Author: Stephen Gates, Chief Research Intelligence Analyst, NSFOCUS
In my travels around the globe, I am often asked what strides an organisation should take in order to measurably reduce their exposure to cyber threat actors, and their relentless cyber-attacks. Deploying the right security technologies obviously makes good sense. However, no matter how much security technology you deploy, it will never completely replace good common sense. Most cyber-attacks that result in data theft involve the human element, and the dreaded “click”. That is, the act of an employee being fooled by a phishing E-mail and “clicking” a link or attachment that installs malicious software without detection. Reducing this single liability would serve to improve anyone’s defensive posture. Here are my recommendations on how to solve this problem.
Implement Attack Awareness Training for All Employees
Begin with deep-dive training on how cyber-attacks work. Few employees, if any, actually understand the difference between a virus, worm, Trojan, exploit, vulnerability, phishing, smishing, drive by, malvertising, adware, spyware, and ransomware attacks. Educating employees about how cyber-attacks work builds awareness to the constant risk they face from cyber threat actors. If the training is done right, using real-world examples and hands-on scenarios, the likely results would be better educated employees and team building as well. Two benefits for the price of one.
Second, include training on the motivations and tactics attackers utilise and what they are likely to target. Most attackers are motivated by money and understand that gaining access to sensitive data is often like hitting the mother lode. Employees need to recognise the value of sensitive data and understand that it must be protected at all costs. One simple click is all that is needed to compromise a system, gain access, and move laterally in an organisation. Your click may have opened up the passageway for entry into your network. Employees are often the catalyst that results in a data breach.
Implement a No-Punishment Policy
Many cyber-attacks go unnoticed because employees are less than motivated to report suspicious activity on their computers, accounts, and data. Often an employee clicks, something strange happens on their computer, and they’re afraid to report it due to a host of different reasons. Fear of feeling imprudent, the backlash of public ridicule, the violation of Internet usage policies, and other negative outcomes thwarts the sharing of important intelligence. Institute policies that actually reward employees for coming forward, reporting questionable activity, grabbing screen shots, and sharing the steps that were taken during a suspected hack. This valuable intelligence will help security and forensics teams in their investigations as well as limit the potential damage of the hack.
Monitoring Your Results
Monitoring employees does not often provide the intended result. People try to enforce policies, but they end up looking like the computer police. No one likes to be monitored while online. Instead, set up a test “attack process” with different scenarios. Phish your own employees to see if they’ll click. Tell them ahead of time to expect an attack, and remedial training will be required if they fall for one. If they don’t fall for it, and report the attempt appropriately, publicly reward them for being prudent. Soon you will have employees that are part of the solution, and no longer part of the problem.
