phishfry (Nov 25, 2017)

Some good cyber security advice.
https://hbr.org/2017/11/more-training-wont-reduce-your-cyber-risk


----------



## ShelLuser (Nov 25, 2017)

Those trainings serve only one goal: creating more revenue for the people who hold those trainings.

Worse yet: they (generally speaking) only cover very broad topics. If people already have issues trying to understand these topics, then how on earth are they going to relate the topics mentioned in the training to the things they normally do at work?

Most of all I believe that these kinds of instructions should be a job for the IT department. Because in a normal situation the IT department should be well aware of the way things work and go.


----------



## Phishfry (Nov 25, 2017)

I do like the military response to clicking. Plain text emails.

Not sure about those Facebook things or even Google backend for email security recommendations.

All this cloud reliance is unwise.


----------



## ronaldlees (Nov 25, 2017)

Phishfry said:


> All this cloud reliance is unwise.



+++!


----------



## tingo (Nov 26, 2017)

Security needs both belts and braces, not just one or the other. And you must keep up every day; you can't just spend some money every few months and figure you are covered for that period.

But training / raising awareness helps, if done the right way. Just giving people courses (or videos to watch) without checking what they have learned afterwards isn't the right way.


----------



## aragats (Nov 26, 2017)

Phishfry said:


> I do like the military response to clicking. Plain text emails.


The problem is that many email clients *create* actual links out of the textual strings starting with _http(s)_ or even _www_.


----------



## Phishfry (Nov 27, 2017)

You should file a PR about that.
It sounds like a serious security defect.
Just Kidding. I know you have to deal with the PHB.


----------



## aragats (Nov 27, 2017)

Phishfry said:


> You should file a PR about that.
> It sounds like a serious security defect.
> Just Kidding.


Actually, no kidding, you're right, they should provide such an option.
For example, Thunderbird already has _Display->Plain Text Messages->Display emoticons as graphics_.
So, that will be another option in the same section of preferences.


----------



## Phishfry (Nov 27, 2017)

tingo said:


> But training / raising awareness helps, if done the right way. Just giving people courses (or videos to watch) without checking what they have learned afterwards isn't the right way.


The place I work at has been sued for Racial Discrimination and Sexual Harassment several times over the last few years and every time after they settle we get e-mail and texting training. Plus they make us sign threatening forms about computer usage.

You really can't train someone to not be a racist or harasser. So the question remains: why don't they just get rid of the people instead of training?
Same with habitual phish clickers. You can only train a person so much... Humans have our defects.


----------



## Phishfry (Nov 29, 2017)

What blows my mind is intelligence agencies are using the cloud.
https://www.cnet.com/news/nsa-breach-spills-over-100gb-of-top-secret-data/

_*"It's stuff used to target people for death, and it was all available in a URL."*_


----------



## aht0 (Nov 29, 2017)

They have a need, budgets and their own beancounters I assume. So they compromise and it blows back into their faces.


----------

