Security awareness is becoming an important issue for large and small organizations. As attacks become more sophisticated, many researchers are noting that the biggest risk to an organization’s data security is most often a lack of vigilance on the part of employees. The best security technologies are useless if staff and management disclose information to the wrong people, or let themselves be taken in by phishing attacks and other forms of spoofing. Many employees cannot identify unusual activity and thus fail to report it, and a casual company culture surrounding security can lead to sensitive information being exposed inadvertently.
Thus, it is crucial to implement a security awareness program that educates employees about protecting sensitive information, how to handle information security, and the risks of carelessness. Ensuring employees understand the consequences of mishandling sensitive information is ever more important as the amount of personal data held by private companies expands. Since the consequences may include fines levied against the company, harm to the organization’s reputation, and compromise of employees’ own personal information, it is in every organization’s interest to provide the training and implement a security plan that raises security awareness and protects sensitive data.
Specific types of threats include:
- Phishing, where the attacker poses as a legitimate company online, by email, or by phone.
- Spear-Phishing, which is a phishing attack that targets a particular group, usually by email.
- Executive Whaling, which is phishing that targets high-level executives.
- CEO Fraud, in which the attacker spoofs the CEO’s email (for instance, while the CEO is traveling) and requests that employees transfer large amounts of money or provide information.
In addition, if your organization handles credit cards, a formal security awareness program must be in place in order to comply with the latest PCI DSS security requirements. Merchant-based vulnerabilities can occur in many places along the card-handling process: at point-of-sale devices, in web shopping applications, in paper-based storage, and in unsecured transmission of cardholder data. If cardholder data is also processed by systems operated by service providers, another large area of exposure opens up.
A good security system, with firewalls, sound password handling, security certificates, and incident logging, is important, but security awareness is necessary to educate employees and keep them from inadvertently responding to phishing and other types of attacks. Raising employee awareness is critical, and that is what a security awareness plan does for an organization.
Worst practices in organizational security awareness
- Optimistic Inaction – Not many organizations admit to this as their “strategy” against the rise of phishing, but it probably reflects a wider complacency. The assumption that nothing has happened, and therefore nothing will, is dangerous. Aberdeen Group states exactly how risky this can be. The analyst firm said that there is an 80% likelihood that breaches from user error will result in total costs of more than $2.5 million per year. Many companies could not survive a cost of that size.
- Casual (Break-Room) Training – Roughly one third of organizations choose the break room approach. They gather as many employees as they can in the break room, provide lunch and have an expert lecture on topics such as phishing, spear-phishing and whaling. While most of these efforts are significantly better than nothing, very often attendance is low and such events are not taken seriously. Measures of the effectiveness of this policy show it makes little to no difference.
- Video Training – This can take the form of informal training with videos sent through email or posted on the website for employees to view, or of a more formal version via mandatory classes. Videos educate users on the perils of careless clicking and on the many traps used by phishers to reel in employees. About one in four organizations opt for this method. It has proven not to be an effective method because it is superficial and easily ignored.
- Phishing Tests – This approach selects higher-risk employees and sends them simulated phishing emails to see how many fall victim to the attack. It is often paired with some kind of educational module, which can include links to training for those who fall victim, as well as short videos to increase awareness. This method does offer some kind of metric about phishing – specifically, how many and which employees are susceptible to these attacks. However, employees soon get wise to it and “prairie dogging” begins to occur – an employee sees a phishing test email and pops his or her head up above the cubicle to let the others know to watch out for it. This approach, then, is both limited and too simplistic.
Best practices in organizational security awareness
Create a Security Awareness Team:
Senior executives and IT managers must have a full understanding of the scale of the problem in order to be willing to dedicate enough time, resources and money to set up a proper training program. Once the scale, size, and real threat of the problem are understood at this level, comprehensive training programs may be established.
Companies must determine responsibilities for a security awareness team, which will establish minimum levels of security training, define safe practices for other employees, and implement these plans. This team will be able to provide other members of the company with varying levels of security training based on their job role – for example, there should be a minimum level of security training for all personnel, another level for specialized job roles (ones which include relatively unfettered access to card payment data, for example), and another level for management who may be responsible for imparting security practices to other employees.
Combine security training with random phishing emails and tests to create a comprehensive program. A key to effectiveness is to take full, not partial measures in education and follow-up activities.
Establish the Baseline Level of Phishing Susceptibility:
Security awareness training can be undermined by an inability to measure its impact. Start by establishing metrics by which you can judge the effectiveness of your educational programs.
Establishing a baseline and metrics lets you know the percentage of users who open malicious emails before an awareness training campaign starts. Simply send out a simulated phishing email to a random sample of personnel to find out how many are tricked into opening an attachment, clicking a link or entering sensitive information. This measurement can be repeated later, after your efforts, to determine how effective the campaign has been.
Gain Executive and IT Buy-in:
Top executives and IT managers must be on board with any security awareness program. Thorough briefings before and during a training program are a must. Briefings are needed to gain financial approval, but it should not end there. Prior to beginning a phishing simulation project, communicate with executives and iron out all political or sensitivity issues in advance.
This communication should include HR, Legal and union representatives where applicable. Otherwise, such campaigns may be unjustly accused of targeting specific employees, undermining morale or discriminating against certain groups. Only by keeping all interested parties involved, listening to their concerns and addressing their needs can such a campaign hope to succeed without causing unrelated issues.
Another aspect of this best practice is to inform executives about baseline phishing numbers so they are more aware of the extent of the problem and the uphill task facing the organization. Return to this baseline again and again as a means of monitoring results. Showcase all drops in phishing effectiveness as a way to demonstrate (and also to determine) the value of the program.
Conduct Random-Random Simulated Phishing Attacks:
Earlier, we noted that when your phishing tests become routine or predictable, employees come to expect them and prepare for them. This can even make an organization’s phishing susceptibility appear much lower than it really is. Employees get used to the routine, learn to identify the tests, and then carry on as normal. Proofpoint, the cyber security firm, ran a study in which it found that no company had a zero click rate on phishing attacks. Symantec’s phishing quiz can also help your employees understand the problem better. Most of the clicks were made by repeat clickers, but 40% of clicks, they found, came from one-off clickers. Even the most careful employees may accidentally click on something malicious from time to time.
An alternative to simple click-bait tests is random-random simulated phishing attacks. Using this method, simulations are sent to random groups, on random schedules, using random phishing templates, to make the attack appear more realistic.
Personalized emails are more believable, which is why attackers spoof existing, legitimate emails rather than making up their own. One way to challenge your employees is to obtain the bank names used by your employees from payroll and use that bank’s name in a simulated phishing campaign. This kind of approach is very effective at raising awareness.
Continue your simulated phishing tests to ensure that your employees stay alert.
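As an added example (not code from the original article), the following Python computes the baseline and follow-up metrics described in the two sections above (open, click and submit rates, the drop after training, the per-role click rate, and the repeat versus one-off clicker split) and draws up a random-random send schedule. The campaign results, employee ids, roles and template names are constructed for illustration.

```python
import random
from collections import Counter, defaultdict

# Constructed sample results (not real data): (campaign, employee_id, role, outcome).
# outcome is the worst action taken: "ignored" < "opened" < "clicked" < "submitted".
RESULTS = [
    ("baseline", "e01", "finance", "submitted"),
    ("baseline", "e02", "finance", "clicked"),
    ("baseline", "e03", "it", "opened"),
    ("baseline", "e04", "sales", "clicked"),
    ("baseline", "e05", "sales", "ignored"),
    ("round2", "e01", "finance", "clicked"),
    ("round2", "e02", "finance", "ignored"),
    ("round2", "e03", "it", "ignored"),
    ("round2", "e04", "sales", "opened"),
    ("round2", "e05", "sales", "clicked"),
]
LEVEL = {"ignored": 0, "opened": 1, "clicked": 2, "submitted": 3}

def campaign_metrics(results, campaign):
    """Share of recipients who at least opened, clicked, or submitted data."""
    rows = [r for r in results if r[0] == campaign]
    sent = len(rows)
    rate = lambda lvl: sum(LEVEL[r[3]] >= lvl for r in rows) / sent
    return {"sent": sent, "open_rate": rate(1), "click_rate": rate(2), "submit_rate": rate(3)}

def click_rate_by_role(results, campaign):
    """Click rate per job role, so training can be targeted where susceptibility is highest."""
    by_role = defaultdict(list)
    for c, _emp, role, outcome in results:
        if c == campaign:
            by_role[role].append(LEVEL[outcome] >= 2)
    return {role: sum(v) / len(v) for role, v in by_role.items()}

def clicker_breakdown(results):
    """Repeat vs one-off clickers across all campaigns, plus the share of clicks from one-offs."""
    clicks = Counter(emp for _c, emp, _r, out in results if LEVEL[out] >= 2)
    repeat = sorted(e for e, n in clicks.items() if n > 1)
    one_off = sorted(e for e, n in clicks.items() if n == 1)
    total = sum(clicks.values())
    return {"repeat": repeat, "one_off": one_off,
            "one_off_click_share": len(one_off) / total if total else 0.0}

def relative_drop(results, before="baseline", after="round2"):
    """Relative reduction in click rate between two campaigns (the number to show executives)."""
    b = campaign_metrics(results, before)["click_rate"]
    a = campaign_metrics(results, after)["click_rate"]
    return (b - a) / b if b else 0.0

def plan_random_random(employees, templates, window_days, seed=None):
    """Random-random scheduling: shuffled recipient order, random send day, random template each."""
    rng = random.Random(seed)
    order = employees[:]
    rng.shuffle(order)
    return [(emp, rng.randrange(window_days), rng.choice(templates)) for emp in order]
```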
Develop a Well-Rounded Training Program:
Training should be interactive. It should balance theory and application, be up to date, and be based on thorough knowledge of the current state of cyber security. If you can incorporate the assistance of an expert hacker or social engineer who knows all the ways of entering an organization and all the tricks of current phishing trends, he or she can be an effective eye-opener. Training should explain the mechanisms of spam, phishing, spear-phishing, malware, ransomware and social engineering, and should explain how to apply this knowledge on a daily basis.
Types of content to be used in security awareness training
Security awareness and training materials may be developed in-house, adapted from a professional organization’s work, or purchased from a vendor. Content may need to be adapted to your training methods and channels – which themselves should be matched to the audience receiving the training content. By focusing the material on the audience, and by using the appropriate communications channels for the personnel you are targeting, you can be far more effective than if you tried to provide the same training to everyone, regardless of role.
Vendors can provide prepared materials such as computer-based training (CBT), posters, and newsletters. Some materials may be found online for free. The following links may help you develop a Security Awareness Program:
- National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, www.nist.gov
- International Standards Organization (ISO) 27002:2013, Information technology — Security techniques — Code of practice for information security controls, http://www.iso.org/iso/catalogue_detail?csnumber=54533
- International Standards Organization (ISO) 27001:2013, Information technology — Security techniques — Information security management systems, http://www.iso.org/iso/catalogue_detail?csnumber=54534
Below is an example of content that is commonly included in the general security awareness training:
- Organization’s Security awareness policy
- Impact of unauthorized access (for example: to systems or facilities)
- Awareness of CHD (cardholder data) security requirements for different payment environments
  - Card-present environments
  - Card-not-present environments
    - Phone (individual or call center)
    - Online (eCommerce)
- Importance of strong passwords and password controls
- Secure e-mail practices
- Secure practices for working remotely
- Avoiding malicious software – viruses, spyware, adware, etc.
- Secure browsing practices
- Mobile device security, including BYOD
- Secure use of social media
- How to report a potential security incident and who to report it to
- Protecting against social engineering attacks
  - In person – physical access
  - Phone – caller ID spoofing
  - E-mail – phishing, spear phishing, e-mail address spoofing
  - Instant messaging
- Physical security
  - Shoulder surfing
  - Dumpster diving
- Where to get further information on protecting CHD (cardholder data) in the organization (for example, the security officer or management)
Checklists to be considered in security awareness program
The Security Standards Council identifies three main areas of focus for security awareness programs:
Creating the Security Awareness Program
- Determine compliance or audit standards.
- Establish security awareness requirements for those standards.
- Select organizational goals, risks, and security policy.
- Identify stakeholders and obtain support.
- Create a security awareness baseline.
- Establish scope for the security awareness training program with a project charter.
- Create a steering group for planning, executing and maintaining the program.
- Identify who you will be targeting – different roles may require different or additional training (employees, IT personnel, developers, senior leadership).
- Identify what you will communicate to the different groups (the goal is the most limited training possible that has the greatest impact).
- Select how you will communicate the content across three categories of training: new, annual, and ongoing.
Implementing Security Awareness
- Develop content to meet requirements identified in program creation.
- Document how and when you plan to measure the effectiveness of the program.
- Implement tracking mechanisms to record who has completed training.
Sustaining Security Awareness
- Set up regular intervals to review your awareness program each year.
- Identify new or changing threats or compliance standards and updates needed; update annually.
- Conduct assessments of organization security awareness compared to baseline.
- Survey staff for feedback (usefulness, effectiveness, ease of understanding, ease of implementation, recommended changes, accessibility).
- Maintain management commitment to supporting, endorsing and promoting the program.
Threats against data security are constantly evolving. As much as we may want it to be, maintaining security is not a passive process, even with the best available technology. Security awareness training must be consistent, up to date, and targeted to different employees based on job role and susceptibility. If this is accomplished, with the right content and proper communication throughout the organization, a well-informed and aware staff can stave off most of the threats to security that exist.