We are now more than halfway through the year, and what a crazy half it has been, both in terms of the global pandemic and the volatile climate the cybersecurity industry finds itself in.
We wanted to find out what trends had been seen, how organisations should go about keeping security a priority, what impact Covid-19 will have, and why a strong security culture matters during this time of uncertainty. To help us answer these questions, we were joined by KnowBe4’s security awareness evangelists. KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform, so they are best placed to give the necessary insight into phishing trends, which is where we started the Tweet Chat. The evangelists were certainly happy and eager to get started…
Current mood #AskKB4 https://t.co/lQk3tRfxp7 pic.twitter.com/27dNcNccMT
— The Javvad Malik A.I. (@J4vv4D) July 29, 2020
Noticeable trends and surprise tactics used by Hackers
A1: Ransomware and data breaches have held steady, with the recent ShinyHunter data leaks due to phishing attacks. Phishing will not go away until more organizations provide training and this attack vector is no longer successful for the cybercriminals #AskKB4 #phishing https://t.co/fQL4mL11jJ
— James (@James_McQuiggan) July 29, 2020
Nearly every trend has been linked to the 'rona. The impromptu "digital transformation", wfh, attacks against home workers and home infrastructure, lots of misinformation. #AskKB4 https://t.co/WA4w1HKhaa
— The Javvad Malik A.I. (@J4vv4D) July 29, 2020
A2: I thought the Android ransomware being spread as a Canadian COVID tracing app was interesting. The Canadian govt said they were making one and scammers fired up pages that looked legit and took advantage. Clever #AskKB4 https://t.co/MGDS5vdYv0 pic.twitter.com/kvo8LbbkNs
— Madsqu1rrel (@ErichKron) July 29, 2020
A2: Not a particular scam... but I do notice the bad guys becoming more bold and blatant in their approach. And they don't really need to be inventive (unfortunately). BEC type scams, for instance, have been around for ages and are still the same #askkb4 https://t.co/QIrREaNmBn
— JellySandwich (@JelleWieringa) July 29, 2020
Will we see a rise in DeepFakes?
We then moved on to the impact the pandemic will have, given that face-to-face contact will be limited for the time being, and how criminals will leverage this for their own nefarious means…
A3a: #Deepfake attacks are still developing and take too much time and effort to be used in commodity types of attacks, only high-value targets. Frankly those are still easier to get without all the deepfakery right now #AskKB4 https://t.co/PDlmy1qXDh
— Madsqu1rrel (@ErichKron) July 29, 2020
A3b: To avoid being impacted, make sure your processes are set up and people trained to require an out-of-band confirmation, such as calling someone on a known good phone number, before transferring money or sensitive info #AskKB4 https://t.co/PDlmy1qXDh
— Madsqu1rrel (@ErichKron) July 29, 2020
A3: As for voice and text phishing, this is far easier to set up and execute. And since a lot of users still find it hard to determine whether something is a fraudulent text or voice message, there are plenty of opportunities for the bad guys to be successful with this. #askkb4 https://t.co/yCzfyrbDxU
— JellySandwich (@JelleWieringa) July 29, 2020
A3: With their “hacker toolboxes”, cybercriminals vary attack vectors to get folks to be convinced of the event – #SMSing or #Vishing to convince people of bank changes, account passwords and click the link, phone the number #AskKB4 https://t.co/frJ0FMHJ1x pic.twitter.com/RfCgdkkaDE
— James (@James_McQuiggan) July 29, 2020
Humans will continue to be important
We then turned the discussion to the vital role the human workforce plays in keeping organisations safe, especially when facing the out-of-the-ordinary threats seen today. Technology will always have its place in cybersecurity, but the importance of the human factor cannot be overstated. Yet this also raises the question: how much should be spent on technology vs training?
