Research and general public opinion about why security campaigns fail tend to put the problem down to a lack of organisational buy-in: the company strategy is wrong, the executives are not bought into it, business and security goals are not aligned, or the policies have not been effective.
These reasons make logical sense but don’t really capture the ‘human’ element. Security awareness campaigns fail because they do not connect with your employees. Simply put, no one thinks they will be that stupid. There is a false confidence that these types of attacks happen to other organisations or other people, and the people who do fall foul of social engineering attacks must be idiots. Mustn’t they?
Society often portrays the victim of these types of crime as incompetent. My experience is that these people are teased by colleagues who, underneath it all, are just pleased it didn't happen to them. The truth is that mistakes do happen and occasionally people don't stop and think, but no one is immune to the kind of sophisticated attacks that are unfortunately becoming ever more common.
Your staff are well-trained and keen to be of service – this is inherent in the way that we, as businesses, want our staff to behave. To anticipate the customer’s needs before they even know they have them is an important skill that all customer-facing staff develop over years of service. Most large organisations survive not only on the strength of their products but also on the services they provide along with them. To question a customer is almost unheard of; after all the customer is always right, right? Good customer service is a high value commodity to your organisation but it can also be a foot-hold for a malicious attacker.
Security awareness campaigns based around endless PowerPoint slides or posters in the bathrooms and kitchen of your office are passive advertising. They are boring ideas that do little to capture the interest of your employees. The all-too-common attempts at applying humour to the scenario only succeed in downplaying the seriousness of what this kind of breach can really do to an organisation. The outright disruption it can cause and the amount of money that can be lost can be catastrophic, and that is before considering the psychological and cultural effect it can have on your business. After all, if an email is spoofed to look as though it has come from an internal account, internal communication is suddenly no longer trusted. The culture you have worked so hard to create is eroded: as when a house has been burgled, the inhabitants feel violated and trust is broken.
The best way to avoid this kind of disruption is to stop the attack succeeding in the first place. After all, we already know that security awareness campaigns are at best a sticky plaster and at worst a means of dumbing down the individuals or of using humour to demean the victims of such attacks.
If you downloaded this article, did you check first to see what type of file it was that you were downloading? Is this something you always do? If you are in the security industry, I hope the answer is yes, of course! Now, how many of your co-workers, friends and family do you think check? Would they even know what the letters after the dot mean?
In order for Security Awareness to work, two key things need to happen:
There are several key areas which need to be addressed under the umbrella of "Security Awareness Training". Some, like clear desk and data handling policies, should be part of internal processes. Others, such as awareness of phishing attacks, are harder to educate people on, because when they are reading through their emails they are not thinking about the training they have been on. Timing is the issue in this instance. It is vital to incorporate security into your business's working practices so that it becomes part of business as usual.
Campaigns, like projects, by definition come to an end. Security Awareness should be integrated into the business so that it becomes part of business as usual rather than something that is registered and then forgotten about. The best way to educate people is to get them to think. The world of advertising has multimillion pound budgets and even then how many really stick with you? Businesses simply cannot afford the luxury of marketing the idea of phishing attacks: most do not have the budget for it, and the chances of it succeeding even in the short term are not very high.
It is widely known within the security industry that the human element is more often than not one of the weakest links. The mentality of upgrading to the latest version or applying a patch is a common and logical way to view problems – and the IT community is full of very logical and intelligent people. The human element or the softer side of IT security, however, can remain a bit of a mystery.
In order for security to be a consideration, it needs to become part of the social norm within your organisation. There needs to be a culture that does not try to blame the individuals who make mistakes, but instead questions how the mistake happened and looks to provide controls and mechanisms to avoid a re-occurrence.
Understanding where your organisation is susceptible to these types of attack is the first step. If your business records incidents, then this is a good place to start. In learning from the past, you can begin to shape the future. If, for example, the majority of incidents involve malware installed on your users' machines, then a review of your anti-virus software or your standard build would be advised. It is also worth reviewing how these incidents occurred. Were they through emails sent to an employee who unwittingly downloaded a payload?
In the same way that you test your business’s internal response to business continuity, so you should look to test your employees’ reactions to phishing-style attacks. Phishing is an area where many businesses are susceptible to an attack, so controlled phishing attacks can be a great tool. They can not only highlight potential incidents (broken down by department or location) to the board, but they can also inform the individuals that clicked on the forged link that they were duped, creating greater sensitivity and security awareness around suspicious emails.
There are a number of approaches that, when combined, can dramatically cut your employees’ susceptibility to phishing attacks:
Individuals who fall foul of social engineering attacks should not be considered as the exception or in any way unique; they were most likely just unlucky. For security awareness to be successful, it needs to be ingrained into the culture of your organisation. Without the appropriate context, the security messages from posters or presentations are lost. A blame-free culture should be fostered so that your employees can alert you if they feel that a mistake has been made. You can learn from your own mistakes – incidents can and should be recorded – and these can then provide you with an insight into the types of security issues facing your organisation.
Education and awareness of security, successfully adopted throughout your organisation, can have a measurably positive impact. From a return on investment perspective, controlled phishing attacks can see the proportion of employees susceptible to these attacks decrease by 25% or more per assessment. Most organisations should see an overall reduction in susceptibility of at least 90% after a year of quarterly controlled phishing assessments.
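The controlled phishing assessments described above only earn their place at the board if the results are measured consistently: click rate and report rate per department or location per round, the relative drop from one round to the next, and the people who click in more than one round. The following Python script is an added example (not code from the original article or from any phishing-simulation product); it works over a constructed CSV export whose column layout is an assumption, and includes a `compounded_reduction` helper so the per-round and yearly figures quoted above can be compared.

```python
"""Aggregate controlled-phishing assessment results by department or
location and round, and compute the per-round reduction in susceptibility.

The CSV layout below is an assumption: one row per recipient per round,
with 'clicked' = 1 if they followed the forged link and 'reported' = 1 if
they flagged the email to the security team."""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real campaign data).
SAMPLE_RESULTS = """\
round,department,location,recipient,clicked,reported
2024-Q1,Finance,London,f01,1,0
2024-Q1,Finance,London,f02,1,0
2024-Q1,Finance,London,f03,0,1
2024-Q1,Finance,London,f04,0,0
2024-Q1,Sales,Manchester,s01,1,0
2024-Q1,Sales,Manchester,s02,1,0
2024-Q1,Sales,Manchester,s03,1,0
2024-Q1,Sales,Manchester,s04,0,0
2024-Q1,Sales,Manchester,s05,0,0
2024-Q2,Finance,London,f01,0,1
2024-Q2,Finance,London,f02,1,0
2024-Q2,Finance,London,f03,0,1
2024-Q2,Finance,London,f04,0,0
2024-Q2,Sales,Manchester,s01,1,0
2024-Q2,Sales,Manchester,s02,0,1
2024-Q2,Sales,Manchester,s03,0,0
2024-Q2,Sales,Manchester,s04,0,0
2024-Q2,Sales,Manchester,s05,0,0
"""


def load_results(text):
    """Parse the export and coerce the flag columns to integers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["clicked"] = int(r["clicked"])
        r["reported"] = int(r["reported"])
    return rows


def susceptibility(rows, group_by="department"):
    """Return {round: {group: (sent, clicked, reported, click_rate)}}.

    group_by may be any column, e.g. 'department' or 'location'."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for r in rows:
        c = counts[r["round"]][r[group_by]]
        c[0] += 1
        c[1] += r["clicked"]
        c[2] += r["reported"]
    return {
        rnd: {g: (s, k, p, k / s) for g, (s, k, p) in groups.items()}
        for rnd, groups in counts.items()
    }


def overall_click_rate(rows, rnd):
    """Fraction of recipients in one round who clicked."""
    in_round = [r for r in rows if r["round"] == rnd]
    return sum(r["clicked"] for r in in_round) / len(in_round) if in_round else 0.0


def reduction_between(rows, earlier, later):
    """Relative drop in click rate between two rounds (0.25 means 25%)."""
    before = overall_click_rate(rows, earlier)
    after = overall_click_rate(rows, later)
    return 0.0 if before == 0 else (before - after) / before


def compounded_reduction(per_round, rounds):
    """Cumulative reduction if every round cuts susceptibility by the same
    fraction, e.g. four rounds at 25% each: 1 - 0.75**4."""
    return 1.0 - (1.0 - per_round) ** rounds


def repeat_clickers(rows):
    """Recipients who clicked in more than one round: the people who need an
    in-context follow-up rather than another poster."""
    per = defaultdict(int)
    for r in rows:
        per[r["recipient"]] += r["clicked"]
    return sorted(name for name, clicks in per.items() if clicks > 1)


if __name__ == "__main__":
    rows = load_results(SAMPLE_RESULTS)
    for rnd, groups in sorted(susceptibility(rows).items()):
        for dept, (sent, clicked, reported, rate) in sorted(groups.items()):
            print(f"{rnd} {dept:8} sent={sent} clicked={clicked} "
                  f"reported={reported} click_rate={rate:.0%}")
    print("Q1->Q2 reduction:", f"{reduction_between(rows, '2024-Q1', '2024-Q2'):.0%}")
    print("repeat clickers:", repeat_clickers(rows))
    print("four rounds at 25% each:", f"{compounded_reduction(0.25, 4):.0%}")
```

Report the click rate and the report rate side by side: a department whose report rate climbs while its click rate falls is the blame-free culture the article argues for, and the repeat-clicker list tells you where the generic message is not landing. Note also that a flat 25% reduction per round compounds to roughly 68% over four quarterly rounds, so reaching the 90% yearly figure quoted above requires the later rounds to cut susceptibility by more than 25%.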