Awareness training has been on the minds of many infosec leaders over the past four weeks, thanks to the annual Cyber Security Awareness Month campaigns across the country.
But while much of the advice deals with ways of getting employees to sharpen their senses, there’s little help dealing with the few on staff who insist clicking on every link or attachment is necessary to do their job.
In those cases, says Bob Steadman, vice-president of security and compliance consulting at the Herjavec Group, which has offices in four provinces, the CISO has to start asking questions.
“I was in charge of security and privacy compliance at Loblaw,” he recalled in an interview. “At one time they were hiring 100 university or college graduates every six months, all millennials so there was an order to open up to Facebook, Twitter and other social media.”
Social media can be problematic: Staff post messages that can be read around the world and that may damage the company’s reputation, and attackers can use the sites as another way to send malicious links and attachments.
“I called a meeting and asked, ‘What’s the business need? There’s lots of wants out there, but what’s the business requirement?’ In this case it was to share things from one person to another. So I said, ‘OK, there’s corporate email,’ and they said, ‘They need to share documents,’ and I said, ‘OK, we’ve got SharePoint.’ Well, that wasn’t good enough. Eventually the CEO signed off and said, ‘We need this.’ Now the next thing is how do you secure it.
“The point is, is it a real business requirement that there isn’t some other solution for? And if it is truly a need that has to be fulfilled, then you have to find a way to secure it. The whole thing about information security is it’s a very delicate balancing act of not impeding the business but securing and controlling it to mitigate risks.”
Asked about mistakes infosec leaders make in awareness programs, Steadman cited three:
– “Not making it exciting enough, especially in this age of social media and short attention spans. If you don’t capture their attention very quickly you can lose an audience very quickly.”
– Not enough repetition. Not only do you have to send the message in different ways – email, newsletters, posters, the company Intranet, games – it also has to be done repeatedly. “People learn differently,” he said. “Know your audience, keep it simple, hammer it home.”
“There’s a bank in Toronto that does an annual calendar people hang up by their workstations. Every month there’s a different poster around security awareness, so it has that daily message, but changes monthly.
“Everyone likes freebies, so we helped a company with a keychain that has a fob the shape of a key. It has the company name on one side and on the other the message, ‘You Are The Key to Security.’ I know it’s somewhat corny, but it got the message across: Everybody has a responsibility with regard to security.”
– Make sure you’re getting feedback and getting the desired result. Online tests, phishing tests, quizzes and fun exercises are all valuable for gathering metrics. And don’t forget to test physical security, including seeing if the help desk falls for phony password requests, if employees will plug in a USB key you drop on a floor and even if they can be tricked into allowing strangers into the building.
“All of these things are pieces of the puzzle … and fitting them together will make it work.”
John Pescatore, research director at the SANS Institute, is among those who urge infosec pros to relate training to employees’ personal lives. “We’ve found it’s much more effective to talk to (staff) about the possibility of losing their own data or their own identity than the traditional way of saying, ‘The company’s information needs to be kept private.’”
“So if you teach them how to be suspicious of a phishing message at home or you find a suspicious credit card transaction or an email about a FedEx package, it actually works. There’s much more behavioral change than if you’re constantly saying, ‘It’s your responsibility to do this with the company’s data.’”
Remember also that training should include senior management and the board, he adds. The program may need to be tailored to them.
He emphasized that the goal of training is behavior change, not simply, ‘We told them not to do that, therefore it’s their fault when they do it.’ In line with that, don’t forget the importance of policies that reduce the risk of staff opening opportunities to attackers. For example, make maximum use of email controls to reduce the number of phishing attacks that reach staff in the first place.
Neil Bunn, CTO at Scalar Decisions, a solutions provider with a security practice and eight offices across the country, echoes the need for training tailored to the organization, including to the different groups within the firm.
“We do phish our own executives so they see how targeted it can be,” he said in an interview. “Not so long ago we crafted a very sophisticated-looking change in a flight notification from an airline with dates that corresponded with a conference that many technology executives attend.” The message, asking the recipient to enter their reward card password, had an airline logo and “pristine” language.
A lot of execs did click on the link, Bunn said, which took them safely to a page with a message: ‘This was a test and an example of how sophisticated a targeted attack can be.’
But despite the meticulous email, there were at least two clues it was a fraud: There were mistakes in the URL, and many of the execs weren’t registered for the conference. The point of the exercise was to teach staff not to enter passwords in response to email messages, to find out how many would ask their executive assistants whether they really had booked that flight, and to make staff realize phishing comes in many formats.
Starting a ‘Spam Bounty’ program, rewarding staff for forwarding links or attachments to the security team, can also be valuable, he added.
“Too many (infosec pros) default to, ‘I had 80 per cent of people who didn’t click the link, therefore I passed,’” Bunn added. “There’s no passing grade in cyber security. Even if you’re 100 per cent today, you won’t be tomorrow, because people are going to change and the threat is going to change. And 80 per cent isn’t great anyway. So sometimes the training, depending on the metrics, needs to be more sophisticated, or to put more emphasis on fundamentals.”
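The metrics Bunn refers to are more useful when a simulated phishing campaign is scored on more than the click rate: how many recipients reported the message to the security team (the ‘Spam Bounty’ path described above), how quickly the first report arrived, and how the numbers differ by department and between campaigns. The following is an added example, not code from the article or from Scalar Decisions or Herjavec Group; the event log is constructed, and the campaign names, users and departments are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed sample events from two hypothetical simulated phishing campaigns.
# Each row is (campaign, user, department, action, UTC timestamp).
# Actions: "sent" (message delivered), "clicked" (link followed),
# "submitted" (credentials typed into the landing page), "reported"
# (message forwarded to the security team).
SAMPLE_EVENTS: List[Tuple[str, str, str, str, str]] = [
    ("sim-1", "alice", "finance", "sent", "2016-09-12T09:00:00"),
    ("sim-1", "alice", "finance", "clicked", "2016-09-12T09:05:00"),
    ("sim-1", "alice", "finance", "submitted", "2016-09-12T09:06:00"),
    ("sim-1", "bob", "finance", "sent", "2016-09-12T09:00:00"),
    ("sim-1", "bob", "finance", "reported", "2016-09-12T09:20:00"),
    ("sim-1", "carol", "sales", "sent", "2016-09-12T09:00:00"),
    ("sim-1", "carol", "sales", "clicked", "2016-09-12T09:30:00"),
    ("sim-1", "dan", "sales", "sent", "2016-09-12T09:00:00"),
    ("sim-1", "erin", "exec", "sent", "2016-09-12T09:00:00"),
    ("sim-1", "erin", "exec", "clicked", "2016-09-12T09:02:00"),
    ("sim-1", "erin", "exec", "reported", "2016-09-12T09:10:00"),
    ("sim-2", "alice", "finance", "sent", "2016-12-05T10:00:00"),
    ("sim-2", "alice", "finance", "reported", "2016-12-05T10:03:00"),
    ("sim-2", "bob", "finance", "sent", "2016-12-05T10:00:00"),
    ("sim-2", "bob", "finance", "reported", "2016-12-05T10:08:00"),
    ("sim-2", "carol", "sales", "sent", "2016-12-05T10:00:00"),
    ("sim-2", "carol", "sales", "clicked", "2016-12-05T10:15:00"),
    ("sim-2", "dan", "sales", "sent", "2016-12-05T10:00:00"),
    ("sim-2", "erin", "exec", "sent", "2016-12-05T10:00:00"),
    ("sim-2", "erin", "exec", "reported", "2016-12-05T10:01:00"),
]


@dataclass
class CampaignMetrics:
    recipients: int
    clicked: int
    submitted: int
    reported: int
    minutes_to_first_report: Optional[float]   # detection speed, not just exposure
    median_minutes_to_report: Optional[float]

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients if self.recipients else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients if self.recipients else 0.0


def _group(events):
    """Group raw rows by campaign and parse timestamps."""
    by_campaign = defaultdict(list)
    for campaign, user, dept, action, ts in events:
        by_campaign[campaign].append((user, dept, action, datetime.fromisoformat(ts)))
    return by_campaign


def summarize(events=SAMPLE_EVENTS) -> Dict[str, CampaignMetrics]:
    """Per-campaign exposure (clicks, submissions) and detection (reports) metrics."""
    result = {}
    for campaign, rows in _group(events).items():
        recipients = {u for u, _, a, _ in rows if a == "sent"}
        send_time = min(t for _, _, a, t in rows if a == "sent")
        clicked = {u for u, _, a, _ in rows if a == "clicked"} & recipients
        submitted = {u for u, _, a, _ in rows if a == "submitted"} & recipients
        reporters = {u for u, _, a, _ in rows if a == "reported"} & recipients
        # Minutes from delivery to each report; a user who clicked and then
        # reported still counts as a report, since that is the behaviour wanted.
        minutes = sorted((t - send_time).total_seconds() / 60
                         for _, _, a, t in rows if a == "reported")
        result[campaign] = CampaignMetrics(
            recipients=len(recipients),
            clicked=len(clicked),
            submitted=len(submitted),
            reported=len(reporters),
            minutes_to_first_report=minutes[0] if minutes else None,
            median_minutes_to_report=median(minutes) if minutes else None,
        )
    return result


def department_click_rates(events, campaign: str) -> Dict[str, float]:
    """Click rate per department for one campaign, to find where to tailor training."""
    rows = _group(events)[campaign]
    sent = defaultdict(set)
    clicked = defaultdict(set)
    for user, dept, action, _ in rows:
        if action == "sent":
            sent[dept].add(user)
        elif action == "clicked":
            clicked[dept].add(user)
    return {dept: len(clicked[dept] & users) / len(users) for dept, users in sent.items()}


if __name__ == "__main__":
    for name, m in summarize().items():
        print(f"{name}: click {m.click_rate:.0%}, submitted {m.submitted}, "
              f"report {m.report_rate:.0%}, first report after {m.minutes_to_first_report} min")
        print("  by department:", department_click_rates(SAMPLE_EVENTS, name))
```

Reading the two constructed campaigns side by side shows the point of the quote: the click rate drops from 60 to 20 per cent, but the more telling change is that the report rate rises and the first report arrives within a minute, which is what shortens the window an attacker has. A campaign with a low click rate but no reports at all would still leave the security team blind.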
There is a place for disciplining repeat offenders. “The foundation of everything that exists in an organization is policies,” said Steadman, “and a (security) policy should state that all employees will abide by the policies and non-compliance will be dealt with appropriately, up to and including dismissal.
“If they’re flagrant in their abuse, yes, I’d say that’s an activity that can be dealt with harshly.”
But Bunn urges having some perspective. “The reality is even the smartest, most sophisticated security professionals can get lured in accidentally … The only way to get around that is by having muscle memory of skepticism and of security awareness.
“The moment you are judgmental you’re creating a negative atmosphere around cyber security. Some attacks will get through. The question is how many can you prevent, how quickly can you detect the attempt, how quickly can you detect a successful attempt. User awareness training is one fundamental part of that and you need them to participate and not to be fearful, because they’re your early warning detection system.”