Security Awareness Training Is No Longer Optional
If there’s any lesson to be learned from two recent Canadian data breaches, it’s that IT security depends on a lot more than just deploying the right technology. It has long been known that people are one of the weakest links in IT security, and yet I find it shocking how many businesses still learn this the hard way. It doesn’t matter whether you’re a small business or a multinational enterprise: cybersecurity awareness training is no longer optional.
Damage from data breaches can be crippling
The financial and reputational damage done by cybersecurity breaches can paralyze businesses and government agencies alike. Last year, 23 municipalities in the state of Texas were hit simultaneously with the Sodinokibi ransomware. The attack came in through software used by the municipalities, and all it took to paralyze the local governments was a single employee opening a seemingly benign attachment.
In more recent events, the COVID-19 crisis has brought a surge in fake email campaigns designed to gain malicious access to various systems. One telling example is a message posing as the U.S. Department of Labor that tricks people into opening a .DOC file containing macros. Once the user enables the macros, a file is automatically downloaded to the computer. Other such attacks include fake emails from "Microsoft" that harvest user credentials by sending you to a fake Teams landing page.
These breaches can be avoided.
Better training can prevent breaches
Both of these cases demonstrate how data breaches can be avoided with better cybersecurity awareness training. That City of Calgary employee didn’t mean to do any harm, but they were also clearly not aware of how much could go wrong when moving around large sets of personnel files. That lack of awareness made them careless.
The Desjardins employee, however, was a malicious actor. It was their coworkers who didn’t recognize the risks of bypassing privacy rules; their assumptions about a coworker’s intentions made them careless.
Neither breach was the result of a technological failure. Both resulted from employees not knowing what they needed to pay attention to in order to keep data secure.
In my 20-year IT security career I’ve seen this same failure over and over. Here we are at the start of 2020, and social engineering remains one of the easiest ways for attackers to gain access to data.
There’s strong evidence backing what I’ve seen firsthand. Kaspersky Labs found that a third of cyberattacks succeed by exploiting social engineering alone. The remaining two-thirds involve some degree of technical exploit, but many of those still rely on social engineering in part.
The answer is to be proactive
There’s no silver bullet, and you should be wary of anyone who claims there is. Because there are so many different threat profiles out there (everything from script kiddies to organized crime and, yes, internal threats) and so many attack vectors available to them on modern networks, enterprise cybersecurity requires a comprehensive approach. This is called layered security.
Layered security is a methodology that assumes any single layer of protection will inevitably fail, so you design your overall security program to stop or slow threats as they try to reach assets deeper in your network.
Layers of security
On the technical side, this means integrating security throughout your organization’s IT infrastructure, at the network, transmission, application, and system levels.
We need a human-level security layer
What I think is lacking is a comparable layered approach to social engineering attacks. These attacks don’t always walk in through the front door, but when they do, they carry a security badge you legitimately issued. Threats that exploit people can attack every level of an organization. They can go after front desk staff answering the phones and greeting whoever comes in the door. They can try to fool busy executives who have access to confidential data and not always enough time to scrutinize every single email, website, or thumb drive they see. And yes, they can even go after IT security professionals, who are human after all and can make mistakes.
Security awareness training needs to come from the top down. It needs to be conducted at all levels and, more importantly, be seen being conducted at all levels so everyone in the organization knows it’s important. This helps build a culture of security and accountability where policies are respected and everyone works to minimize risk. I call this Trickle Down Security.
Some best practices I think every security awareness program should follow are:
- Establish buy-in from the executive level on down. Proper security training requires leadership.
- Then make sure all of those levels, even the executives, take security awareness training.
- Establish clear communication channels so the entire organization understands the goals.
- Set performance benchmarks. Security awareness is measurable! You can conduct testing after training sessions to see what information employees have retained. Or better yet, conduct mock social engineering attacks and assess results.
- Use real-world training examples and tailor them to your audience. Those front desk staffers should see examples of social engineering phone calls they might get.
- Make it ongoing. Threats in IT are constantly evolving. The training program you design needs to evolve just as quickly.
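The "set performance benchmarks" point above is easy to state and harder to operationalize. The following is an added example (not code from the original post) of how a security team might score the results of a mock phishing campaign per department and flag regressions between campaigns. The record layout, the department names and all of the result rows are constructed sample data; a real deployment would read them from the phishing-simulation platform's export.

```python
"""Score a mock-phishing campaign per department and compare two campaigns.

Added example, not the author's tooling. All records below are constructed
sample data for illustration; nothing here is taken from a real campaign.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PhishResult:
    user: str
    department: str
    opened: bool                      # opened the simulated lure
    clicked: bool                     # followed the link or enabled the macro
    reported_after_s: Optional[int]   # seconds until reported to security; None = never reported


def department_metrics(results: List[PhishResult]) -> Dict[str, dict]:
    """Per-department click rate, report rate and median time-to-report (seconds)."""
    by_dept: Dict[str, List[PhishResult]] = {}
    for r in results:
        by_dept.setdefault(r.department, []).append(r)

    metrics: Dict[str, dict] = {}
    for dept, rows in sorted(by_dept.items()):
        n = len(rows)
        clicks = sum(1 for r in rows if r.clicked)
        report_times = [r.reported_after_s for r in rows if r.reported_after_s is not None]
        metrics[dept] = {
            "recipients": n,
            "click_rate": clicks / n,
            "report_rate": len(report_times) / n,
            # None when nobody in the department reported the lure
            "median_report_s": median(report_times) if report_times else None,
        }
    return metrics


def regressions(previous: Dict[str, dict], current: Dict[str, dict],
                tolerance: float = 0.05) -> List[str]:
    """Departments whose click rate rose by more than `tolerance` since the last campaign.

    These are the groups whose training content or cadence needs revisiting.
    """
    worse = []
    for dept, cur in current.items():
        prev = previous.get(dept)
        if prev is not None and cur["click_rate"] - prev["click_rate"] > tolerance:
            worse.append(dept)
    return worse


# Constructed sample data: a baseline campaign and a follow-up after training.
R = PhishResult
CAMPAIGN_1 = [
    R("alice", "front_desk", True, True, None),
    R("bob", "front_desk", True, True, None),
    R("carol", "front_desk", True, False, 120),
    R("dan", "finance", True, True, None),
    R("erin", "finance", True, False, 300),
    R("fay", "finance", False, False, None),
    R("gus", "it", True, False, 60),
    R("hal", "it", True, True, None),
]
CAMPAIGN_2 = [
    R("alice", "front_desk", True, False, 90),
    R("bob", "front_desk", True, True, None),
    R("carol", "front_desk", True, False, 100),
    R("dan", "finance", True, True, None),
    R("erin", "finance", True, True, None),
    R("fay", "finance", True, True, None),
    R("gus", "it", True, False, 45),
    R("hal", "it", True, False, 200),
]


def campaign_report(previous: List[PhishResult], current: List[PhishResult]) -> dict:
    """Bundle the metrics of both campaigns with the list of regressing departments."""
    prev_m = department_metrics(previous)
    cur_m = department_metrics(current)
    return {"previous": prev_m, "current": cur_m, "regressions": regressions(prev_m, cur_m)}


if __name__ == "__main__":
    report = campaign_report(CAMPAIGN_1, CAMPAIGN_2)
    for dept, m in report["current"].items():
        print(f"{dept:11s} click={m['click_rate']:.0%} report={m['report_rate']:.0%} "
              f"median_report_s={m['median_report_s']}")
    print("needs attention:", report["regressions"])
```

Click rate on its own is a poor benchmark: a department that clicks less but also never reports the lure has not improved the organization's detection capability. Tracking report rate and time-to-report alongside click rate is what turns the training program into something that can be measured campaign over campaign.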
Any business can benefit from security training that emphasizes these points, even heavily process-oriented businesses. But these practices are especially important for businesses with highly valuable human capital, like knowledge workers.
Just as implementing a single layer of network security won’t protect your infrastructure, training a single category of staff won’t protect against social engineering attacks. The Trickle Down Security approach is the most viable way to ensure that every organizational level is protected against the particular cyberattacks that might exploit its people.
Desjardins and the City of Calgary learned the hard way what can go wrong if you don’t. I hope other organizations don’t have to.