Understanding best practices around shared login credentials is still a struggle for most employees.

A new report has found that the number one cyber-security related problem area for end-users within organisations is a lack of understanding around protecting confidential information. They study claims that employees particularly struggle to understand best practices around shared login credentials. With high-profile data breaches only growing in number and scale it is critical that end users, as the last line of cyber-defence within an organisation, understand how to protect sensitive information. A positive outcome from the report was that all industries are getting better at understanding how to identify potential phishing attacks – this is critical because if cyber-security technologies are not 100% fortified, all it takes is one click to become ensnared by ransomware. We spoke to Amy Baker, VP at Wombat Security Technologies, the company behind the report (titled 2017 Beyond the Phish) for more insight into the study’s findings.    

1. The Director of the NCSC (National Cyber Security Centre) recently stated “Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That’s stupid! They cannot possibly be the weakest link.” What’s your take on this?  

With all due respect to the NCSC Director, we actually think that cybersecurity professionals are right about this — though our views on it are likely to differ vastly from theirs at the root. In our experience, the “people” that cybersecurity professionals consider to be weak generally are the non-IT employees in their organisations. In our way of thinking, people are the weakest link — but that is all people, including IT staff. And that’s simply because the human hand guides all aspects of business, including information security. Configuration errors…software and web vulnerabilities…data left exposed online…known issues left unpatched…default passwords unchanged…people are at the root of all of these security weaknesses (and more). But just as cybersecurity professionals can learn from their mistakes, so can end users. The real weakness is in dismissing the value of security awareness training, as that attitude perpetuates risks that could be managed more effectively via a more educated workforce. 

2. Is clicking on links and attachments within phishing emails the biggest cyber-threat that users can pose to an organisation? Or do you think your new report has highlighted equally damaging trends?

It’s hard to argue that phishing isn’t the biggest threat against end-users. It is certainly the topic that organisations are most likely to cover in security awareness training programs; for two years in a row, our Beyond the Phish data showed that phishing was by far the most popular category from an assessment and education perspective for our customers. 

That said, our report also showed weaknesses in areas that are directly related to data security, not just email security. In fact, the category users struggled with the most was around protecting confidential data. With GDPR looming, it’s obviously concerning to think that employees don’t have a good handle on how to safeguard personal, medical, and credit card data of customers and co-workers. Infosec teams definitely need to be thinking “beyond the phish” with regard to end-user-based cybersecurity threats that could negatively impact their organisations. 

3. Are there any particular verticals that you are particularly worried about? Either because they are consistently struggling with end-user cyber security awareness, or if the sensitive nature of their work demand a high level of cyber-security awareness which they are unable to achieve?

One thing our report showed was that, across all cybersecurity topics addressed and all industries that participated, there was a lot of consistency with regard to end-user knowledge levels. So it appears that, across the board, all industries are struggling equally with raising end-user cybersecurity awareness.

Of course, because some organisations — like those in healthcare, energy, defence industrial base, and other critical infrastructure sectors — deal with highly sensitive information and systems, lack of security awareness and knowledge amongst end users in these sectors is more concerning.   

4. Beyond the Phish found that users are struggling to understand how best to protect confidential information – What should organisations be teaching their employees to ensure that their data stays safe?

We think there needs to be a higher respect for data in general, particularly with GDPR compliance requirements taking effect in the near future. Employees should be taught that personal information is not limited to the more obviously sensitive pieces of data like credit card numbers, financial account numbers, medical records, and passport numbers. It’s not just about items that are immediate personal identifiers, but also about small pieces of information that can be used in combination to compromise someone’s identity or put their accounts, professional reputation, or even their personal safety at risk. Organisations should be teaching their employees to be very cautious about the types of information they share with others; to encrypt confidential data when on the move and at rest; and to properly dispose of sensitive information when it reaches the end of its lifecycle (either by shredding paper documents or using IT-approved methods for electronic data destruction). 

5. Why do you think that users are better at passing simulated phishing attacks than answering cyber-security knowledge questions correctly? If phishing is the biggest problem, is this necessarily a bad thing?

We think it really boils down to the nature of these different types of assessments. A simulated attack essentially captures responses to a specific type of phishing email. But one phishing example is just that — one example. There are many different techniques and tactics attackers use in email, so whether users do or do not respond to one attack isn’t necessarily representative of their understanding of the varied types of attacks that cybercriminals use. And with any phishing test, you don’t have a true measure of why users who didn’t click decided to stay away. Was it because they recognised the danger? Or was it because they were too busy to see the message? Or because the topic didn’t resonate with them? When you consider these questions, it’s clear that one day’s non-clicker could easily be the next day’s clicker, depending on multiple factors.

In contrast, question-based assessments allow organisations to get a better understanding of what users do and do not know about phishing attacks. They give a clearer picture of vulnerabilities than click rates alone because they can help infosec teams narrow in on particular topics that their employees are struggling to understand. They can then apply those results to their future awareness and training efforts and focus their phishing tests and education initiatives on these areas in order to close those knowledge gaps. 

6. According to Deloitte, 85% of the UK population (41 million people) now have a smartphone. Your report says that users frequently blur the lines between corporate and personal computing on their mobile devices – what are the ramifications of this?

When you perform personal activities on business devices — or vice versa — personal mistakes can impact business data. Think, for example, if someone downloads a dangerous app on their personal smartphone and then accesses a corporate email account on the same device. Or if someone accesses their personal email account on their work PC and falls for a phishing attack in that account. 

7. You highlighted using social media safely as one of the problem areas for end users. Is social media safety the responsibility of a) the individual b) the individual’s employer or c) the social media networks themselves? 

As an organisation, social media networks represent some of our most frequently used communication tools, so we are users of this technology as well as advocates for social media safety. Given the nature of these platforms, which are rooted in sharing, we feel that responsibilities are shared as well. Naturally, users must be smart about what they share and the visibility that they give others into their lives. Similarly, employers should set guidelines for what they feel are appropriate behaviours for their employees, and also help guide these users in how to protect themselves personally. But social media networks do have a hand in safety as well. They should diligently protect users’ data behind the scenes, work to eliminate imposter accounts, and make it easy for users to implement privacy safeguards, among other things.
 

8. The danger of bad passwords seems to be coming up in the news a lot at the moment. How can end users ensure that they have the best possible password – that is also memorable?

It’s a lot to ask of any person to create a unique, memorable password for each of the many accounts that are logged into during any given week. Frankly, password management presents an interesting conundrum for infosec professionals. In this year’s Beyond the Phish Report, we again saw that users are well-versed in password best practices. However, our User Risk Report — which compiled results from an independent international survey of 2,000 working adults — showed that, in practice, many individuals continue to repeat passwords across multiple accounts. These seemingly contradictory data points help to illustrate the fact that users can have a good understanding of the right things to do, but struggle to apply best practices because they too difficult (or inconvenient) to implement.

We think password managers and other technical solutions can prove very helpful in combatting password issues. We encourage infosec teams to identify the tools they feel are right for their organisation and to clearly communicate the benefits to their employees. For example, we feel it’s not particularly helpful to simply ask users to install a password manager. It would be more effective to recommend a specific tool and provide instructions about where to get it and how to install it. 

Amy Baker, VP of Marketing at Wombat Security Technologies