Your own employees could be your IT security’s downfall, and education might be the solution.
When it comes to security, the long-standing saying that education is the great equaliser often tends to be put on the back burner. Organisations focus on technology rather than addressing a common root cause—people. While security issues cannot be addressed without technology, organisations also need to consider how education can address the people problem.
There are multiple aspects to the people problem. First, end users are easy targets: common attacks use the browser or email to dupe victims, after which attackers compromise their systems and gain access to corporate networks and digital assets. One such technique is malvertising, which infects victims in the course of their normal Internet browsing without their necessarily even clicking on the advertisement. In fact, according to Cisco’s 2015 Annual Security Report, the volume of malvertising has increased sharply over the past few years. In 2015, the volume increased by 250 per cent.
Attackers also send spam emails incorporating social engineering techniques so that they appear to be sent by well-known companies or other trusted sources but contain links to malicious sites, and they distribute third-party applications laced with malware through popular online marketplaces.
Secondly, users often ignore strange behaviour on their machines because getting IT involved is an inconvenience and a disruption to work. Endless browser pop-ups, inability to visit certain websites, or anti-virus software that won’t run or update are all possible indicators of compromise. While a corporate PC is being fixed, users will sometimes turn to “shadow IT” systems like personal email accounts, cloud applications and storage, USB drives and mobile devices, often disregarding corporate policy to “get their job done.” The net result is that users either delay responding to warning signs, or default to insecure systems when secure ones are not available.
The third aspect relates to the actual defenders. It is widely acknowledged that the Australian IT industry is faced with a serious talent shortage, with the number of cyber security jobs in the country far exceeding the number of skilled professionals. Consequently, many organisations struggle to attract and retain enough skilled cyber security professionals to maintain a strong security posture and keep up with rapidly developing and evolving threats. To address these weak links we need to consider training at all levels and across the organisation. This can also be done in three steps.
It starts with continuously educating users on safe habits to ensure they know how to recognise and discard potential malware. Users must also understand when and how to inform the organisation of any suspicious occurrences so that future attempts can be minimised and/or blocked. Raising awareness and offering simple suggestions, such as hovering over a link without clicking to view the intended URL or not opening attachments you didn’t request, as well as empowering users with access to channels and processes designed to ensure timely assistance when something is wrong, can go a long way in the fight against cyber attacks.
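As an added example (not code from the original article), here is the “hover over a link to view the intended URL” check expressed as a small Python routine: it parses an HTML email body and flags anchors whose visible text names one domain while the href actually points to another. The HTML snippet it runs on is constructed for illustration.

```python
"""Flag links whose visible text advertises one domain while the href goes
elsewhere: the automated form of "hover before you click". Added example."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches a bare domain or URL inside the link's visible text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def host_of(url):
    """Return the lower-cased host part of a URL, or '' if it has none."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def same_site(a, b):
    """Treat hosts as the same site when one equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Return (href, text) pairs where the text names a domain that does not
    match the href host, i.e. the link does not go where it claims to."""
    p = _LinkCollector()
    p.feed(html_body)
    flagged = []
    for href, text in p.links:
        m = DOMAIN_RE.search(text)
        if not m:
            continue  # plain wording like "click here": nothing to compare
        shown, actual = m.group(1).lower(), host_of(href)
        if actual and not same_site(shown, actual):
            flagged.append((href, text))
    return flagged

# Constructed sample body: the first link is honest, the second lies about its target.
SAMPLE = ('<p>Visit <a href="https://www.example.com/login">example.com</a> or '
          '<a href="http://login-example.invalid/x">https://www.example.com/verify</a></p>')
```

Running `suspicious_links(SAMPLE)` returns only the second link, which is exactly what a user would notice on hovering.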
Many organisations routinely send fake phishing emails to users and monitor who responds, then train those users on how to identify email scams. These campaigns can be indiscriminate or targeted to certain classes of high-risk users like IT administrators, executive assistants with delegated rights for senior executives, or code developers. It is interesting to note that click rates on scam emails can be very difficult to lower—in fact, many organisations struggle to lower the click rate to less than 12 to 14 per cent.
Ultimately, user awareness and training is a cost-effective mitigation strategy, but is not a silver bullet. Users remain a prime vector of attacks and will open emails, click links, and visit websites they shouldn’t. This is reality and organisations need to have business-as-usual security capabilities to rapidly scope, contain, and remediate successful attacks. Sadly, operational security has traditionally received less attention and funding relative to new technology. Security assessments reveal that the root cause of many security problems is a lack of operational maturity or capabilities that lead to weak or non-existent security controls. Operationalising security involves continually improving practices based on a holistic view of risks.
Making security a highly standardised and measured business process can improve security operations maturity. This requires that security and business leaders understand how to engage in productive dialogue to continuously assess and take action. However, there is a tendency for business units to view security as solely an IT problem. One technique for changing such mindsets is for business units to have their own security function and staff that share reporting lines with IT security in a hybrid model. This way, IT security resources are deployed in ways that avoid unacceptable risk and translate into business value.
Organisations must also be committed to keeping IT security staff highly trained on the current threat landscape and advanced approaches to security. Not only does this help increase security effectiveness, but it also helps engage and retain cyber security talent. Ongoing professional development focused specifically on identifying an incident, classifying it, and containing and eliminating it will help keep security teams aware of the latest techniques used by attackers to disguise threats, exfiltrate data, and establish beachheads for future attacks.
There are many different types of weak links in the systems and processes we use. Fortunately, there are also many different things we can do to reduce their number and effects. Rather than instinctively turning to technology first and foremost as the great equaliser, we must remember that security is a people problem and look to education as well. By doing so, organisations are in a much better position to lower risk and unlock the value in their technology investments at the same time.