How to train your staff so the knowledge will sink in!
July 30, 2018
Vendor View: Jake Moore, cyber security specialist at ESET UK on hacking humans for the better...
What I have learnt over the last few months is that there is most certainly job security in computer security.
I have spent a lot of my time looking into business security and checking for any vulnerabilities concerning IT threats, and I have found it is often the human behind the screen that poses more of a threat than a lack of computer security.
Many local companies I have spoken with have identified their company’s highest cyber risks; they have done the research and know about the attacks that pose a threat to their data. However, very few have identified, or do anything to protect, their most vulnerable area – their staff.
Depending on the company and staff member, access to data varies from limited access to open access. With this in mind, why would a hacker attempt to penetrate a site from an external source when all they have to do is target the weak links that can do all the hard work for them? It’s easier, quicker and frequently offers a more positive result.
Dressing in a high-visibility jacket, holding a fake badge and asking where the server room is, or waiting outside a company door holding a large box with both arms outstretched, will undoubtedly result in someone opening the door with a smile. The thing is, people are too nice. They feel guilty when questioning others, and attackers take advantage of this weakness. So why do we not train our staff to be more aware of these threats?
Staff awareness of security can be measured in many ways. A simple approach is to send a fake phishing email containing a link to all staff in the organisation. The link records how many members of staff clicked the bait, which in a real attack could have caused damage.
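As an added illustration, not code from the article or from ESET, this is how the click-measurement step can be scored on the defender's side: each recipient gets an opaque HMAC token so results cannot be forged or read off without the secret, repeat clicks by one person count once, staff who reported the email are counted as well, and tokens that were never issued are flagged rather than scored. The roster, secret and log lines are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed roster for the exercise (hypothetical staff and departments).
STAFF = {"alice": "finance", "bob": "finance", "carol": "ops", "dave": "ops"}

def make_token(secret: bytes, user: str) -> str:
    """Opaque per-recipient token (HMAC of the username): a token seen in a
    log cannot be forged or tied back to a person without the secret."""
    return hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()[:16]

def summarise(log_text: str, token_to_user: dict) -> dict:
    """Aggregate landing-page clicks and report-mailbox events per department.
    Constructed log format: '<timestamp> <event> <token>', event in
    {'click', 'report'}. Repeat clicks by the same person count once."""
    clicked, reported, unknown = set(), set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than abort the report
        _, event, token = parts
        user = token_to_user.get(token)
        if user is None:
            unknown += 1  # token never issued: investigate, do not score it
            continue
        if event == "click":
            clicked.add(user)
        elif event == "report":
            reported.add(user)
    per_dept = defaultdict(lambda: {"staff": 0, "clicked": 0, "reported": 0})
    for user, dept in STAFF.items():
        per_dept[dept]["staff"] += 1
        per_dept[dept]["clicked"] += int(user in clicked)
        per_dept[dept]["reported"] += int(user in reported)
    return {"departments": dict(per_dept), "unknown_tokens": unknown}

SECRET = b"exercise-secret-placeholder"  # constructed; use a fresh random secret per campaign
TOKENS = {make_token(SECRET, u): u for u in STAFF}  # token -> user
# Constructed events: alice clicks twice, bob reports, carol clicks then reports,
# and one line carries a token that was never issued.
SAMPLE_LOG = "\n".join([
    f"2018-07-30T09:01 click {make_token(SECRET, 'alice')}",
    f"2018-07-30T09:02 click {make_token(SECRET, 'alice')}",
    f"2018-07-30T09:05 report {make_token(SECRET, 'bob')}",
    f"2018-07-30T09:07 click {make_token(SECRET, 'carol')}",
    f"2018-07-30T09:09 report {make_token(SECRET, 'carol')}",
    "2018-07-30T09:10 click deadbeefdeadbeef",
])
```

Reporting the report rate alongside the click rate matters: the aim of the exercise is to find out whether staff know whom to tell, not only who clicked.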
Another option is a more in-depth staged test. One company went as far as to place USB sticks around their company car park to see how many members of staff would pick them up and plug them into their work computers in an effort to establish ownership. These innocent acts, conducted in good faith, could potentially leave the company network vulnerable to a whole host of executable malware. It could theoretically take any business, big or small, offline and, without an up-to-date disaster recovery policy in place, could feasibly wipe them out completely.
Training staff is an easy solution to the potentially catastrophic consequences of relaxed security. However, fraudsters are becoming more creative and calculated.
Social engineering is a more complex fraud scheme than the traditional ‘con artist’. It refers to the psychological manipulation of people for the purpose of information gathering, accessing systems or conducting fraud of any kind.
Fraudsters manipulate and trick staff into trusting them with their personal data. They gain the confidence of the staff member and, through conversation, obtain personal details that could be used as variations of their passwords. Their kids’ and pets’ names, their first car, where they were born or even their mother’s maiden name can all be obtained through social engineering and used as ‘a way in’.
It is not all doom and gloom: the best defence is knowledge. Now you know about the potential risks to your company, training can be put in place to educate staff and protect your business.
I know this is not a quick win, but it is a significant step in the right direction. If it makes one person in an organisation think about whether to open an attachment or not then the awareness training has been effective.
Every office around the world does multiple fire drills every year. They will have appointed personnel that staff need to follow in the event of a real fire. Why doesn’t this exist for cyber-attacks?
Whom should your staff talk to if they think there is a breach? Would they even recognise the potential signs that there has been one?
How would your staff react to finding a USB stick in the car park or on the pavement outside your office? Or to an email from the manager of a different branch dropping into their inbox, asking them to confirm some financial information that they’ve forgotten or misplaced?
If you can’t answer these questions definitively then you need to start reviewing your staff security training and security policies right now.
I’ve been to see companies that tell me their restore time on a breach would be no longer than four hours; however, when I’ve prompted them to conduct a test, it still hasn’t been up and running even 24 hours later.
It’s all well and good thinking you know how your employees will react in a given situation but until you can test that knowledge and training it won’t truly sink in.
It’s crucial to train your staff and turn what is often considered the “weakest link” into your strongest asset, but until you test that training in a controlled environment you can’t know how they will react.