It’s well recognized that staff negligence ranks as the top insider threat to security at most companies. But in our experience, many are failing to mitigate the commercial, reputational and regulatory risks posed by staff inadvertently exposing sensitive corporate data to fraudsters.
In fact, it’s vitally important that information security practitioners pay as much attention to the human side of combating cybercrime as to the technical. We usually tell clients that security is a process, not a product, and without considering it in this way, any technology solutions you put in place will undoubtedly be undermined by social engineering.
Here are five key lessons that organizations typically learn as they progress along their information security journey.
Engage Staff from the Outset
As with successful training in any field, the best approach is to work on engaging your audience before getting to the nitty gritty of what you want them to take on board. Rules that are thrust upon people, without due consideration to whether the rationale behind them has been explained, are more likely to seem draconian and ultimately be ignored (or purposely circumvented).
So to avoid the perception that your security protocols are a hindrance, and to pave the way for a receptive response to your technical training, it’s essential to start with a clear and engaging illustration of the real consequences of a data breach. Until the worst happens, staff often simply aren’t aware of the impact of clicking on a phishing email, for instance. In one recent case that we dealt with, it emerged that the cyberattacker had set up a forwarding rule on a member of staff’s Outlook account and had received a copy of every email over a five-month period. There are usually some shocked faces when realities like this hit home.
Once you have created the necessary levels of engagement among your users, you can turn to educating them on ways they can help to protect your data. Some of the essential techniques we advise covering are: encrypting emails, creating secure but not overly complicated passwords, how to spot a phishing attack and where to save data so that it doesn’t evade your security controls. After all, you can’t protect and secure data you don’t know you have!
Formulate Policies and Processes
As well as creating a detailed information security policy and communicating it effectively to staff, it’s imperative to formalize your processes for training and incident response.
For instance, it’s essential to have an incident reporting procedure that mirrors the culture of transparency and accountability typically found in the public sector or in other highly risk-aware industries such as aviation.
This ensures that after a potential threat has been discovered or a mistake made—such as an employee sending a sensitive email to the wrong client—IT are informed, regardless of the outcome. Security managers are then able to keep their finger on the pulse of the organization’s true ability to combat threats, so that they can continually review processes and training. Of course, the success of this initiative rests firmly on our first point: engagement. Security-conscious staff who are on your side will feel motivated to champion best-practice information security and take an active role in ‘policing’ it.
Check Policies Are Being Followed
It’s no good creating strict policies if they aren’t followed. Companies should certainly monitor how well staff understand and adhere to rules, but when it comes to enforcement, they should guard against instilling fear of reprimand because this will merely discourage the workforce from flagging up dangers and mistakes. As we’ve just discussed, it’s best to aspire to a culture of security where people can be open, share knowledge and contribute to process improvement.
Security training can be embedded into HR procedures, and reinforced by departmental and line managers in regular meetings so it becomes business as usual.
Ensure Security Testing Covers the Human Angle
Penetration testing and red-teaming are designed to test your organization’s cyber defenses, exposing both technical and human vulnerabilities. Pen testing should be conducted not just annually but after any significant change to your IT infrastructure, network or applications.
Testing of this nature will open your eyes to precisely how many of your users click on a phishing email, giving you the necessary insight to adapt or refresh security training or processes.
Red teaming in particular is gaining in popularity as the value of corporate data soars and cyber risks escalate. Based on the premise of simulating the techniques used by real-life attackers, the exercises determine whether it’s possible (or, realistically, how long it takes) for an outsider to infiltrate your network, and once they’ve gained a foothold, to explore how far they could get—for instance, whether they could gain access to full administration rights.
Unfortunately, such exercises usually confirm humans as the weakest link, compounded by technical vulnerabilities. In a recent testing exercise we worked on, the CEO himself fell victim to a phishing email and we were able to access his entire laptop, complete with sensitive work information. The absence of two-factor authentication on the company’s emails also played a contributing role in the breach.
Many of these techniques to reduce the risk of human security failings may seem basic but, in combination with technical measures, they are fundamental to improving your overall security posture.