Your enterprise’s data is at risk. Your own employees may be pawns in the next threat from a highly skilled hacktivist, criminal or nation state. How are they equipped?
For several years now, the majority of digital attacks attempt to exploit the human factor through phishing attempts and related efforts. According to our Secureworks® 2018 Incident Response Insights Report, 42% of attackers gain entry from successful phishing scams, reinforcing the need for ongoing employee education. Malicious hackers and attackers seek to trick users into granting them access to a digital resource, long before they will try to hack their way in. Simply put: People are the weakest link in any organization’s cybersecurity defenses. And that’s why people are usually the first targets of cyber attackers who use tactics and tools such as ransomware, spear phishing, malware and social engineering.
In this article from security awareness training provider KnowBe4, the author explains why humans pose an even higher risk than software flaws and vulnerabilities. Thousands of people are easier to exploit at scale than finding a single software vulnerability to breach an enterprise business. People are also easier to compromise, especially if they lack proper training in the basics of network security best practices.
Even amid the recent rash of robots capable of opening doors and jumping onto rooftops, organizations rely on people as their primary resource for conducting business and interacting with customers. Of course, simple, repetitive tasks can be automated. But people will always be behind every automated task and on the other end of every phone call, email and chat session. And people represent the “human factor” in the crosshairs of cyber attackers. The only defense against such attacks is education — or in industry terms, “Security Awareness Training” — which falls squarely under the aegis of cybersecurity training.
Because of the rapidly changing environment and long list of vulnerabilities, security awareness training also cannot involve a one-shot approach or a “set it and forget it” program. Rather, in order to ensure the network security of any organization, cybersecurity training must be repetitive, updated and constantly tested.
Security Awareness Training starts with the organization’s acknowledgement that its employees are the weakest cybersecurity link. Conversely, they are also the first line of defense against cyber attacks. Security Awareness Training provides every employee with a fundamental understanding that there are imminent and ongoing cyber threats, preparing enterprise employees for common cyber attacks and threats.
Security Awareness Training generally consists of repetitive training and ongoing, sometimes random, testing in the following areas of exploitation. The most prevalent IT security threats (and thus the most up-to-date cybersecurity training) include:
- Spam. Not limited to direct email, spam is now one of the main methods of attack via social media. When someone “invites” you to connect on LinkedIn, for example, that invitation may arrive in your email, but its effectiveness is directly related to your trust of various social media sites. Cyber criminals can even embed password-stealing malware from a simple LinkedIn invitation.
- Phishing. Phishing is a common practice whereby hackers go after a broad target of users with emails that look genuine, but are actually intended to lead the uneducated user to click on dangerous links — possibly divulging usernames, passwords, personally identifiable information, even financial information. Phishing is akin to throwing out a wide net full of bait and pulling in whatever you catch.
- Spear phishing. While phishing schemes cast a wide net, spear phishing takes a highly targeted approach to attacking specific individuals. The most infamous spear phishing attack in recent history was on John Podesta, then-chairman of the Hillary Clinton presidential campaign. Spear phishing attacks target high-profile individuals or people with access to valuable digital assets. The email is usually hand crafted and uses all available information to make it read exactly like an actual email from a friend or colleague.
- Malware. Short for “malicious software”, malware refers to any type of software designed to cause harm to a device, such as viruses, rootkits, spyware, worms and Trojan horses. Advanced malware has a specific target and mission, typically aimed at an organization or enterprise. In 2017, the malware program known as WannaCry spread throughout the world, crippling hundreds of organizations.
- Ransomware. A type of malware, ransomware is used by attackers to extort money (or possibly other resources) from the target organization. In June 2017 NotPetya infected accounting software prevalent in Ukraine. It encrypts files on the drive, requests $300 in bitcoin, attempts to steal credentials from memory and attempts to propagate through the network using stolen credentials or exploits.
- Social engineering. This practice is simpler than it sounds. If you’ve seen the movie Catch Me If You Can, you’ve witnessed one highly effective example of social engineering. Tripwire assessed the most prevalent types of social-engineering attacks in 2015. At its core, social engineering occurs when one person fools another into giving up access to a resource. Social engineers use a variety of tools and resources to gain access to targeted resources, but the one-on-one direct attack remains the same.
The following two articles spell out the most important practices for security awareness training in corporate America today.
- Wombat Security – Security Awareness Training: Best Practices to Consider
- Infosec Institute – The Components of a Successful Security Awareness Program
The two articles overlap to a certain extent; however, each offers a unique strategy to create a culture of security within an organization. These cybersecurity best practices include:
- Complying with all local and federal laws and regulations
- Getting everyone on board — the entire organization, all or nothing
- Establishing a required baseline of assessment
- Creating a system of very clear communication about the program
- Making the training intriguing and at least a bit entertaining
- Enforcing, reviewing and repeating. No “set it and forget it” or “one and done”
- Creating a culture of reinforcement and motivation for constant vigilance and learning
These seven points might be used as something of a template or starting point for developing your organization’s security awareness education program. Every organization’s individual needs are unique; however, the goals for any security awareness training program are usually quite similar.
The reasons behind developing your own security awareness program for employees are best understood in the simplest of terms: security. If your organization holds or has access to sensitive data, then the security of that data is paramount to your organization’s success and future. And because people are the most common target of hackers, it is essential for employees to have proper training to recognize the threats to the organization. That’s the reason for creating, growing and maintaining a solid security awareness training program for your employees.
The goals and objectives will — or should — serve to uphold the reason for creating the program. It is at this point that your goals and objectives for your organizational program will be unique to your organization. The ultimate goal should be 100% awareness of every threat that exists to your organization’s electronic data and computer network. But you have to start somewhere, with that goal in mind at all times.
In the beginning, the goals should be simple: creation, delivery and evaluation. Over time, the ongoing quarterly and annual goals of the program will become more directly tied to the frequency and severity of actual incidents that occur within the organization. Criminal cyber hackers are constantly seeking new methods to exploit the weaknesses in any organization, and your security awareness program will often be reacting to the latest successful exploit within your industry or market space.
The steps below can serve as a general roadmap for starting your organization’s unique security awareness training program.
- Identify your organization’s security requirements as they apply to individual employees.
- Determine how best to deliver the training, e.g., in person, video, online, hands-on, etc.
- Create the appropriate content for the desired training medium. This content is the training curriculum, to be delivered by a respected security professional within the organization. Material can range from free security awareness training posters and email phish testing software that trains and evaluates employees, to on-site training presentations and testing.
- Set expectations for all employees as to the requirements, timing, delivery, method and expected results.
- Schedule multiple training sessions according to general availability of the organization’s employees, with the understanding that every employee has different daily priorities and that exigent circumstances happen in people’s lives.
- Deliver the training according to the expectations set prior to and during scheduling.
- Capture feedback on the training itself from as many employees as possible.
- Conduct post-training assessments of all employees to determine how effective the training was.
- Re-evaluate the training and training medium for effectiveness, and adapt accordingly. Security training is not a “set it and forget it” approach. Both the curriculum and employees must be updated constantly and regularly.
- Correlate the implementation of training with the frequency of security-related incidents to determine the practical impact on the organization’s security health.
It’s important for employees to have a positive experience for such a requirement. Otherwise, the training will be seen as a necessary evil instead of a vital means of protecting the organization’s brand and health.
Pretend that all of the organization’s data security protocols are open to the public because the people who have direct access to the data are not properly trained in data security. If your employees don’t know how to assess security risks and determine potentially dangerous traps, your company could be in serious trouble.
That’s why it’s very difficult to predict or produce a reliable ROI on such training. And unless the organization has the actual data to back up such a claim, it would be erroneous to assume that, just because training exists, the organization cannot and will not be compromised. As security awareness training is implemented and evaluated, over time, it’s possible to draw a correlation between effective training and reduced security-related incidents.
Ivan Dimov of the Infosec Institute gathered these insightful statistics on effectiveness of security awareness training from a variety of sources:
- 50% of internet users receive at least one phishing email daily, 97% of people cannot identify a phishing email, and 4% of people actually click them.
- 42% of respondents to a US State of Cybercrime Survey asserted that security awareness training of new employees helped to deter attacks.
- The same report indicated companies without security awareness training for employees suffered 322% higher financial loss from cybersecurity incidents.
Unlike ROI, the effectiveness of security awareness training can be measured in a straightforward way. Use security awareness training software that provides testing, such as Wombat. A monthly 15-minute training session can be followed up with simulated phishing emails throughout the month. The phish testing software should provide performance reports so that you can measure improvements in employee behavior as training progresses.
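As an added illustration of the measurement the paragraph above describes, the script below is example code written for this article, not Secureworks’, Wombat’s or any other vendor’s reporting software. It takes a constructed export of simulated-phishing results (the CSV columns, campaign names and user names are all assumptions) and computes the per-campaign click rate and report rate, how both changed from the first campaign to the latest, and which users clicked in more than one campaign.

```python
"""Measure awareness-training effectiveness from simulated-phishing results.

Example code for this article; it assumes the phish testing tool can export
one row per simulated email with the columns shown below.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data): one row per simulated email sent.
# clicked/reported are 1 or 0; a user who reports the email did not fall for it.
SAMPLE_CSV = """campaign,month,user,clicked,reported
Q1-invoice,2018-01,alice,1,0
Q1-invoice,2018-01,bob,1,0
Q1-invoice,2018-01,carol,0,1
Q1-invoice,2018-01,dave,0,0
Q2-linkedin,2018-02,alice,1,0
Q2-linkedin,2018-02,bob,0,1
Q2-linkedin,2018-02,carol,0,1
Q2-linkedin,2018-02,dave,0,0
Q3-password,2018-03,alice,0,1
Q3-password,2018-03,bob,0,1
Q3-password,2018-03,carol,0,1
Q3-password,2018-03,dave,1,0
"""


def parse_results(text):
    """Parse the CSV export into a list of dicts with boolean clicked/reported."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "campaign": row["campaign"],
            "month": row["month"],
            "user": row["user"],
            "clicked": row["clicked"].strip() == "1",
            "reported": row["reported"].strip() == "1",
        })
    return rows


def campaign_metrics(rows):
    """Per campaign (ordered by month): emails sent, click rate, report rate."""
    stats = defaultdict(lambda: {"month": None, "sent": 0, "clicked": 0, "reported": 0})
    for r in rows:
        s = stats[r["campaign"]]
        s["month"] = r["month"]
        s["sent"] += 1
        s["clicked"] += int(r["clicked"])
        s["reported"] += int(r["reported"])
    metrics = []
    for name, s in sorted(stats.items(), key=lambda kv: kv[1]["month"]):
        metrics.append({
            "campaign": name,
            "month": s["month"],
            "sent": s["sent"],
            "click_rate": round(s["clicked"] / s["sent"], 3),
            "report_rate": round(s["reported"] / s["sent"], 3),
        })
    return metrics


def trend(metrics):
    """Change in click and report rate from the first campaign to the latest.

    A negative click_rate_change and a positive report_rate_change together
    indicate that training is changing behaviour in the right direction.
    """
    first, last = metrics[0], metrics[-1]
    return {
        "click_rate_change": round(last["click_rate"] - first["click_rate"], 3),
        "report_rate_change": round(last["report_rate"] - first["report_rate"], 3),
    }


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns.

    These are the people to prioritise for targeted follow-up training.
    """
    clicks = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            clicks[r["user"]].add(r["campaign"])
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_CSV)
    for m in campaign_metrics(rows):
        print(f"{m['month']} {m['campaign']:<14} sent={m['sent']} "
              f"click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    print("trend:", trend(campaign_metrics(rows)))
    print("repeat clickers:", repeat_clickers(rows))
```

Tracking the report rate alongside the click rate matters: a falling click rate alone could mean people are simply ignoring email, whereas a rising report rate shows employees are actively recognising and escalating suspicious messages. The repeat-clicker list turns the report into an action item for the next round of training rather than just a number.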