It’s widely recognised that even armed with all the cybersecurity protection technology and expertise in the world, the human users of your network still represent a significant risk to data security.
So while you can block virtually everything from getting into – or out of – your network, it’s not a great recipe for productive or efficient working. Nor can you control 100% of your employees’ actions or responses to emails.
Total elimination of employee security risk and vulnerability will always be high on the wish list for network and security managers, but practical tools to bring this about are simply not available.
As one person at a recent event was heard (we assume with tongue in cheek) to say: “The only way to totally eliminate employee security risk is to totally eliminate employees”.
For this and many other reasons, many organisations are increasingly turning away from the ‘lock employees down’ or ‘zero trust’ mentality and instead investing in converting human assets into valuable data security assets.
A growing menace: phishing and spear phishing leading to ransomware attack
According to a recent report from security specialist Symantec, ransomware attacks against enterprises were up by 12% in 2018, accounting for 81% of all such attacks.
In turn, many of these originate as phishing emails. According to cloud security company Avanan, “1 in every 99 emails is a phishing attack, amounting to 4.8 emails per employee in a five-day work week.”
This makes for very sobering reading, and strongly suggests that organisations should be applying security resources to preventing these types of attacks from succeeding.
Helping employees become a key line in network defence
One suggestion is to transform employees from being the biggest risk to cybersecurity into a key line in network defence.
To bring this about, they need to be trained and educated on how to spot email scams and what to do quickly and decisively if they mistakenly click on a malicious link.
By way of example, consider the case of an unfortunate Scottish media company employee who was duped via a phishing email into transferring almost £200,000 to a scammer masquerading as her boss, the company’s Managing Director.
Such “fake” emails – from criminals purporting to be a company boss, a supermarket, delivery firm, bank or IT company – are increasingly common, but are not impossible to spot for an educated recipient.
And therein lies a possible way forward.
Educating employees in security awareness
A workforce that is educated about, aware of and vigilant to the risks and types of cybersecurity threats is far more valuable than one where employees believe that dealing with security is someone else’s responsibility.
Yet achieving this requires investment and time.
It may also require the services of a specialist cybersecurity consultancy to plan and implement, and it almost certainly needs monitoring and testing to make sure that results can be measured.
Most importantly it often needs a cultural shift from stakeholders at every level of the organisation from the boardroom down to the cleaners.
Without a fundamental belief or buy-in to the nature of the threat, the risk it brings and the need for a solution, success can’t be guaranteed.
Addressing the problem head on
Training employees to spot the sorts of email scams that can turn into ransomware incidents may sound straightforward. But done properly, it should be part of a broader security awareness training programme.
In addition to training on how to spot phishing attacks, key elements of a security awareness programme* might include:
- Data management
- Removable and portable media
- Social engineering
- Safe surfing
- Email scams
- Physical security
*Read more about security awareness training here.
To support this point, following phishing simulations and subsequent security awareness training, Symantec found that staff were “2-3 times more likely to report suspicious activity” than they had been 12 months before.
The starting place: phishing simulation
The best place to start with security awareness training is a phishing simulation exercise.
A key reason for this is that a barrier to success with security awareness training can be employee apathy.
It’s also common for there to be a prevalent – and misplaced – belief (sometimes also on the part of IT staff) that technical cybersecurity measures such as email filtering and web content filtering are, on their own, 100% sufficient for protecting the organisation.
How do you get buy-in to the requirement for security vigilance, as well as the need for staff to report suspicious-looking emails that could be scams? And how do you get them to do this meaningfully, regularly and consistently?
The answer can only be to prove to every individual in the business that even the most tech- or security-savvy employees can be duped into falling for a phishing scam.
The proof can be obtained only through a phishing simulation campaign which runs over a period of weeks or months, and which:
- Mimics genuine, powerful phishing email campaigns used by hackers on the dark web
- Captures data from user interaction with these phishing emails over time
- Collates and generates reports to show the results
- Highlights which users, at which times, clicked on which bogus emails
- Paints scenarios for the staff of what ‘might’ have happened had the phishing simulations been genuine scams.
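The data-capture and reporting steps in the list above are easy to describe and easy to get wrong. The following script is an added example, not Alliance Solutions’ tooling or any real platform’s export format: it assumes a constructed event log (one line per recipient event: timestamp, campaign id, user, department, event type) and turns it into the figures a phishing simulation report needs, including the per-department click and report rates, which users clicked and when, who clicked in more than one campaign, and who reported the email after clicking it (the “mistakenly clicked, then acted quickly” case). Rates are computed over unique users, so a user who clicks a link three times still counts once.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export, not real campaign data.
# Fields: timestamp, campaign id, user, department, event type.
SAMPLE_EVENTS = """\
2019-03-04T09:02:11,camp-01,alice,finance,sent
2019-03-04T09:02:11,camp-01,bob,finance,sent
2019-03-04T09:02:11,camp-01,carol,it,sent
2019-03-04T09:02:11,camp-01,dave,sales,sent
2019-03-04T09:15:40,camp-01,alice,finance,opened
2019-03-04T09:16:05,camp-01,alice,finance,clicked
2019-03-04T09:20:12,camp-01,bob,finance,reported
2019-03-04T09:31:44,camp-01,carol,it,opened
2019-03-04T09:32:01,camp-01,carol,it,clicked
2019-03-04T10:05:09,camp-01,dave,sales,opened
2019-05-13T08:45:00,camp-02,alice,finance,sent
2019-05-13T08:45:00,camp-02,bob,finance,sent
2019-05-13T08:45:00,camp-02,carol,it,sent
2019-05-13T08:45:00,camp-02,dave,sales,sent
2019-05-13T08:52:17,camp-02,alice,finance,opened
2019-05-13T08:53:02,camp-02,alice,finance,clicked
2019-05-13T08:58:30,camp-02,bob,finance,reported
2019-05-13T09:04:11,camp-02,carol,it,reported
2019-05-13T09:10:45,camp-02,dave,sales,opened
2019-05-13T09:11:20,camp-02,dave,sales,clicked
2019-05-13T09:12:00,camp-02,dave,sales,reported
"""

VALID_KINDS = {"sent", "opened", "clicked", "reported"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    campaign: str
    user: str
    department: str
    kind: str


def parse_events(text):
    """Parse the assumed CSV export into Events, oldest first; reject unknown event types."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, campaign, user, dept, kind = line.strip().split(",")
        if kind not in VALID_KINDS:
            raise ValueError(f"unknown event type {kind!r} in line: {line}")
        events.append(Event(datetime.fromisoformat(ts), campaign, user, dept, kind))
    return sorted(events, key=lambda e: e.ts)


def department_summary(events):
    """Per (campaign, department): recipients, unique clickers, unique reporters and the two rates."""
    buckets = {k: defaultdict(set) for k in ("sent", "clicked", "reported")}
    for e in events:
        if e.kind in buckets:
            buckets[e.kind][(e.campaign, e.department)].add(e.user)
    summary = {}
    for key, recipients in buckets["sent"].items():
        n, c, r = len(recipients), len(buckets["clicked"][key]), len(buckets["reported"][key])
        summary[key] = {"sent": n, "clicked": c, "reported": r,
                        "click_rate": c / n, "report_rate": r / n}
    return summary


def campaign_report_rate(events):
    """Share of recipients in each campaign who reported the email (the trend worth tracking over time)."""
    sent, reported = defaultdict(set), defaultdict(set)
    for e in events:
        if e.kind == "sent":
            sent[e.campaign].add(e.user)
        elif e.kind == "reported":
            reported[e.campaign].add(e.user)
    return {c: len(reported[c]) / len(users) for c, users in sent.items()}


def click_timeline(events):
    """Which users clicked which campaign email, and when, in time order."""
    return [(e.campaign, e.user, e.ts.isoformat()) for e in events if e.kind == "clicked"]


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: candidates for targeted training."""
    hits = defaultdict(set)
    for e in events:
        if e.kind == "clicked":
            hits[e.user].add(e.campaign)
    return {u: sorted(c) for u, c in hits.items() if len(c) >= min_campaigns}


def clicked_then_reported(events):
    """Users who reported the same campaign email after clicking it, with the delay in seconds."""
    first_click, result = {}, []
    for e in events:  # already sorted oldest first
        key = (e.campaign, e.user)
        if e.kind == "clicked" and key not in first_click:
            first_click[key] = e.ts
        elif e.kind == "reported" and key in first_click and e.ts >= first_click[key]:
            result.append((e.campaign, e.user, (e.ts - first_click[key]).total_seconds()))
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (campaign, dept), row in sorted(department_summary(evs).items()):
        print(f"{campaign} {dept:8} sent={row['sent']} clicked={row['clicked']} "
              f"reported={row['reported']} click_rate={row['click_rate']:.0%} "
              f"report_rate={row['report_rate']:.0%}")
    print("report rate by campaign:", campaign_report_rate(evs))
    print("clicks:", click_timeline(evs))
    print("repeat clickers:", repeat_clickers(evs))
    print("clicked then reported:", clicked_then_reported(evs))
```

In the constructed data the organisation-wide report rate rises from 25% in the first campaign to 75% in the second, the kind of before-and-after figure a senior manager needs; the per-user timeline and the repeat-clicker list are what the “naming and shaming” versus “league table” decision discussed later turns on, so keep them in a separate, access-controlled output from the aggregate figures.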
This phishing simulation report can then be used by senior managers to come to a view on how vulnerable the workforce is to email-borne security scams, and therefore what the risk is of the organisation falling victim to a breach such as a ransomware attack.
From there, a security awareness programme can be developed and rolled out across the workforce.
Timescales can vary from ‘emergency timetable’ where immediate, short term remedial measures are put in place, to longer term, comprehensive programmes that are sustained over an extended period.
Different organisations may take different views on ‘naming and shaming’ or creating competitive ‘league tables’ among individuals, teams or different offices and business units to see who can spot and report most scams.
The important point is to lay the foundations for this and give staff practical and effective tools for identifying and reporting scams.
Alliance Solutions offers security awareness testing and training, including a phishing simulation campaign service.
Contact us to discuss scoping and rolling out your phishing simulation campaign across your organisation either on a standalone basis or as part of a wider security awareness programme for your employees.
Contact us for more information on 0800 292 2100.