May 11, 2016 by Jeff Bernstein
T&M Protection Resources' Managing Director, Jeff Bernstein, Shares Why Your People Should Be Priority When it Comes to Securing Your Organization:
I’ve worked within the information security industry for over seventeen years and can confidently say that when it comes to information security programs and risk reduction there is one point that everyone I meet seems to agree on: more often than not, people are the weakest link in an organization's information security posture.
The vast majority of information security breaches are caused by end-users doing something they shouldn't do: clicking a malicious link in an email message, opening an infected email attachment, using weak passwords, losing laptops or phones, or being tricked into giving up their credentials through social engineering. In fact, most security industry data now estimates that over 80% of all successful data thefts begin with an end-user doing something that they shouldn't do.
Social engineering is the manipulation of people into performing actions or divulging confidential information. Attackers use social engineering for information gathering, perpetrating fraud, gaining system access, and stealing sensitive data, intellectual property or money. I work at T&M Protection Resources, where we provide post-breach forensic investigations. Cases that we investigate range from simple website defacements to sophisticated thefts of large amounts of data and money by multinational organized crime rings, denial of service (DoS) attacks, and everything in between. Based on our firm’s experience, I can tell you first hand that human error is the root cause of most of the successful breaches that we investigate. Because of this, companies that fail to properly train their personnel to recognize and respond to security threats are only asking for trouble.
As awareness of the threat grows, our firm is asked more and more often to include phishing and other social engineering studies as a component of our information security assurance testing programs. We sometimes come out of these exercises with a conversion rate of 50% or more. "Conversion" means that we tricked an end-user into doing something that they should not have done, such as clicking a malicious link, entering a user name and password, or opening a malicious attachment. When we deliver our results, the first question the client always asks is "what can we do to fix this problem?" The single best answer is to train internal personnel on security awareness. When done correctly, security awareness training is highly effective in mitigating the threat posed by the human element.
Security awareness training programs should include useful information about the latest security threats (phishing, smishing (phishing over SMS), etc.). Effective training programs should also include content specific to the company's own security policies and procedures. This should typically cover social media, acceptable use, data retention, and bring-your-own-device policies where applicable. During the training each employee should also be asked to read and accept the company's acceptable use policies, which puts each employee on notice that they must be vigilant about security in the workplace.
The spirit and overarching theme of any security awareness training program should be that security is the responsibility of everyone in the workplace and that everyone needs to remain vigilant when it comes to recognizing and properly responding to information security threats.
Training should be reinforced with creative tests or studies that measure personnel awareness (email phishing studies, pretext calling, trojaned media sent by postal mail, etc.). Testing at regular intervals matures end-users from a security awareness perspective and also allows the company to gauge retention of the information presented in the training curriculum and improvement in the awareness-related security posture over time. Risk reduction becomes clearly quantifiable. Proper documentation of results over time is meaningful for management, audit and other purposes because it shows where the awareness-related security posture has been, where it is at any given time, and in what direction it is progressing. Security managed in this way becomes an enabler of the business.
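To make "quantifiable" concrete, here is an added example of how a security team could track phishing-study results across repeated campaigns. This is illustration code written for this article, not a tool from T&M or from any vendor; the CSV columns (campaign, date, sent, clicked, submitted, reported) and the figures in it are constructed assumptions. Beyond the conversion rate the text describes, it also reports how many users reported the email, and it attaches a Wilson confidence interval to each click rate so that a drop between two campaigns can be separated from sampling noise before it is shown to management as improvement.

```python
"""Phishing-simulation metrics tracker (added example, not from the original article).

The CSV below is constructed for illustration. Its column names are assumptions,
not any real phishing-simulation product's export format.
"""
import csv
import io
import math
from dataclasses import dataclass

CAMPAIGNS_CSV = """\
campaign,date,sent,clicked,submitted,reported
baseline,2016-01-15,200,104,61,9
q2,2016-04-15,210,58,22,41
q3,2016-07-15,205,31,9,77
q4,2016-10-15,200,28,6,85
"""


@dataclass(frozen=True)
class CampaignStats:
    campaign: str
    date: str
    sent: int
    click_rate: float   # users who clicked the link / users targeted ("conversion")
    submit_rate: float  # users who entered credentials / users targeted
    report_rate: float  # users who reported the email / users targeted
    click_ci: tuple     # 95% Wilson interval for click_rate


def wilson_interval(successes: int, n: int, z: float = 1.96) -> tuple:
    """95% Wilson score interval for a proportion.

    Chosen over the naive p +/- z*sqrt(p(1-p)/n) because awareness studies often
    target small populations and produce rates near 0 or 1, where the naive
    interval is unreliable.
    """
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def counts_consistent(sent: int, clicked: int, submitted: int, reported: int) -> bool:
    """A user cannot submit credentials without clicking, and no count can exceed the targets."""
    return 0 <= submitted <= clicked <= sent and 0 <= reported <= sent


def parse_campaigns(text: str) -> list:
    """Parse campaign rows into CampaignStats, rejecting internally inconsistent exports."""
    stats = []
    for row in csv.DictReader(io.StringIO(text)):
        sent, clicked = int(row["sent"]), int(row["clicked"])
        submitted, reported = int(row["submitted"]), int(row["reported"])
        if not counts_consistent(sent, clicked, submitted, reported):
            raise ValueError(f"inconsistent counts in campaign {row['campaign']}")
        stats.append(CampaignStats(
            campaign=row["campaign"],
            date=row["date"],
            sent=sent,
            click_rate=clicked / sent,
            submit_rate=submitted / sent,
            report_rate=reported / sent,
            click_ci=wilson_interval(clicked, sent),
        ))
    return stats


def improvement_is_significant(before: CampaignStats, after: CampaignStats) -> bool:
    """True when the later click rate is lower AND the two 95% intervals do not overlap.

    Non-overlapping intervals are a conservative screen for a real difference, so a
    drop that passes it can be reported as improvement rather than sampling noise.
    """
    return after.click_rate < before.click_rate and after.click_ci[1] < before.click_ci[0]


def trend_report(stats: list) -> list:
    """One summary line per campaign, flagging whether it improved significantly on the previous one."""
    lines = []
    for i, s in enumerate(stats):
        lo, hi = s.click_ci
        flag = ""
        if i > 0:
            flag = (" (significant improvement)" if improvement_is_significant(stats[i - 1], s)
                    else " (not significant vs previous)")
        lines.append(f"{s.date} {s.campaign}: clicked {s.click_rate:.1%} [{lo:.1%}-{hi:.1%}], "
                     f"submitted {s.submit_rate:.1%}, reported {s.report_rate:.1%}{flag}")
    return lines


if __name__ == "__main__":
    for line in trend_report(parse_campaigns(CAMPAIGNS_CSV)):
        print(line)
```

In the constructed data the baseline conversion rate is 52%, which matches the "50% or more" figure above; the next two quarterly campaigns show drops whose intervals do not overlap the previous campaign's, while the fourth shows a small drop that the interval check correctly refuses to call improvement. A rising report rate is worth tracking alongside the click rate, since it is the behaviour awareness training is meant to produce.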
Achieving absolute security in the enterprise is simply impossible. Improving security usually costs money, capabilities, time, ease of use, civil liberties and more. Many organizations also lack the internal resources, expertise, infrastructure and budget to deliver effective awareness training programs to their staff. Even so, the most effective compensating control for the most prevalent information security threat to the workplace (the human element) is security awareness training combined with regular testing.
What we typically recommend to our clients is that all staff members attend a yearly training course at a minimum. This can take place in person or online, depending on the client's preference. In many companies employees work across numerous geographies, which makes it hard to assemble personnel for live sessions, and it is also difficult to measure content retention with large live audiences. For these reasons many of our clients are choosing online training, which is highly effective. Online training also provides a better platform for measuring progress and generating reports that can be used internally for compliance and audit purposes. Online training should be highly interactive and not something that can simply be clicked through. In addition to the yearly module, we also recommend that our clients deliver an abridged security awareness primer to new employees as they are hired. This gives new employees an immediate lesson on awareness and spells out exactly what is expected of them security-wise during their on-boarding. Testing throughout the training module should also be included, to confirm that the lesson's content is being retained by the end-user.
For more information on security awareness training products visit: http://www.globallearningsystems.com/products/security-awareness-training/
About Jeff Bernstein
Jeffrey Bernstein is the Managing Director of T&M Protection Resources (T&M) and has worked within the information security industry for over seventeen years. T&M Protection Resources has been providing a growing portfolio of integrated security and intelligence services to leading businesses, financial organizations, investment management firms, corporations, academic institutions and private clients since 1981.