On a regular basis, reports are being released showing the skill and persistence of attackers. Advanced attacks such as spear phishing, watering holes booby-trapped with custom malware and 0-day exploits, even entry via supplier links are all being reported on an almost weekly basis. And all of these attacks have one thing in common – they target individuals.
Generally, we still see that most organisations rely on traditional security controls in the form of technology such as AV, firewalls, SIEM etc to protect their critical assets. However, the increasing importance of employee security awareness is often overlooked and instead only basic awareness training is given, focussing available resources on deploying and testing traditional security controls.
People and process are frequently disregarded when it comes to improving security posture, partly because the security risk they pose to an organisation is difficult to measure and track. This a crucial issue with cyber security and has been for many years. Those organisations that take a traditional risk-based approach to security will struggle to get buy-in from senior management to address a risk that they haven’t been able to quantify, or even prove exists in many cases.
The problem is that as the perimeter security of organisations increases, attackers are looking away from penetrating hardened external infrastructure and technology to a much weaker area: employees. This is for the simple reason that an organisation that already recognises the need for technology and security solutions will, for the most part, harden their perimeter security to the point where an attacker’s easiest way in is to target the employees.
At this stage, not investing in improving the security of personnel and processes will almost entirely undermine the investment in most technology-based solutions, as an attacker will just step over them.
With so much information regarding an organisations employees available online, the most common way to exploit employees in an organisation is a phishing email that targets the user and attempts to attract them to click on a link or attachment. These can be anything from promises of deals or offers to emails that purport to be invoices or banking statements. Phishing assessments against employees have shown that as many as 60% to 90% of employees are susceptible to these attacks – effectively allowing an attacker to jump right over the traditional security controls so many organisations are still heavily investing in and relying on.
To combat this, practical employee security awareness training needs to happen frequently in addition to the traditional awareness training most organisations already use. Managed phishing assessments, for example, act as a ‘cyber fire-drill’ for employees, regularly exposing them to various realistic attacks but in a controlled environment – it isn’t unusual for clients to have 80% susceptibility the first assessment, but see a reduction to less than 10% after the second or third assessment.
Most organisations don’t see anywhere near that reduction in susceptibility from the traditional training they currently use. One of the interesting parts of these engagements is monitoring what users do when they do actually detect an attack, often the correct process to follow isn’t known. This brings in the second critical factor: process. When employees fail to report attacks to the correct business department, it results in a greater exposure than an organisation would have otherwise had.
Exposing employees to controlled attacks regularly not only teaches them how to spot them, but also hammers home the security process to follow – dramatically reducing the organisation’s exposure to attack.
Top five tips to reducing a hacker’s attack surface:
1) Do not rely solely on security technology
2)Teach employees to think before they click; not all security technology will stop these malicious emails getting through, therefore they must be vigilant
3) Get employees to recognise bogus emails and not click an un-trusted attachment or link
4) Carry out regular phishing assessments
5) Train staff in the proper process to report phishing emails and who to notify in case they clicked purposely or by error; ideally to be carried out within 15 minutes
When considering cyber security, there tends to be a greater emphasis on the latest technology or the latest programmes which are constantly evolving and updating. Amongst all the technology innovation, important areas that too often receive very little consideration are the people and processes that are actually imperative in every organisation. Disregarding these crucial elements when it comes to cyber security can prove dangerous in terms of increasing security threats, because when you take away the technology element, all that is left is to target people.