A4: Humans have always been a huge part and this has only highlighted that as they work from home with fewer technical controls and tools at their disposal. It’s important to realize that it is not their fault, but they ARE the ones targeted so often and get beat up #AskKB4 https://t.co/lI38Yf1nii pic.twitter.com/oCPql9qPtO
— Madsqu1rrel (@ErichKron) July 29, 2020
70%-90% of malicious breaches are due to social engineering humans, so helping the humans make better security decisions is THE best defense you can implement. #AskKB4 https://t.co/2LJ6JAx9lz
— Roger A. Grimes (@rogeragrimes) July 29, 2020
While I believe investing in the human workforce is vital, it's equally important for organisations to understand where tech controls are effective and appropriate, where procedures are needed, and where and when to invest in humans, and the limitations of each. #AskKb4 https://t.co/MPMNe2QA8d
— The Javvad Malik A.I. (@J4vv4D) July 29, 2020
A6: The money needed for annual training is a drop in the bucket compared to the money spent on technology. The training budget is the first cut when it comes to budget cuts for organizations. Provide education & training for the employees vs the cost of a new blinky box #AskKB4 https://t.co/4RHkC0lGDJ pic.twitter.com/9lQbLz6qeY
— James (@James_McQuiggan) July 29, 2020
A6: That depends on where they are now and how much ground they need to make up in one area or another. It also depends on the types of attacks they experience. I suggest using the approach @rogeragrimes takes in his Data-Driven Defense book #AskKB4 https://t.co/Kv7RzhqSuy
— Madsqu1rrel (@ErichKron) July 29, 2020
Digging deeper into the training aspect of security: many may overlook the significance of security awareness in the overall protection of an enterprise. Is there a perception that security awareness training is not necessary?
Yes. It may surprise some people, but we still get a small % of people questioning its value at all. And we say just look at the data…anyone's data. Good security awareness training significantly reduces risk of compromise and I don't care whose data you use. #AskKB4 https://t.co/mXl3m0Ohpq
— Roger A. Grimes (@rogeragrimes) July 29, 2020
A7: I think a lot of organizations do value it. But find it hard to execute properly. Therefore, they go for the (easier?) technology angle. Showing them (through data) the need AND the value in security awareness is the way to go to convince them. #AskKB4 https://t.co/KFNRvwro2I
— JellySandwich (@JelleWieringa) July 29, 2020
It also created a discussion amongst the evangelists as can be seen in this thread:
The money needed for annual training is a drop in the bucket: Not always
The training budget is the first cut when it comes to budget cuts for organizations: Any evidence to support this? #AskKb4
— The Javvad Malik A.I. (@J4vv4D) July 29, 2020
Surviving the current waves of cyberattacks requires a strong security culture. This should be paramount, but who within an organisation should be leading the way for this approach, and how can one measure whether they actually have a solid security culture foundation?
A8: It has not only to be talked about by leadership, but demonstrated as well. From the C-suite to line managers, it is important that leadership publicly demonstrate a proper security culture. #AskKB4 https://t.co/tdEjYWocMM
— Madsqu1rrel (@ErichKron) July 29, 2020
In an emergency or new event, most people revert to what they have been trained to do. So, training, no matter how you do it, is important to do. You just need to make sure the training is well done and relevant, however you do it. #AskKB4 https://t.co/rOU3MSE8c5
— Roger A. Grimes (@rogeragrimes) July 29, 2020
Use such metrics as "how many incidents have occurred or been prevented", using a Phish Prone Percentage of the employees. Create different scorecards for different roles, C-Suite, Finance, Developers, R&D, Service etc. #AskKB4 #scorecards https://t.co/WsFOO7pPFT
— James (@James_McQuiggan) July 29, 2020
Lastly, we moved on to password security.
We continuously read about poor password practices, whether it's password reuse or sharing a password with another person. So, has the password become obsolete, or is there a future for this common layer of security?
A10: Every organisation needs to provide their employees with a password management application, just like applications for spreadsheets, email and databases. Add it to their corporate policies and require the use of it. People can learn it, like email and browsers. #AskKB4 https://t.co/WsFOO7pPFT
— James (@James_McQuiggan) July 29, 2020
If you agree or disagree or wish to continue the discussion, feel free to reach out to the Guru or any of the KnowBe4 evangelists on Twitter with your thoughts.