Joe Ferrara | October 11, 2016

Trained Employees Are The Best Defense In The Cyber Security War

Not long ago, the Department of Homeland Security directed extra attention to voter registration hacking threats. The recent news that the Arizona voter registration hack came from an email that looked like it was from an employee reignites the conversation on the importance of cyber security training, particularly among government agencies.
This seemingly minor user misstep points to the detrimental consequences lack of security awareness and training can have on government entities in particular. Most average consumers aren’t aware spoofing emails of trusted sources is very common in phishing attacks, and many think it’s a difficult process for cyber criminals to successfully bait an employee.

While we can’t speculate on the specifics of the Arizona voter registration hack before they are confirmed, we know that in general cyber criminals take advantage of the fact employees are conditioned to say ‘yes’ to authority figures. Without the right training, it can be difficult for employees to identify phishing emails from safe emails, particularly if they appear to come from a superior title.

Attacks can be very sophisticated, as they are no longer out-of-the-blue emails with poor grammar and terrible formatting. Cyber criminals can put significant time, in terms of days or weeks, into an attack, establishing a relationship with the targeted employee. The criminals may ask for innocent pieces of information along the way and after becoming a trusted source, persuade the targeted employee to expose sensitive data or give away their credentials.

Key points organizations must keep in mind include:

  • Spear phishing continues to be the most effective attack vector for both amateur attackers and nation state attackers.

Where a phishing email is a malicious email disguised to look like a message from a legitimate source (like a bank, a package shipping service, or your HR department), a spear phishing email, as the name implies, is more targeted and includes personalized information about the recipient. A spear phishing email could be disguised to look like a message from your HR department or your boss, with specific content such as your full name, internal information, and company logos. Each of these “trust tokens” make the email appear more legit — and this, in turn, drives open and click rates.

Employees who fall victim to spear phishing attacks put entire organizations at risk. The malicious links and attachments hidden in spear phishing emails may allow criminals to plant malware in a user’s machine. From there, they can gain access to an organization’s network, other user’s computers, steal intellectual property, or just wreak havoc on the network. Even if attackers don’t end up stealing money or IP from a company, it’s not “no harm, no foul” as the full impact may come later.

There is no solution that will have you covered 100%, but training your end users through simulated phishing attacks provides them real exposure and helps them learn to identify and avoid spear phishing emails.

  • Today’s security technology is not 100% effective. Technology is important, but it will never catch every attack. This speaks to the need for end user training and a commitment from management to acknowledge security threats and establish a culture of “smart skepticism” among their users.

A user who is aware of an issue like spear phishing knows what to look for and how it can affect them. Training gives the user the opportunity to put their education into action, practice it, and demonstrate that they understand.

Like any technology asset, maintaining an active security posture is not only possible, it is essential. Regular, ongoing interactions with users create opportunities for engaging assessment and remediation activities — and our data shows that these exercises and teachable moments can reduce user-based risks, particularly those associated with phishing attacks.

  • Organizations should absolutely be prioritizing end-user cyber security education. Benefits are seen when you create a culture of security, as educated employees are far more likely to immediately question an unsolicited request for sensitive data. They will also be able to recognize when phone calls, emails or social media messages are outside the scope of ‘normal.’

The results reflected in the Managing Insider Risk through Training & Culture research shows only 35% of respondents said their senior executives have made end-user security awareness and training a priority and 60% say their employees are not knowledgeable or have no knowledge of the company’s security risks. These numbers should worry you.

Challenge the way you think of cybersecurity education. Think of it not just as a “check-the-box” activity, but also a “fill-the-bucket” activity. A once-a-year, soup-to-nuts presentation or video about all things cybersecurity allows you to check the box, but does it allow you to fill the bucket and keep it fresh? A year from now, what will the contents of that bucket be like? Think of water that would sit, untouched, for a year. Not so fresh, right? What (other than Twinkies and M&Ms) could withstand a stagnant period of that length and still be of value?  Cyber security education is very similar.  If you only train your employees once a year, your results will be less than stellar.

Take a different approach to employee training, delivering short, bite-sized, palatable bursts of information that can be used to nourish end users’ understanding year round. Can you check the box? Absolutely. The difference is in how you fill and refresh the bucket. Regular infusions of awareness and training keep things fresh and interesting will improve your results.

  • However, organizations need to train “beyond the phish.” Email compromise and phishing attacks are far from the only threats from attackers looking to gain a foothold within your organization.

Our 2016 Beyond the Phish™ Report reveals many cybersecurity threats that are prevalent today — including oversharing on social media, unsafe use of WiFi, and company confidential data exposure — are not well-understood by end users. These activities are not only dangers in their own right, but also are contributing factors to the ever-expanding phishing problem.

Recent attacks prove there are many security exposures that originated outside of email attacks, including wireless network, software vulnerabilities, portable device safety, lack of encryption and much more. That said, organizations must keep track of all types of emerging hacks so they can educate their employees properly, making it tougher for cyber criminals to access companies’ confidential data.

Always remember forewarned is forearmed.

About Joe Ferrara

President and CEO, Wombat Security Technologies, Inc.

Joe Ferrara is the President & CEO of Wombat Security Technologies, a leading security awareness training and assessment company. Joe has provided expert commentary and has spoken at numerous information security industry events including the CISO Executive Network forum, ISSA International and regional conferences. He brings over 20 years of experience in technology marketing, operations and management to his role at Wombat. His previous roles include President, CEO and Chairman of Tollgrade Communications, CEO of Marconi Communications North America and General Manager of Ericsson’s Wireless Software & Services and Routing & Switching Divisions. Joe is also a Board Member of Voci Technologies.