Published on October 7th, 2019

Users are the target: How employees can be the strongest line of defense



One might think that stopping malware, phishing, and a whole
host of email-borne attacks was akin to stopping rain during a hurricane or
snow during a blizzard. It is ubiquitous and relentless. And despite promising
advances in technology, so much malware still gets through cyberdefenses that
the proverbial last line of defense, the end user, is often also the first line
of defense. But while no one can stop the weather, there might be some hope of
at least reducing the damage of malware.

Despite the inevitable human failing when it comes to
clicking on email-based attacks, the human defense is getting stronger. A
variety of approaches to user education and training are the key, according to
practitioners and experts.

Take, as an example, the robust measures implemented by
David W. Loewy, CISO at the State University of New York’s (SUNY) Downstate
Medical Center in Brooklyn. The fourth largest employer in the city, SUNY’s Downstate
operation combines education and a pure research facility, Loewy says. It is
the location where Viagra was conceived, as well as the first heart-lung bypass
machine. It also houses a large hospital.

Taken together, Downstate is a major target of attackers,
chock full of patient and worker personally identifiable information (PII), as
well as valuable intellectual property. “Since it is easier to steal research
than to perform it, we get hit at least 50 times a day just by the Chinese,”
says Loewy.

But Loewy does not assume the bad guys will succeed. In
fact, he has crafted a very aggressive program to inform and involve end users in
order to keep attackers at bay.

“Right now, we have about 8,500 email addresses, including
our students, so it was critically important to put together a program so
everyone understands how vulnerable we are and how to really be on guard,”
Loewy explains.  With as many as
one-third of malicious emails containing either viruses or malware, even with
the best defense software, “we can catch some, but that leaves the rest.”

Loewy says he has learned that everyone in the organization
must understand how critical their job is. Citing multiple industry studies, he
says the click rate — the frequency with which users willingly “click” on
questionable links — stands at approximately 35 percent, varying somewhat
between different studies.  Nearly as
many users, on average, not only click but provide credentials as well.  “We got one recently that claimed to be from
LinkedIn and said the credentials were needed to update a profile page,” Loewy
adds. An estimated 17 percent of individuals will fall for that particular
request, he notes.

David W. Loewy, CISO, the State University of New York’s (SUNY) Downstate Medical Center

However, thanks to Downstate’s ongoing education programs,
that rate is down to approximately seven percent, he says. And the rate of
clicking on suspicious links is also down in the single digits.

What’s the secret? 
“My program is called You are a Target; we try to emphasize what’s in it
for the individual,” he says. Monthly emails go out with updates, reminders,
and information on the latest scams — and the emphasis is not only on helping
Downstate but on keeping the individuals safe in their personal and family
emails.  At least once a year, everyone
in the organization is required to sit in front of a live presenter — often
Loewy himself — who will tell them what to look for to avoid phishing and
malware.

“When I am in front of people, I say: ‘This isn’t the last
time you’ll see me.’ We try to stay in people’s faces all the time so it
doesn’t go to the back of their brains,” Loewy adds. “We even post reminders in
the restrooms!”

Kathleen Hyde, chair, cybersecurity programs, Champlain College Online

Loewy also operates a consistent, ongoing phishing program
of his own. “We phish everyone,” he says. Those who take the bait get
identified — except for union members who just get directed to an anonymous
online training exercise.  But others,
the non-union staff, can face reminders or worse if they become repeat
offenders.

At Travelers, the New York City-based insurance giant, there
is a similar focus on training, according to Kirstin Simonson, the company’s
global technology cyber lead based in the Minneapolis area. “The more employees
understand the risks, how to avoid them, and what to do if something happens
that may put the company at risk, the better prepared the employer will be to
manage and respond to an incident,” she says.

Human behavior continues to play a role in data breaches and
network events, she notes.  Yet, too few
organizations take the situation seriously. “We’re seeing that many businesses
are not training their employees on this,” Simonson says. In fact, in the most
recent Travelers Risk Index, only 54 percent of the more than 1,200 companies
surveyed said they had staff training or testing on computer and data security
and only about half of respondents had written IT/security policies and
procedures in place, Simonson adds.

Understanding that human element is a good place to start.
Jason I. Hong, a professor at the Carnegie Mellon School of Computer Science and
head of the Human-Computer Interaction Institute, says, “We have done a lot of
behavioral studies on end users; when we started in 2005 there was a question
as to whether training could work at all.”

In fact, he says, it was a mixed verdict. Training can help
but phishing and malware authors are getting cleverer every year. That is why
human gullibility still figures prominently in the Verizon Data Breach report
and similar studies from Microsoft.

“And, that is why the human element is still really
important,” he says.

Recognizing that fact, Kayne McGladrey, director of security
and information technology at Pensar Development, an engineering consultancy in
Seattle, says continuously phishing end users is the best way to help them
identify phishing and other potentially malicious content. “This continuous
exposure [to phishing] should take a variety of forms, from email-based
phishing to direct messages on social media.”

Educational programs

McGladrey says short, actionable, culturally relevant
education initiatives on a regular schedule are recommended because “users
don’t want to sleep through the mandatory ‘October is cybersecurity month,’
two-hour, PowerPoint presentations.”

Training modules should be short — five minutes or less —
and sent out regularly. If possible, they should be tailored to an individual’s
role in the organization, so that the finance department is receiving training
about business email compromise (BEC) and identity validation procedures rather
than the latest zero-day exploits, he says.

Finally, he says, the training should be appropriate for the
organizational culture; the training that works for a Fortune 500 company looks
very different from that for a 10-person services firm.

Brian Gill, chairman, Gillware Data Recovery

Additionally, user security awareness training should not
start with “How to spot phishing emails;” it should start “with educating users
on why security awareness matters,” and explaining who the potential attackers
are, according to Roselle Safran, president of Rosint Labs, a cybersecurity
consultancy and the cybersecurity operations branch chief in the Obama White
House.

“There are two words that come to mind when I consider what
works best: consistency and relevance,” says Kathleen Hyde, chair of
cybersecurity programs at Champlain College Online. Consistency, she explains,
refers to organizations actively engaging in ongoing education, training, and
testing programs for employees. Consistency also means end users developing and
utilizing so-called best practices not just when they are being monitored, but
each time they use a device that is connected to the Internet.

The second word — relevance — “has to do primarily with end
users,” Hyde says. “If they can see the impact their actions will have on them
personally and professionally,” there is a greater likelihood they will slow
down and take the time to read through an email to determine whether it is part
of a phishing campaign or an attachment that could contain malware, she
explains. In other words, education means using real-world examples to
demonstrate how simple missteps can result in consequences that range from the
need to change a password to financial ruin.

Of course, the approach must vary by industry and company
size, but the biggest variable is available resources. “If an organization
views education to prevent the potential losses associated with phishing and
malware as an investment, resources will be allocated, regardless of an
organization’s size or industry,” she says.

On the other hand, if an organization has not experienced a
loss, or perhaps does not realize that it has experienced a loss, had an event
that disrupted operations, or is not required to take action to maintain
regulatory compliance, the resources needed to fund and support security
efforts probably will not be made available.

“In my experience, larger organizations are more likely to
make this investment,” says Hyde. Smaller organizations, while cognizant of the
need for education and the ramifications of not educating employees, often want
to provide training and even perform testing, “but don’t know where to start.”  Further, the resources might only be available
for a training or a campaign, but not an ongoing effort.

Testing and validation are important, she notes, but it is
wise to start with data. “Testing employees prior to providing training is best
because then an organization will have a starting point or baseline,” she says.
Further testing should follow training.

Periodic phishing campaigns, like those conducted at
Downstate, can help identify gaps, “especially when new threats become known or
new employees are hired,” Hyde adds. Like education, testing and validation
must be ongoing and not just take place when an organization needs to check a
box because there is going to be an audit.

Simonson concurs on the importance of testing. Measuring the
effectiveness of training and sharing results of these exercises with employees
is also important. “Share the pass rate and some key concepts post-exercise,”
she urges. And, as unpopular as the topic might be, Hyde says, when education
fails, “risk management may mean reduction in the workforce.”

Technological tools

Technological assistance is another area in cybersecurity
where organizations need to look through the proverbial fog. There are more
phishing simulators, training technologies, and marketing hype about
automation, optimization, and artificial intelligence than ever before,
McGladrey says. He believes the best way to choose a tool is to create a focus
group within the organization, including cultural leaders and technical
experts.

“They should work to select two or three vendors and review
the training and phishing options available and determine how well those would
be received by the larger organization,” McGladrey adds. And, he notes,
internal phishing campaigns should be coupled with an automated way for users
to report phishing to a security analyst or security operations center.

Additionally, Hyde recommends some common-sense ideas for
reducing risk. For example, aside from the obvious, such as filtering all
incoming email, Hyde advises using monitoring to discourage the use of corporate
email resources for personal use at work. “Suggest employees use online email
services, like Gmail, for their personal accounts so that those emails are
automatically filtered and the risk of infection from malware is reduced,” she
says.

Lastly, adds Simonson, do not forget to think about the
vendors and service organizations that come onto the property. Are they being
vetted or trained to ensure they understand how to aid in managing the network
and information security assets of the company?

According to the Travelers Risk Index, only 37 percent of
businesses surveyed said that they have conducted a cyber assessment for
vendors who have access to the company’s data. “It’s an important
consideration,” Simonson says.

And, if you really want to get employees “on board,” Brian
Gill, chairman of Gillware Data Recovery, suggests taking things up a notch.
One of the best ways to capture employees’ attention is by incentivizing
training and practice, he says. There are three incentives that motivate most employees
— money, time off work, and free food. “With a combination of all three, you
can create a captivating training experience,” he says.

For example, he says, you could try hosting a half-day event
with catered food, where employees get the other half of the day off as an
incentive for being in attendance. Beyond the actual training experience, you
can continue rewarding employees for implementing what they learned. “An
example of this could be employees who change their password every 90 days
without you having to ask them will receive a gift card or a free lunch,” he
adds. And yes, that kind of free lunch might just get people’s attention.

There is speculation regarding the potential to “automate
people out of the process,” Hong says. “That is actually a good strategy if you
can do it reliably; if you are certain that something is a scam, you should
block it.” However, that is only a part of the picture. Big Fortune-type
companies that can afford the most advanced security still have breaches and
they are still struggling. “Then there is the long tail of thousands of SMBs
and mom-and-pop companies that can’t afford that kind of security; they will
have even more of a struggle,” he says.

Thus, with no clear malware cure-all on the near horizon or
even years out, training must remain a key area for investment, he adds.
