Joe Ferrara | November 26, 2012

The Final Frontier in the Cybercrime Fight

Security technologies go only so far; employees and cultures need to be trained

While the variety and sophistication of cybersecurity technologies has expanded exponentially over the last decade, the ability of organizations to defend themselves against security breaches does not seem to be improving. In fact, evidence suggests it's actually getting worse: A 2012 Hewlett-Packard study revealed that occurrences of cyberattacks have more than doubled over three years, with organizations experiencing an average of 102 per week in 2012, compared to 50 attacks per week in 2010.

As more and more business is conducted virtually -- on computers and mobile devices -- the opportunity for criminals to steal valuable information expands. To date, the information security industry has been primarily focused on using technology to address those risks. Not much has been done to secure the human element, and as a result, employees have become the primary attack vector of cybercriminals. In a recent survey by PricewaterhouseCoopers, 80% of companies reported security breaches caused by employees.

Technologies such as anti-virus, firewalls, intrusion detection and behavior-blocking components are undoubtedly essential in the fight against cybercrime, but, unfortunately, just about every cybersecurity technology engineered to protect computer systems and information can be accidentally circumvented by human interaction.

Information security has always required a delicate balance between usability, cost and strength. Building an impenetrable fortress would not only stifle employee productivity, but also would be cost prohibitive. In the age of IT consumerization, demands for increasing employee mobility and connectivity have made the challenge of maintaining a balanced approach to security even more difficult. Cybercriminals have been quick to exploit this fact to their advantage.

With cyberattacks growing in sophistication, amid evidence that cyberespionage efforts such as Flame are sponsored by nation states, many observers say corporate America is not doing as much as it should to mitigate the threat. New breeds of sophisticated attacks that target vulnerable employees - such as spear-phishing, drive-by downloads, poisoned search engine results and mobile malware - continue to proliferate, while the effectiveness of countermeasures lags behind.

The Weakest Link

Based on the sheer volume and velocity of attacks attributable to unsuspecting and under-educated employees, it is evident that something must be done to shore up this gaping hole in corporate cyberdefenses. Maintaining the status quo is no longer sustainable, as organizations cannot afford to spend increasing amounts of time, money and energy responding to these vulnerabilities.

Recognizing that humans are still the weakest link in the security chain, many security officers are re-evaluating their approach to cybersecurity training. Most employee-caused security breaches occur through ignorance rather than malice. The old model of herding employees into a classroom once a year (or upon hire) to sit through the boring, antiquated style of training session that emerged 15 to 20 years ago, has proven to be ineffective. The old once-a-year "check the box" approach to security training cannot keep pace, nor will the creation of a security policy by itself prevent breaches. Research by my company, Wombat Security Technologies, shows that tried-and-true attack methods, such as relatively simple phishing e-mails, are still hooking up to 60% of employees.

It is time for employees to understand the importance of security policies and learn how to put them into practice.

There is strong evidence that supports the effectiveness of education in getting employees to take an active role in cybersecurity. Research shows that organizations with well-understood security policies suffer fewer breaches; companies with an ongoing security awareness program reduce such incidents by 50%. Security officers that retire old PowerPoint training presentations in favor of new, interactive cybersecurity assessment and awareness training software are seeing positive results -- up to a 70% reduction in susceptibility to employee-targeted attacks, which translates to fewer breaches and lower remediation costs.

Program Success Factors

Here are five key education program tactics to successfully make people aware of security risks and motivate them to change their behaviors:

-- Prioritize and focus. Successful security training is a process, not a one-time event. Training solutions that include analytics help organizations assess human risk factors across multiple attack vectors including e-mail, mobile devices, social networking and passwords. This allows security officers to create a customized training program that addresses the most prevalent or risky employee behaviors first. The best results are achieved by setting realistic goals to modify two or three risky security behaviors at a time. As progress is made, more risks can be addressed with the addition of new training modules.

-- Make it digestible. Effective security training is about quality, not quantity. Training is better received when it is woven into daily work routine, using learning-science principles to build incremental success with "teachable moments." Interactive software training sessions can measurably reduce employee susceptibility to attacks in just 10 minutes. With administrative tools that allow security managers to schedule and deploy training modules or mock cyberattacks, security training can be presented in the context that a person will most likely be attacked. When an employee falls for an attack, a quick on the spot training session can help him or her better understand the risks and learn how to avoid similar incidents in the future.

Read the rest of the article at garp.org