by Gary Audin
Cybercriminals increasingly target users rather than infrastructure. You train your users about cyber security, and you may test them. Consider, though, that a passing grade that is not a perfect grade means some users did not learn all of the cyber security skills they need. Whatever they missed on the assessment test represents a vulnerability they may still respond to, opening your network to attack.
Phishing is at the Top of the List
Phishing with social engineering is the primary method for obtaining credentials (46% of the threats) and access to IT systems and networks. You may be able to thwart some of these threats with software, but the ultimate prevention is users who recognize and avoid the threats. This is where adequate and consistent training succeeds.
What can a Dark Web Scan Do?
You probably do not know which users’ accounts can be located on the dark web. The dark web is made up of hidden websites that you can access with special software.
“Have I Been Pwned?” https://haveibeenpwned.com/ is free. It will tell you whether your email address or password appears in one of 300+ data dumps from websites. It can also notify you when your email address appears in a new data dump. If you want to discover whether your credentials have been compromised, it is a useful service. Most paid services that say they scan the dark web are actually looking at the same kind of data dumps.
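The password half of that check can be done without ever sending the password to the service: the Pwned Passwords range endpoint accepts only the first five hex characters of the password's SHA-1 hash and returns every hash suffix starting with that prefix, so the match is made locally. The Python below is an added example written for this article, not code from the author or from Have I Been Pwned. The sample response and its counts are constructed so the example runs offline (the live fetch is included but not called by default), and the User-Agent string is an arbitrary name.

```python
import hashlib
import urllib.request

# Added example, not from the article: k-anonymity lookup against the
# Pwned Passwords range API. Only a 5-character hash prefix leaves the host.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return how many times the suffix was
    seen in the data dumps (0 if absent). Malformed lines are skipped."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            try:
                return int(count.strip())
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Add-Padding asks the service to pad the reply
    with zero-count entries so response size does not leak the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return the breach count for a password; the password itself is never
    transmitted, only the hash prefix is passed to fetch()."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample response (not real service output). The first suffix is
# the genuine SHA-1 tail of the string "password"; the counts are made up.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:0
"""


def offline_lookup(password: str) -> int:
    """Same logic as pwned_count, but answered from the constructed sample."""
    return pwned_count(password, fetch=lambda prefix: SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(offline_lookup("password"))  # 3730471 (constructed count)
    print(offline_lookup("correct horse battery staple"))  # 0
```

A non-zero count means the password appears in at least one dump and should be treated as already known to attackers, which is the same conclusion the article draws for an email address found in a breach. To run it live, call `pwned_count("candidate")` with the default fetcher; the service only ever sees the five-character prefix.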
Am I Taking a Risk?
If you discover an email address associated with one or more external data breaches, you should take immediate action to minimize the risk. You should change all the passwords associated with those accounts and employ stronger passwords.
If you do not conduct an employee vulnerability assessment, you are missing one of the best preventative steps available. An assessment using simulated phishing techniques can identify what users would do when they are sent real phishing emails. This helps uncover poor behavior and vulnerabilities.
What do I Train on?
Once you have conducted the vulnerability assessment, you can improve your protections with education and training. The training should include:
- How to recognize phishing and phone scams
- The dangers of using social media and how a user can spot the scams
- Your policy, with guidance, on using a company email address to register for, post to, or receive social media
- How to create strong, unique passwords for every account they use
- That they are not allowed to install unlicensed software on any company computer; free software commonly contains malware
- How to avoid using business email for personal activities
- How to protect mobile devices such as smart phones, laptops, tablets, and USB drives
- The concept that the door should always be locked
Many studies have determined that about half of data breaches are caused by human mistakes or activities. In most cases this is the result of poorly trained users. What you want is for the user to act as a human firewall and protect your organization.
Don’t Make it Painful
When I was in military intelligence, security was of paramount interest. I attended many security classes but unfortunately some of them were extremely boring and did not motivate me very well. On the other hand, the penalties for breaking security were so severe that I paid attention.
What you need to do is make sure that the security training you deliver is positive, motivating, and interactive, and that it informs users of the risks that follow if their training is not applied. Provide meaningful assessment feedback as part of the training. Your organization should foster a culture in which it is safe to raise concerns when users see or suspect something that can impact corporate security. Commit to continuous training. Ensure your users accept that cybersecurity in the workplace is everyone’s responsibility.
Executives are Users Too
Executives have become a major target because obtaining their credentials opens up a wider attack surface than most other users. The “2019 Data Breach Investigations Report” https://enterprise.verizon.com/resources/reports/dbir/ by Verizon determined that senior executives are 12 times more likely to be attacked through social interactions and 9 times as likely to be the target of social breaches, compared to previous reports. Most of the attacks involved financial threats, which represented about 12% of the attacks.
Don’t Forget the Contractors
Organizations rely on contract workers, developers, consultants, VARs, and MSPs. The nature of contract jobs produces a feeling of impermanence that permeates processes and policies. Contract workers are potential cyberattack victims and should be trained to the same degree as full-time employees. Many contractors have high levels of access and privileges, meaning that their credentials are more valuable than the average user’s.
A variation of this blog was posted at www.nojitter.com.