People still fall for phishing scams, open up attachments on spam messages, and visit websites claiming to have exclusive video footage of the latest scandal du jour. The average person’s ability to stay safe online hasn’t really changed.
We are bombarded almost daily with news of the latest data breaches. Many of us have had our credit cards replaced, not just once, but maybe even twice or three times, because of breaches at our favorite retailers and brands. The average Internet user is much more aware of how criminals are stealing identities and personal information, but that hasn’t really translated into more savvy users. We have to change how we communicate with our users and executives if we want to improve our overall security posture.
Every organization wants aware users who won’t fall for scams and tricks. Attackers send out dozens, hundreds, or even thousands of lures, because all they need is one victim. One victim who thinks that bank notification in the email is legitimate and opens up the attachment, and the attackers have the keys to waltz in. But it’s not reasonable to expect we can get to the point where every user will be able to detect and avoid every potential attack.
Sure, you can have the rule that you don’t open Word attachments from people outside the company, or from people you don’t know. That’s going to make the recruiting team’s job harder, since by definition, prospective employees tend to be unknown, and they may send resumes and other supporting materials. So instead of blanket rules, we need to be thinking of ways to increase everyone’s skepticism level, but also to deploy technology that supports the users.
To continue the recruiting example, if the company decides that all job applicants should cut and paste the text of their resume into the body of the email, that would reduce the risk of malicious attachments arriving through that vector. Or better yet, partner with a portal site where applicants upload all their files. With that technology in place, a security-aware recruiter would know that an email with a resume attached may not be legitimate (or is just a very careless applicant!) and take appropriate action, such as reporting the email to IT before opening it, or just trashing it to be on the safe side (and reporting it to IT anyway).
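One way the "technology that supports the users" half of this can look in practice is a simple triage rule on the recruiting mailbox: mail with no attachment (the applicant pasted the text, or used the portal) is delivered normally, an Office document from an outside sender is flagged so the recruiter knows to verify it through the portal or report it, and a macro-enabled Office file from an outside sender is held. The following is an added example, not code from the original post; it assumes example.com is the company's own mail domain and uses constructed messages so it runs offline.

```python
"""Inbound-mail triage for a recruiting mailbox (added example, not from the post).

Assumptions: the company's own mail domain is example.com; anything else is
external. Messages are constructed inline with the standard library so this
runs offline. Decisions are illustrative, not a complete mail-security policy.
"""
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

INTERNAL_DOMAINS = {"example.com"}  # assumption: our own mail domain(s)
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
OFFICE_EXTENSIONS = MACRO_EXTENSIONS | {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf",
}


def sender_domain(msg: EmailMessage) -> str:
    """Return the lower-cased domain of the From: address ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def attachment_names(msg: EmailMessage) -> list:
    """File names of every attachment part in the message."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def triage(msg: EmailMessage) -> dict:
    """Decide how to handle one inbound message for the recruiting mailbox.

    deliver          - internal sender, or no attachment (text pasted / portal used)
    flag_for_review  - external sender with an Office document: recruiter should
                       verify via the portal or report it to IT before opening
    quarantine       - external sender with a macro-enabled Office file
    """
    domain = sender_domain(msg)
    names = attachment_names(msg)
    extensions = {PurePosixPath(name.lower()).suffix for name in names}

    if domain in INTERNAL_DOMAINS:
        return {"decision": "deliver", "reason": "internal sender"}
    if not names:
        return {"decision": "deliver",
                "reason": "no attachments (resume pasted or portal used)"}
    if extensions & MACRO_EXTENSIONS:
        return {"decision": "quarantine",
                "reason": "macro-enabled Office file from external sender"}
    if extensions & OFFICE_EXTENSIONS:
        return {"decision": "flag_for_review",
                "reason": "Office document from external sender; "
                          "ask the applicant to use the portal or report to IT"}
    return {"decision": "deliver",
            "reason": "external sender, non-Office attachment"}


def make_message(from_addr: str, subject: str, body: str, attachments=()) -> EmailMessage:
    """Build a constructed sample message; attachments are (name, bytes, maintype, subtype)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_addr
    msg["To"] = "recruiting@example.com"  # assumed recruiting mailbox
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


# Constructed samples: applicants at a reserved example domain, one internal forward.
DOCX_TYPE = ("application", "vnd.openxmlformats-officedocument.wordprocessingml.document")
DOCM_TYPE = ("application", "vnd.ms-word.document.macroEnabled.12")
SAMPLES = {
    "pasted_text": make_message("applicant@example.net", "Application",
                                "Resume text pasted here..."),
    "external_docx": make_message("applicant@example.net", "Application", "See attached",
                                  [("resume.docx", b"PK\x03\x04", *DOCX_TYPE)]),
    "external_docm": make_message("applicant@example.net", "Application", "See attached",
                                  [("resume.docm", b"PK\x03\x04", *DOCM_TYPE)]),
    "internal_forward": make_message("hr@example.com", "Fwd: Application", "Forwarding",
                                     [("resume.docx", b"PK\x03\x04", *DOCX_TYPE)]),
}


def run_samples() -> dict:
    """Triage every constructed sample and return name -> decision."""
    return {name: triage(msg)["decision"] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:18s} -> {decision}")
```

The point of the flag rather than an outright block is the one the post makes: the recruiter is still the one deciding, but the mailbox has already told them this message does not fit the expected process, so a "report to IT first" decision is easy and unembarrassing.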
Most organizations have some form of security awareness training for their employees, but they still rely too much on the once-a-year model. Security awareness training is commonly conducted as part of the new hire orientation, or offered as a mandatory multi-hour training session once a year. Users don’t really enjoy these sessions, grasp the material, or internalize the lessons. There are definite drawbacks to this approach.
Change The Culture
Security needs to be part of the culture, just like the way the team goes out to celebrate a win, or monthly breakfasts and lunches where people get to spend time together away from their desks. Security needs to be a way of life. Don’t just deploy some software, conduct a training session, and consider yourself done.
Put up signs in the office reminding people not to provide passwords in random forms, promote good password hygiene, and have frequent training sessions so that users know how to look for clues in phishing and spam emails.
If there is an attack IT is aware of, or someone reported, use official channels to inform everyone else in the organization—hey, that email with an article about a conference that just happened? Turns out it is spam, so don’t open it. That email claiming to be from the CFO? It’s not.
But there should be no victim-blaming. We aren’t trying to train our users to be perfect—that’s not realistic. Create a culture where, as soon as a user realizes, oops, I screwed up, they won’t be too embarrassed to report the incident to IT. The sooner you know there’s a problem, the sooner you can take action. Users are the front line of defense, but just like in every military campaign, you assume the front line will break, or the attackers will flank and attack from the rear, so you need layers of defenses to ensure malware and other attacks are still detected and blocked. Don’t rely on the users to stop all attacks—they aren’t security professionals.
Don’t get so bogged down with the exotic malware and threats that make the headlines. Communicate what the current or emerging threats look like so users are prepared to recognize and avoid them. If you communicate consistently, you will significantly improve your overall security.