A spear phishing attack over the summer led to a Canadian company paying $425,000 in Bitcoin ransom to free its computers. As we reported earlier, senior officials apparently fell for an old trick. Some messages purported to be from a courier company and told recipients the attachments were invoices for packages to be picked up; others simply asked them to open and print the attached document. Opening the attachments led to the installation of malware.
As October's Cyber Security Awareness Month starts, the incident is another reminder that enterprise security is more than firewalls, anti-malware, behavior analytics and governance. It's also about people.
“Perhaps security is getting better, in terms of how well things are configured,” says Michael Joyce, knowledge mobilization co-ordinator at the University of Montreal’s Serene-Risc information exchange, which is aimed at increasing public understanding of cyber risks and threats.
“People are paying more attention, putting more effort into hardening their systems – but not as much attention into hardening their personnel.”
“We can’t walk away from the issue of behavioral failure being the cause of cyber crime,” says Peter Cassidy, co-founder of the tech industry’s Anti-Phishing Working Group (APWG). “It won’t work any more. We can’t deny it and the [IT] operations people can’t get away with saying, ‘People. What can you do? They’re hopeless.’
CISOs “have to inoculate people from the kinds of behaviour that make them regularly and predictably useful for the completion of cyber crime. Everyone uses the term cyber crime and cyber risk, and the crimes may start over the Internet but the crimes are all completed between people’s ears – that’s not changed in the past 15 years.”
Some organizations and governments across the country will observe Cyber Security Month in various ways: Email campaigns, posters, sometimes intensive training. For many organizations it will be ignored.
Public Safety Canada has a Web site with suggested tools for CISOs and the general public. For example, it suggests a campaign with a weekly theme (Week 1 adopts the APWG’s Stop. Think. Connect. basic steps to cyber security; Week 2’s theme is Cybersecurity in the Workplace is Everyone’s Business; Week 3 asks people to be aware of Privacy Protection and the Internet of Things; and Week 4’s suggested topic is Digital Citizenship, which includes proper use of social media and avoiding illegal downloading).
The B.C. government’s site also has resources for both IT pros and consumers.
The Anti-Phishing Working Group has a page of resources here.
Why there has to be a cyber security awareness month is a topic all its own. There are still consumers and citizens who feel cyber security is in the hands of IT pros. For others, it means boring office training sessions once a year, or seemingly vague advice (‘Look for something suspicious’).
There is seemingly no solid research on how widespread cyber crime is in Canada and the major causes of breaches. Canada loses 0.17 per cent of GDP to cyber crime, or $3.12 billion a year, the Canadian Chamber of Commerce estimates.
It may be more instructive to use data from Verizon Communications’ most recent annual Data Breach Investigations Report, which found that 81 per cent of the hacking-related breaches it had information on from around the world leveraged stolen and/or weak passwords, 43 per cent of attacks were social in nature (email, social media), 14 per cent of breaches were caused by errors (such as misconfigured systems) and another 14 per cent involved privilege misuse. And 66 per cent of malware was installed via malicious email attachments that people clicked on.
In other words, an awful lot of people-related things.
Which is why security awareness is vital. Over the years infosec pros have turned to newsletters, blogs, hiring trainers and other techniques. The question is what works?
“We don’t know yet because we haven’t come up with a rigorous way to measure the effect of a cyber awareness program,” admits Cassidy. “What’s been happening is a lot of broad awareness programs to teach people that they should be concerned about cyber security, and then training programs for people in industry. In the training programs there are ways to test people to make sure they’ve been inured with the skills they need to do the tasks they’ve been asked to do securely. But at the basic user level we’ve not been able to take the temperature of the population and to figure out what cyber security awareness programs can be broadly applied to naturally change behaviour.”
Others are more positive. “What really hits home is if you can make it personal,” says Mohammad Qureshi, head of cybersecurity for the government of Ontario, whose staff includes a team of five responsible for educating the province’s civil servants.
“I equate cyber security awareness to health and safety: If there’s an organization – say a construction firm — all their health and safety programs are dedicated to how do you make yourself safe at home as well as in the workplace. With security education for an end user it absolutely has to be the same way. So if we can show them how to be safe at home, how to stop phishing emails, how to make sure when you’re traveling you can be cyber safe. If we can embed that train of thought into our staff at home they’ll bring the same safety caution into work as well.
“That’s typically when we see the biggest uptake. When we’re doing awareness and education it doesn’t stick just to our security policies and standards, because to be frank, that could be very boring. But if you can make it relevant to something in their personal lives people tend to pay more attention and retain more.”
His team also tries to throw in a few surprises during training to make sure staff are on their toes. At tabletop ‘cyber war games,’ trainers are not above tossing in an unexpected curve in the middle of a crisis that staffers have to deal with. “It really shows them how it could happen to us in our day to day work, and we relay back [to them] context to articles or media coverage in the world today. So it’s not just about you have to protect your information, it’s [also] about this is what really happens in the world.”
There’s a tendency by some to separate awareness for general staff from training for IT pros, says Joyce of Serene-Risc. But when staff are allowed to bring their own devices, or break the rules by installing software and signing up for unapproved cloud services, limiting awareness training to IT staff is a mistake: everyone needs it.
“The other thing to do,” he adds, “is rather than just focusing the problems of not complying with security policy — which is a very negative way of providing information on what good behaviours are — look at the benefits of following good security practices: Not just the minimum required, for example, for a password to comply with security policy but what’s a good password. Looking at the benefits of having better security might influence more people to really take part in the security process. Because in organizations today it’s not just the IT personnel who have responsibility for security, it’s everybody in the organization.
“A breach can come from anywhere – for example, a business email compromise [target] could be a junior account manager. So rather than an awareness email (to staff) or a short video, having a more focused approach could provide better results.”
Cassidy agrees. CISOs “have to imbue all their employees with the knowledge that they themselves can be gateway to the treasures of the organization. It doesn’t really matter what their job is.”
Whatever your approach, experts agree that cyber security awareness training should be more than a once-a-year effort tied to Cyber Security Awareness Month. It should run at least once a quarter.
Let us know in the space below what your organization has found works.