
Invest in the Most Important Security Tool… the Employees

 3 years ago
source link: https://medium.com/slalom-technology/invest-in-the-most-important-security-tool-the-employees-1e981a15149b


Address the number-one risk to your organization with a security awareness program

Photo by Mario Gogh on Unsplash

The Crux of Security: The End-User

Ask ten information security professionals what the strongest point of their information security program is, and there will likely be ten different answers. Ask them what the weakest point in their program is and you should only get one answer: the end-user.

Security professionals have a slew of technology tools with which to battle threats. We have security information and event management (SIEM) solutions for log analysis and event correlation, firewalls to block unwanted traffic from the network, network intrusion detection systems to spot anyone who gets past the perimeter protection, and the list goes on. However, all those devices and technologies mean nothing if Quinn in shipping receives a nefarious email crafted to appear official and clicks the link it contains. This works on Quinn, and on an alarming number of users, because those users are never taught about their role in security.

Users are the number-one target of cybercriminals because users are easier to compromise than systems. 91% of cyber-attacks start with spear-phishing, while 92.4% of malware is delivered via email attachments. A specially crafted email can look like it came from your IT department, and the average user will be none the wiser. Cybercriminals have no shortage of tools (such as Gophish, LUCY, and King Phisher) or material with which to craft nefarious emails.

How the End-User is Exploited

The COVID-19 pandemic is unlike anything our generation has seen. Many governments have pledged financial support for those affected by the pandemic, and that pledge gives cybercriminals additional opportunities to leverage phishing emails. Hackers can use any of the tools mentioned above to craft an email that appears to come from a US Government agency. The email asks for bank account information so that a COVID-19 stimulus deposit can be made; what the criminals actually gather is your bank routing and account number. With that information, there are additional tools and paysites they can leverage to empty the account. It seems silly until you realize cybercriminals do this because it takes minimal effort: they can craft a single email and send it to hundreds of thousands of email accounts with a few scripts. If five people take the bait, the scam is more than worth their time. While some phishing emails target bank account information, others target account credentials.

Account credentials are critical because users are known to reuse passwords. Depending on the study you reference, somewhere between 70% and 85% of users reuse passwords. So when a user falls prey to a phishing scam that gathers credentials, there is a 70% to 85% chance a hacker can compromise another of that user’s accounts. In addition to reusing passwords, many users have a single email account that they use to register for all their other accounts (e.g., bank, retail, and utility accounts). Password reuse combined with a single email address behind every account increases the attack surface and the risk to security.

Another risk related to users is overall physical awareness. Many companies sponsor outings such as happy hours, dinners, miniature golf, or sporting events. Since becoming a consultant, I’ve been on countless company outings, and one thing employees like to do at these outings is talk about work. I’ve witnessed firsthand and, ashamedly, joined some of these work discussions. The problem is that these outings typically take place in public, where an eavesdropper could be listening for any information that helps them surveil a target. Sometimes information shared at these events can lead directly to the circumvention of security controls. To combat the multiple risks associated with the end-user, every company should implement a security awareness program.

Combating the Threats

A security awareness program is a formal program to educate users about potential threats to an organization’s information. Users are informed of the threats and then given the knowledge and skills required to mitigate each one. There is no one-size-fits-all security awareness program, as each business has unique security needs.

Users in the financial sector have a different set of security concerns than users in the energy sector. Users in the financial sector handle bank account information and personally identifiable information, and have financial regulatory requirements to meet. In the energy sector, users are charged with keeping information about the US power grid safe and must meet Federal Energy Regulatory Commission and North American Electric Reliability Corporation regulations and compliance obligations. Their security programs should not be identical.

A security awareness program is also about more than training modules.

It consists of quarterly awareness campaigns designed to keep users abreast of the latest data breaches and what companies are doing to combat cybercriminals. It is information security posters placed in strategic employee gathering spots where they will be seen, read, and discussed. It is the CEO sending out an occasional email or adding a blurb about information security to their “state of the company” message. It is a repeatable capability that empowers your users in an effective manner. The benefits of security awareness programs are readily observable.

According to a KnowBe4 survey, respondents reported that attacks such as phishing scams and malware declined significantly, from a success rate of 40%–50% to a success rate of 0–5%, after participating in a mature security awareness program. 64% of corporations say security awareness training helps their businesses identify and thwart hacks immediately upon deployment. Security awareness programs also decrease overall security risk and educate employees on the danger posed by cybersecurity scams, according to 86% of corporations (KnowBe4 Report).

The only way to decrease the number-one risk to your organization — the end-user — is with a security awareness program. This program directly benefits the end-user by providing the education and skills required to understand and address risks like cyber-attacks and social engineering. The program also informs users of the risks around passwords and how to approach situations outside the office to decrease the risk of information loss. To increase the chances of your company NOT becoming a data breach headline, you should ensure you have a fully functioning security awareness program in place.
