When leaving the office just before going on holiday, the last thing that many of us do is to write our out of office message. In a rush of excitement, many of us will write something like,
“Hello! CEO Joe Bloggs here! I’m on holiday in Florida swimming with dolphins and taking my 5 kids to Disneyland from the 15th until the 25th of July! If your message can’t wait, please get in touch with Head of Accounts Payable, Jane Smith, on 0800-PHISH-ME”.
>See also: Ransomware top of the class for phishing attacks
Whilst this seems normal, and paints Joe in an endearing light to potential customers and the like, he is giving out a lot of information that could help a hacker phish his organisation. With a little social engineering, they could use this information to prey on Joe’s company by phone or by email. Picture the scene – Jane Smith receives the following email:
“Hi Jane, this is James Doe from the accounts receivables department at Acme Inc. I just got off of the phone with Joe Bloggs and he asked me to get in touch with you about a wire transfer that needs to happen today to avoid interest charges. John said he’s too busy taking care of his 5 kids at Disneyland to do it himself and wants me to work with you instead since he won’t be back in the office until 25th July.”
As you can see, Joe’s out of office email provided all the info that the cyber criminal needed to prey on Jane.
It is in cyber security technology vendors interest to promote that tech is the answer to all your problems when it comes to security… but that’s really not true. The prominent point of view amongst tech vendors and security teams alike is that users are “unteachable” and this really needs to change.
>See also: How HMRC’s use of DMARC Helped it stop 300,000 phishing emails
Cyber criminals are spending a lot of time and resources trying to get to your users because they know that they are the chink in the chain, so it’s our duty as security professionals to face up to this challenge and include our employees within our cyber-defence strategies.
Here are “three R’s” in educating end-users: Reminding, rewarding and reinforcing…
Remind your users
Even people who know things forget them, or let them slip in priority or importance. However, when it comes to protecting the organisation against malware by spotting phishing emails, users really shouldn’t have the luxury of being allowed to forget.
Forrester Research, in a report from the end of last year, said that the best way to defend against phishing attacks of all shapes and sizes was to: “leverage[e] all available anti-spam, anti-phishing, and web control tools on your network, and by educating, motivating, and empowering users to act as a ‘human firewall.’”
Communicate cyber security best practices, and remind them about these on a regular basis. You can use current events to justify “special edition” outreach (such as the WannaCry attack).
>See also: 7 cyber security threats to SMEs and how to secure against them
Reward your users
When you reach out to your end users, give them the opportunity to gain rewards – this can be as simple as recognition for their efforts, or an actual prize (these don’t have to be massive, think gift vouchers or chocolates). Use brief quizzes, deadlines for completing cyber security tests, responses to surveys, submission of suspicious emails, or all of the above to engage and solicit input and feedback.
Reinforce your users
Some people are going to take longer to “get it” than others and thus are acting as a weaker link in your cyber security defences. These people should NOT receive reprimands – they should receive additional training and support. Ultimately, the way people are used to working is risky, so you need to put in a lot of effort to actively change behaviours. To be most effective, cyber security training must be frequent, easily consumed, and pervasive across the entire organisation. This may mean starting with your IT and cybersecurity professionals themselves in many cases.
>See also: Seasonal spam: the unwanted email gift that gives and takes
Of course, user education isn’t a one stop shop for cyber security education, as human error means that even the most clued up end-user could still click on a link or open an attachment in a phishing email if they were rushing on the way to a meeting or tired after a long day. That’s why end-user training should fit within a layered approach to cyber-security.
Effectively fighting and rapidly remediating against malware attacks means gaining granular, flexible control over your end users’ applications, devices and admin rights. Patching and updating your endpoints and servers quickly and consistently is also critical in preventing cyber-criminals from exploiting vulnerabilities within the system.
Sourced by Duncan McAlynn, principal security engineer and Evangelist at Ivanti
The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate