Speak to any security professional and they’ll most likely agree with you that awareness is an integral and essential part of your overall security framework and strategy. Awareness is a key component when considering what harbours the highest element of risk to an organisation and its management team. The real question here is how you define and measure awareness, whilst ensuring its overall effectiveness?
How effective is the training?
Viewing is one thing, but understanding is another. Raising awareness only works if it is aligned with and understood by the intended audience. Instead of focusing purely on the dangers to the organisation that employs the users, those in security functions should consider adopting an alternative approach – one that engages the user and makes them want to read the content. Setting questions at the end of the material does not prove that your users will walk away with a complete understanding of real world information security threats such as ransomware, malware, phishing, smishing and vishing, and the risks they pose – it just means that they may have paid attention for the duration of the training, and afterwards will disregard it completely. Sorry if I’ve poured water on the bonfire here, but this is reality.
Here’s a comparison – the financial industry requires employees to take regular compliance training, typically with a list of questions at the end of the session. If your users work in compliance, then they are fully aware of the risks, understand the criteria, and will apply them and ensure their effectiveness at all times. Those outside the compliance field will not remember what they have learned, as they do not require this information on a daily basis – and more to the point, do they really care?
The same fundamental basis applies to security awareness training. This is where exercises such as these can easily become a double-edged sword – you can satisfy the criteria by making the training a mandatory requirement and a contractual obligation on the employee, but you really need to question its effectiveness in relation to whether your organisation’s exposure to risk has been lowered by enforcing this.
How can you increase effectiveness?
Scams are becoming increasingly complex in their design, structure, and delivery. They won’t all look like this one courtesy of Habitu8, who have gone the extra mile in creating amusing security videos to break the “normal” mantra.
The important points to remember here are that most users these days have social media and LinkedIn accounts, and spend a significant amount of time sharing information. Organisations often make it part of their IT policy that no information relating to the employer is to be given out on social media without prior consent – and even then, this information should only be presented via official channels such as a Twitter account in the organisation’s name that is closely monitored. However, seeing as employees of an organisation have LinkedIn accounts they use for business purposes, it is not too difficult for a cyber criminal to link such an account with the same persona on other social media (for example, Twitter, Facebook, etc.).
Using simple information gathering techniques, criminals can gain an extensive amount of intelligence about a potential target, and what isn’t available on LinkedIn is usually available on Facebook. By this, I am referring to Personally Identifiable Information, such as date of birth, and mother’s maiden name.
Awareness training should be tailored to the individual or group that you are looking to target. Taking a set of base templates with a “one size fits all” coverage is an insufficient approach that only addresses the blatantly obvious. CEO whaling is a realistic threat to any organisation at senior management level, and without the required awareness campaigns executed on a sufficiently frequent basis, your organisation continues to be exposed to unprecedented risk. Within a very short space of time, corporate whaling has risen dramatically, and you need to be mindful of the fact that cyber criminals often have the names and details of senior executives within your organisation, and know who they should target – most of this information is in fact in the public domain.
Getting hold of this information from an attacker’s perspective is not difficult at all. If I were to do this, the first thing I would go for is the directors’ biography page, which can be found on the corporate website in most cases. I would then perform a cursory search on LinkedIn to see what other information was up for grabs. The great (ok, not so great...) thing about LinkedIn is its ability to provide a list of other profiles people have looked at, and this often provides further insight into other employees in the organisation and what their roles are – essentially providing the ability to link two individuals together and impersonate one of them to make the campaign all the more realistic.
Using this information, a cyber criminal can take months to research an organisation, then create a campaign that is highly likely to succeed given the amount of intelligence available. Such campaigns often spawn carefully crafted fake emails from senior executives to other financial staff requesting an emergency payment to be made to a third party. The fake email typically attempts to throw the recipient off the scent by informing them that the sender is in a meeting, and cannot be disturbed. As the email appears to originate from a senior executive, the transaction request is unlikely to be called into question, and could well proceed given the right circumstances.
Survey your users to assess awareness
If you asked your users to take part in an anonymous survey requesting them to verify the authenticity of a sample phishing email, you’d probably be surprised at the sheer volume of people who would consider it legitimate and, even worse, would carry out the instruction, enter data into a fake portal, or click a link taking them to a malicious website where further interaction carries a very high probability of a malware infection. To raise awareness effectively, you have to gain an understanding of your users’ habits. I’m not talking about whether they eat biscuits in bed here, but I am referring to their digital footprints.
There isn’t a psychological element to this, but understanding behavioural patterns is a key driver in deciding which type of training your particular audience may require. What is obvious to one user is not to another – an example of this could be a deal from a well known brand with an “amazing offer” that is simply too good an opportunity to pass on. Some users may exercise caution and question its authenticity – even to the point of checking if it really exists using a variety of tests, whilst others may not be able to resist the allure this offer presents, and proceed with clicking the link.
- Ensure that your awareness campaigns are a continuous cycle. Performing them once a year to satisfy audit or regulatory requirements is not enough. A tick in the box is not going to reduce your exposure to risk.
- Instead of relying on a “one size fits all” awareness campaign, craft your own training in the form of fake emails (obviously, without the malicious content). Should your users click the link, direct them to an information page detailing what could have happened if this was a real attempt, record the statistics, and then engage with those users with a view to further training.
- Craft awareness campaigns based on real world events. Campaigns crafted in this manner can easily have users clicking links, and create a perfect platform for awareness training. A great example would be the recent Marriott / SPG breach that affected 500m users – there’s a very high chance that some of your users have an account…
- Using gap analysis, identify weaknesses within your user base, and take active measures to ensure that the right level of training is given to those who truly need it. Simply issuing an email after a campaign detailing how many users clicked a particular link does nothing for remediation. Without addressing the deficit, you do not stand to gain anything, and neither do the people you are effectively targeting.
- Provide regular updates to users relating to the latest scams, threats, and real situations where other organisations have been caught out. Real situations carry much more weight and influence, as the threat then becomes very real.
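As an added example (not part of the original post or any particular product), the gap analysis the list above describes can be done over the click, data-entry and report statistics recorded from your own simulated campaigns. The campaign labels, department names and per-user outcomes below are constructed; the thresholds `max_click` and `min_report` are assumed values you would set for your own organisation.

```python
# Added example: gap analysis over simulated-phishing campaign results.
# All data below is constructed; nothing here comes from a real campaign.
from collections import defaultdict

# Constructed results: (campaign, department, clicked, submitted_data, reported)
RESULTS = [
    ("2018-Q4", "finance", True, True, False),
    ("2018-Q4", "finance", True, False, False),
    ("2018-Q4", "finance", False, False, True),
    ("2018-Q4", "finance", False, False, False),
    ("2018-Q4", "engineering", False, False, True),
    ("2018-Q4", "engineering", True, False, False),
    ("2018-Q4", "engineering", False, False, True),
    ("2018-Q4", "engineering", False, False, False),
    ("2019-Q1", "finance", True, False, False),
    ("2019-Q1", "finance", False, False, True),
    ("2019-Q1", "finance", False, False, True),
    ("2019-Q1", "finance", False, False, False),
    ("2019-Q1", "engineering", False, False, True),
    ("2019-Q1", "engineering", False, False, True),
    ("2019-Q1", "engineering", False, False, False),
    ("2019-Q1", "engineering", False, False, True),
]

def group_rates(results):
    """Per (campaign, department): click, submit and report rates as fractions."""
    counts = defaultdict(lambda: {"n": 0, "click": 0, "submit": 0, "report": 0})
    for campaign, dept, clicked, submitted, reported in results:
        c = counts[(campaign, dept)]
        c["n"] += 1
        c["click"] += clicked      # bools add as 0/1
        c["submit"] += submitted
        c["report"] += reported
    return {k: {m: v[m] / v["n"] for m in ("click", "submit", "report")}
            for k, v in counts.items()}

def training_gaps(results, campaign, max_click=0.25, min_report=0.5):
    """Departments in `campaign` whose click rate is too high or report rate too low."""
    rates = group_rates(results)
    return sorted(dept for (camp, dept), r in rates.items()
                  if camp == campaign and (r["click"] > max_click or r["report"] < min_report))

def trend(results, dept, before, after):
    """Change in a department's click rate between two rounds; negative means it improved."""
    rates = group_rates(results)
    return rates[(after, dept)]["click"] - rates[(before, dept)]["click"]

if __name__ == "__main__":
    print("needs follow-up training:", training_gaps(RESULTS, "2018-Q4"))
    print("finance click-rate change:", trend(RESULTS, "finance", "2018-Q4", "2019-Q1"))
```

Running the same analysis after each campaign round is what turns a one-off statistic into the continuous cycle described above: a group that stays flagged round after round is where the targeted training belongs.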
There’s much more to this of course - this really is just the beginning.