When Basic Security Training MIGHT Be Enough
When there are people who still open attachments willy-nilly, who click on links with reckless abandon and who let their guard down even though legitimate-looking emails can potentially be fraudulent, companies need to do all they can to ensure that workers are cybersecurity aware.
According to previous research from Trend Micro, some 91% of cyberattacks originated with a spear-phishing email – a type of phishing attempt where bad actors target a certain company in a bid to obtain confidential information. The successful misappropriation of confidential data is really just the beginning of woes since the obtained information can then used to gain access to the targeted company’s network – and this can ultimately lead to a targeted attack.
So with this in mind, is there ever a situation where basic security training might be enough? If the opinions of the experts that InfoSec Institute recently spoke to are any indication, the answer is pretty clear.
Jeff Reich, chief security officer at Barricade, says that his general answer to the aforementioned question is, “No.” After all, there’s a lot at stake, and a look at some of the companies that have fallen victim to cyberattacks shows that workers need the right skills to avoid getting reeled in.
“The reason I think there’s a big gap is the people who feel that security isn’t their job say, ‘Hey we have security people. They should be taking care of this,'” he says. “And the security people say, ‘Well I have all these tools and the stupid users often get in the way.’ So awareness doesn’t make users not stupid. In my opinion, most of them are not stupid. I’m sure there are some, but most are not stupid.”
Experts like Reich and Cyber 360 President Mark Aiello stress that companies need to take security awareness training seriously so that all staff have the awareness and the skillset needed to make the right decisions when they encounter the phisher’s bait. And fortunately there are tools available that businesses can use to find out which workers might need more instruction.
‘Year of Mega Breaches’
Earlier this year, Ponemon Institute referred to 2014 as a year of mega breaches. Beginning with the Target attack late in 2013 and concluding with the debacle at Sony Pictures, 2014 provided some eye-opening examples of what can happen when cybersecurity awareness isn’t up to snuff.
Ponemen’s 2014: A Year of Mega Breaches study, sponsored by Identity Finder, reveals measures that business are implementing to strengthen their security strategies. Not surprisingly, 60% of respondents note that they are conducting training and awareness programs.
Everyone will be a Target at Some Point
According to Aiello, people need to realize and to accept that everyone will at some point be a target.
“In some cases you’re a target every single day,” he says. “I look at the statistics of the hits we get on our website. All of our work is in the domestic U.S., and I am amazed at how many different countries hit our website every single day. I find utterly amazing. There’s no reason for Russia or the Ukraine or China to be hitting my site, but they hit our website every single day. I don’t think they’re just curious about who we are and what we do. I think the name of our company means something, and they’re [looking] around to see if there’s anything out there that’s valuable to them.”
Once people understand that they will eventually become a target, they need to apply not only common sense, but also a significant level of skepticism when they receive emails.
“If you don’t know who it’s from, then don’t click on it, don’t download it,” says Aiello. “Only click on the link if you know that this is coming to you and you know the sender. And knowing the sender is not always safe because they’ll spoof who the sender is and you’ll think that it’s a trusted source and then you click and you learn the hard way that it isn’t.”
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
He adds that he has a system in place to avoid falling prey to spoofed emails. Whenever he unexpectedly receives messages containing attachments and/or links from the email addresses of people he knows, he reaches out to the supposed sender in order to verify whether or not the emails are legitimate.
Knowing How Much Training to Provide
While Reich says that training should depend on the job title and the background of the employee rather than on whether or not people are prone to clicking on links, Aiello notes that it makes sense for employers to know which workers have a tendency to, for instance, indiscriminately click on links — so that those workers can be given more training
One way that companies can get a feel for which employees are susceptible to taking the bait dangled by phishers is a solution developed by PhishMe, says Aiello.
PhishMe has developed a phishing threat management solution that:
- Prepares employees to be more resilient and vigilant against targeted cyberattacks
- Empowers employees to quickly report suspicious emails to the internal security teams
- Provides incident responders with the ability to effectively prioritize, analyze and act on suspect-email reports detected by users — producing actionable intelligence that can be integrated with and employed by an organization’s existing security infrastructure and analytics capabilities.
“Curiosity is a human weakness,” adds Aiello. “It doesn’t matter if you’re four years old or 85 years old, and it doesn’t matter what your role is within an organization. People are curious. Everyone is susceptible to that. It’s a human weakness. It happens to all of us. Sometimes we click on something we shouldn’t.”
The Smarter the Company…
Gaining awareness about the problem is one thing, having the skillset needed to combat the problem is another. Reich says that workers who understand the tools they use, the inherent vulnerabilities of these solutions and the value of the information that they’re accessing won’t need as many tools as workers who have awareness but who lack knowledge.
“They need more tools and maybe better fences,” he says. “So the smarter a company is, the fewer security tools you need, which means your security budget should be smaller. So where would you rather make your investment – a smart company or more security tools? Awareness doesn’t get you to smart – it only opens the door.”
Pulling Out All the Stops
With so much at stake in the battle to safeguard corporate networks, the last thing companies should be thinking about is providing just a minimum of security training.
Phishers pull out all the stops to achieve their objectives, so companies should be just as diligent in ensuring that workers are equipped with the skills they need to avoid getting reeled in.