April 2016 SAFE Newsletter
Cybersecurity Training Again, Seriously!?
When the yearly announcement is made to your employees that it’s time for annual cybersecurity training, it is inevitable that the following rumblings will ensue: “Ugh, again.”, “It’s so boring, the same thing every year.”, “What a waste of time.”. So does employee cybersecurity training do any good? The answer: It could. For one, organizations need to recognize that at the center of cybersecurity training is the recognition that we are trying to change human behavior. Changing behaviors like curiosity, loyalty, and routine, is difficult and takes time. But in this technologically driven world, where human behavior is leveraged to commit cyber-attacks, organizations must take an active role in changing employee behavior in an effort to protect the security of the corporations’ information and inevitably the existence of the business.
In 2015 CompTIA conducted a social experiment on a small population of 200 people, where they left a USB stick in an airport, coffee shop, or public square in Chicago, Cleveland, or Washington, D.C. Results, revealed that one in five people who encountered one of these random USB sticks, picked it up, and inserted into their computer, in some cases their work computer. They proceeded to click links and use email addresses on the drive with complete disregard for any possible viruses, malware, or potential security leaks. The one in five people included IT industry workers, who should be more aware and vigilant when it comes to protecting their personal or organization’s information. Furthermore, a small poll of 1,200 people, conducted by CompTIA1, revealed that 45% of employees do not receive cybersecurity training. So how do organizations start to change employee behavior toward cybersecurity?
One method is to focus on dynamic training. In essence making cyber-security training part of everyday life because it affects people personally and in the work-place. Dynamic training goes far beyond required mundane annual training and addresses current cybersecurity issues, how these issues effect individuals, and what every employee can do to contribute to the protection of the organization’s network, on a regular basis. Becoming part of a newsletter distribution list, allows readers to stay abreast of current cybersecurity issues; utilizing your internal corporate website to post current cybersecurity issues in small concise tips on a daily basis; and utilizing corporate email to target all employees with a daily information security tips are methods that can be used to begin to change human behavior when it comes to cybersecurity. Additionally, making dynamic training initiatives interesting, personal, and interactive will assist in changing human behavior because it creates a connection between the cybersecurity issues faced and the effect it has on each individual. When issues become personal there is a reason to change behavior to resolve the issue. Although, human behavior towards cybersecurity will not change overnight, instituting dynamic regular training will help begin the necessary shift.
1 Cyber Secure: a Look At Employee Cybersecurity Habits in the Workplace, A study commissioned by CompTIA.
Socializing Social Engineering
Currently, the most prevalent type of cyber-security attack utilizes social engineering to obtain access rights to a private network and then exploit those access rights to rake havoc on the entire system, whether it be unleashing malware, viruses, or immobilizing the network. One element to protecting the financial institution or firm from a cyber attack initiated by social engineering is to change the human response by teaching employees how to recognize these types of attacks. End user training, knowledge, and most importantly the implementation of that knowledge while conducting job duties becomes the financial institution or firm’s best asset in thwarting a social engineering attack. This is the reason why it is imperative to train users, not just once a year, but on a continuous basis so that employees can utilize the cursory knowledge learned in annual training and provide an effective form of network defense.
Information Security personnel, outside of annual training, can implement several continuous training methods to ensure that employees stay abreast of current social engineering attacks. For one, email alerts, from a trusted source, can be utilized to inform users of new social engineering attacks being used within the financial industry. Interactive internal contests can encourage participation in learning. Additionally, the IT department can simulate social engineering attacks to gauge whether employees are implementing the lessons learned from continuous training. Teaching employees to identify social engineering attacks is a good place to start when attempting to change human response to cybersecurity attacks.
At 3:00 P.M. on Friday afternoon Meesha, the CFO’s admin, receives an email from the CFO, John Mitchell, requesting that she transfers $30,000 from one account to another. This is not the first time she has received a request like this, however, the CFO usually sends them to her first thing in the morning because there is a process that must be completed before she is able to initiate the transfer. The email reads as follows:
From: John Mitchell
Sent: Friday, April 15, 2016 3:00 PM
To: Meesha Shafi <email@example.com>
Subject: Transfer Request
It is important that you make the following transfer by EOB Friday. Transfer $30,000 from Account 854720418 to the Best Bank Account 9482206781. It will be too late Monday morning. Have a nice weekend.
What action should Meesha take?
A. Skip over the process that is currently in place and get this transfer out before EOB.
B. Call the CFO directly and confirm the transfer.
C. Wait until Monday morning.
D. Delete the email and report it as a Social Engineering attack to the IT Dept.
Continuous cybersecurity training assists in changing human behavior to be more vigilent in warding off potential cyberattacks.