Security Awareness Training Should Be a Top Priority for Every Organization
People Can Be Your Weakest Link or Your Best Defense
If someone says “social engineering”, you may think of something that an event planner would be doing when organizing a gathering or a marketer utilizing the science of gamification to increase loyalty of a brand through social media outlets or product websites. The reality is that it is no game at all, unless you are a cyber criminal looking to exploit one of the most vulnerable attack vectors of an organization: people.
Security is a combination of people, processes, and technology—and while they work in concert to protect an organization’s intellectual property, sensitive personally identifiable information, or finances, the people component has proven to be one of the weakest links in an organization’s security posture. The US Department of Homeland Security insists that securing the workplace is everyone’s responsibility. Adhering to acceptable use policies; following security policies established by administrators, such as password management; and not using non-sanctioned and non-sanitized USB drives are but a few things that employees can do to participate in the security of their work environment.
The COVID-19 pandemic has turned the cyber world into the wild west, praying on the vulnerabilities of fallible humans. The FBI indicates that cyber-crime is up as mush as 300% and phishing kits sold on the dark web are up as high as 62%. Yes, I said “kits.” Hacking has gone wholesale folks. I learned at a security conference session that on that darkest of webs exist brokers who sell ransomware as a service (RaaS). Hand over the bitcoin and they do the rest. A Palo Alto Networks research team found that more than 86,600 domains of the 1.2 million newly registered domain names were registered containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020.
So where does this leave us? The innocent knowledge worker at thousands of organizations of all sizes and industries is in a state of vulnerability, that’s where. Especially in the age of distributed workforces with people working from offices and at home.
The 2020 Verizon Data Breach Investigative Report (DBIR) indicates that social actions arrived via email 96% of the time and, of those actions, 90% were phishing attacks. So what is phishing? Phishing is just one a whole family of social engineering tactics that includes smishing (SMS text), whaling (targeting executives), spear phishing (targeting a trusted source), vishing (phone scams), as well as business email compromise ( hi-jacks the corporate email account to defraud the company and its customers). Most of you probably see phishing emails every day in your personal and even company inboxes telling you that your account security needs attention, or that you must log into a website to download a security update. I get emails from banks that I do not affiliate with, prompts to download my receipt from a purchase I never made—the list goes on and on.
So what can business leaders do to create a workplace culture that minimizes risk?
Training, education, and more training. People don’t know what they don’t know. Security awareness training is not a one and done strategy. It requires computer-based simulation campaigns and constant reminders in the ways of posters, testing, and gamification with rewarding astute workers. The content should be refreshed constantly with the different types of false mediums (web pages, social media pages, emails, etc.) so that complacency does not set in.
These campaigns are designed to be examples of real-world scenarios where the participant reactions can and must be measured. There are several ISVs that market social engineering training platforms (some better than others). They are typically subscription SaaS based models and some even will design, execute, and measure the campaigns for you. This is especially popular with SMBs who may not have the resources to administrate the DIY versions.
Bottom line: develop a “no click” policy. Teach employees what to look for, to verify, and then trust. It can be as simple as picking up the phone and asking the sender if they did indeed send them an important attachment, or even just the email. Some of the biggest data breaches in our recent history were the result of someone falling for a phishing campaign (the US Power Grid, Sony Pictures, Target, J.P. Morgan Chase, and many more).
So whether you are a manufacturer, service provider, healthcare institution, school, or any other type of organization, investing in educating your people about social engineering can make the difference in minimizing your exposure to fraud and maleficence or falling prey to a catastrophic security breach.