Humans are often described as the weakest link in an organization’s security posture, and ‘human error’ is frequently cited as the reason an attacker was able to breach an organization’s network. Such human error often takes the form of falling for a phishing email, where cybercriminals send large numbers of targeted malicious messages to employees, disguised as coming from a trusted source. An employee only has to click on a malicious link once, in an email that looks genuine, for a potentially catastrophic security incident to take place that could then cost millions of pounds.
While attackers continue to improve their abilities to create successful social engineering techniques to deceive their victims through methods like phishing attacks, many organizations still focus on Security Awareness Training as a tick-box exercise to teach their employees about email security. In reality, employees can be part of a solution that protects the company from cyber-attacks, rather than the source of the problem.
How should organizations be approaching Security Awareness Training (SAT)?
Security Awareness Training (SAT) on the whole is a great best practice for all organizations and can serve to increase awareness of the threats posed to businesses through channels such as email, especially with phishing attacks remaining so prevalent. Training should be an ongoing activity, yet in reality it is conducted 2-3 times a year to meet regulatory requirements. This approach to SAT is not enough to make a real impact: it doesn’t necessarily matter how often the training is conducted if it isn’t actually working to prevent successful phishing attacks.
Typically, after conducting phishing-based SAT employees will report even more suspicious emails than before, resulting in an increase in false positives for the security teams to wade through. While this places an immediate pressure on the security team, over time the learnings from the training will fade from the employees’ minds as they focus on their core job responsibilities, which is when rogue phishing emails can then slip through the net. This is why SAT in isolation is not sufficient and it needs to be woven into the day-to-day activities of the team, without it being considered a burden.
How should organizations assess and train for security awareness?
The balance between the need for training and practicality is important to consider. SAT is largely driven by regulatory requirements; it’s an obligation, viewed as a tick-box activity that will help the organization achieve the rubber stamp of approval it needs to comply with any number of security mandates. And then that is likely to be it for the next 12 months, until it is audit time again. This approach does not drive a practical attitude to security, which is often why businesses can still fall victim to security threats even when they have met all of the certifications.
Security is so much more than just having a certain suite of products on a checklist provided by a regulatory body. It is about utilizing those resources effectively and engaging every employee within the business to build up those defenses from the inside. There needs to be a change in mindset so that security is not seen as a tick-box activity but is given the strategic focus that is truly required to make a business secure.
Would a crowdsourced method be a more effective way to approach SAT?
Unfortunately, SAT has a reputation for being one of those terms that makes all employees groan out loud, as it usually means the ominous prospect of another long training session in which they’ll be dictated to as to what good and bad security looks like. This is neither engaging nor inspiring, and it places all of the onus on the employees.
To ensure SAT really has an impact, and subsequently the effectiveness of the organization’s security, businesses need to reinforce the training by empowering their employees to make decisions without the baton being automatically passed onto the overwhelmed security teams. This is why the crowd-sourced user detection approach is the way forward as it makes the employees part of the solution.
For example, it is now possible to give the employees the tools to get visibility of phishing indicators within the email payload. This approach encourages them to scan any suspicious emails they see at the push of a button via an email extension. They will then clearly see within seconds if the email is a threat or not and, if so, this intelligence can then be pushed through to the rest of the network to improve the business’ overall threat detection capabilities.
Unlike training on artificial phishing emails, this approach trains employees on a continuous basis to identify potentially risky emails, increases productivity, and reduces the risk of them seeing a report to the security team as a burden and skipping the step altogether, which could result in a potentially devastating incident. To put it simply, engage employees to do the initial analysis of suspicious messages rather than blindly forwarding them to the security operations team or IT helpdesk.
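As an added illustration (not code from the article, the author or Cyren), the following shows the kind of indicators such an extension could surface to the employee from a message’s headers and body, and what a confirmed report could share with colleagues so that later scans flag the same sender or links. It assumes example.com is the organization’s own domain; the message and the indicator names are constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# Constructed sample: look-alike sender domain, mismatched Reply-To, urgency, link mismatch.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
Reply-To: collect@mail-relay.example
Subject: URGENT: your password expires today
Content-Type: text/html; charset=utf-8

<html><body><a href="http://login.examp1e-corp.com/reset">https://intranet.example.com/reset</a></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(urgent|immediately|expires? today)\b", re.I)

def _domain(addr):
    # Domain part of an address header such as 'Name <user@host>'
    return parseaddr(addr or "")[1].rsplit("@", 1)[-1].lower()

def _host(url):
    # Hostname of an http(s) URL, or "" when the text is not a URL
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def _parse(raw):
    # Parsed message plus the (href, visible text) pairs of its HTML links
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    return msg, ANCHOR_RE.findall(body.get_content() if body else "")

def observed_hosts(raw):
    """Sender domain plus link hosts: what a confirmed report shares with colleagues."""
    msg, links = _parse(raw)
    return ({_domain(msg["From"])} | {_host(h) for h, _ in links}) - {""}

def phishing_indicators(raw, shared=frozenset()):
    """Indicators shown to the user; `shared` holds hosts colleagues already reported."""
    msg, links = _parse(raw)
    sender, found = _domain(msg["From"]), []
    if sender != ORG_DOMAIN:
        found.append("external-sender")
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != sender:
        found.append("reply-to-mismatch")
    if URGENCY_RE.search(msg["Subject"] or ""):
        found.append("urgency-language")
    if any(_host(t) and _host(t) != _host(h) for h, t in links):
        found.append("link-text-mismatch")
    if observed_hosts(raw) & set(shared):
        found.append("previously-reported")
    return found
```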
How can organizations emphasize the importance of engaging with SAT to employees, including the executives?
Again, this will come down to leading by example and, crucially, positioning SAT not as a burden that is being enforced upon them but as something that they are actively contributing to. Security is not within everyone’s job description, and therefore many won’t see it as being their responsibility. After all, isn’t that why the executive team looks to hire expert security teams and buy all the latest products on the market, so that the non-cyber security employees don’t have to deal with it? Add to this the fact that historically SAT has always positioned employees as the problem, which led organizations to inadvertently create a level of fear in employees, resulting either in a lack of engagement or in employees reporting every email they receive as a threat. It is no surprise that SAT hasn’t always resonated.
Instead, there needs to be a culture of collaboration, communication and support fostered within the organization. It is up to the business leaders to provide employees with help when they need it and to be seen to be driving a proactive approach to mitigating the risks posed by phishing emails.
Ultimately, you cannot force anyone to engage in SAT. Instead, it is about changing the mindset within the organization, across all job roles and departments, so that all employees see themselves as playing an important role in the process and in keeping the business secure.
The hackers may be increasing their skill levels in producing highly targeted phishing and Business Email Compromise (BEC) emails, but organizations are also improving in their ability to combat these threats. By leveraging SAT to adopt a crowd-sourced approach to analyzing suspicious messages, in which employees at any level can quickly establish at the press of a button whether an email is legitimate or not, different types of SAT programs don’t need to be developed for each job role. It also benefits the business by ensuring that when a phishing email is correctly identified, this information is shared across the business and the appropriate remediation measures are automatically implemented, relieving the security team of manually executing the incident response playbook. This ongoing approach to security training is proven to have greater success and is a more proactive and practical approach to keeping organizations secure from the threats posed by malicious emails.
How do organizations move forward from here?
Every organization should be aware that implementing employee training by itself will not close the gap in detection and remediation that all organizations need to limit the possibility of cyberattacks. Instead, organizations need to consider how this activity can be built into their overall security solutions and contribute to the business strategy. With cybercriminals becoming savvier in how they conduct phishing attacks – through applications like WhatsApp and SMS – organizations need to implement automated security to detect and remediate phishing, BEC and malware threats that have already infiltrated the network. Crowdsourced user detection can support continuous monitoring and detection, as well as automated response and remediation. To combat the cybercriminals who are constantly looking to infiltrate a network through phishing attacks, security strategies need to become agile, and businesses need to be able to adapt their approach according to the paths taken by the threat actors.
Lior Kohavi, Chief Strategy Officer, Cyren