SECURITY AWARENESS IN THIS DAY AND AGE
Here we are in October 2020, and it’s that time of the year again, officially referred to as “Cybersecurity Awareness Month”. This year is different for many in that companies, including my own, are providing their security awareness campaigns as a virtual event. This type of campaign has advantages in that any employee can attend from the comfort of their own home and, if it is recorded, can go back and forth to review the content. Disadvantages include easily distracted attendees and the loss of the personal connection that attendees make with the speaker and with each other. It will be interesting to see how effective this “new norm” turns out to be. Speaking of effectiveness, a few years ago I published an article on security awareness questioning the process itself. Are we simply parroting the same best practices each year with a “hope” of improvement? Are we conducting these campaigns to satisfy a checkmark on a compliance sheet? Has this become more about keeping the lights on (KTLO) than about moving forward with the objective of actually improving our security posture? How would one measure cost savings for a protective measure? These questions still hold true today.
We all understand the importance of security awareness, and the statistics themselves validate the need for ongoing training, so let’s take a look at the last few years for an overall comparison: (*IBM Cost of Data Breach Reports 2017-2020)
As you can see, the results are going in the wrong direction. Not only has the cost of a breach gone up, but we’ve also added nearly 100 days to detection in the last 4 years, and more than half of attacks are malicious in nature. This year, when addressing security awareness, are we approaching it with the intent to lower these types of numbers, or just rehashing last year’s content with current statistics? Have you provided or received any security awareness training on working remotely, as many of us approach the 1-year anniversary of this pandemic fallout we find ourselves in?
Now, not all is as bleak as it may appear. There is a silver lining. I have personally seen this with a recent phishing campaign for another company. The company in question split its quarterly campaign into 2 groups, IT and Non-IT, with the expectation that IT would, in theory, far surpass the Non-IT personnel. After all, IT knows best in these matters, right? As you might have surmised from my written tone, this was not the case at all. Each user received a total of 3 phishing emails over a 2-week period, with various tempting content and links that, if clicked, would take them to a landing page identifying why it was phishing and how to better watch for it in the future. The end result was that far more IT users clicked on the links (12%), some more than once, while the Non-IT employees rarely clicked on any of them (1.5%). So you must now ask yourself: why is this the case? In my opinion, this is a clear indication that these companies’ users are well versed in phishing and how to identify it, so there must be a reason so many IT users were successfully phished. I believe this is because IT personnel have become somewhat lackadaisical when dealing with email, most likely due to the sheer number they receive, and are now more prone to falling for these types of attacks. And as you know, the attacker only has to be successful once, whereas users need to be diligent every single time. This also identifies a need to increase testing with IT personnel so as to keep them “on their game”. In this example, phishing identified a weakness in the IT staff and at the same time acknowledged a need for increased training for IT staff. These actions will play a vital role in security awareness and help drive those “bad” numbers down.
Other areas of direct concern are:
• Protecting yourself at home (while being vendor agnostic)
    o Router Security
    o Wireless Security
    o OS / Application Updates
    o The importance of VPN
• Passphrases and not Passwords
    o Length is your friend
• Incident Response for Employees (both IT and Non-IT)
    o Who do they call?
    o When do they call?
• IT Specific
    o Cloud Security
    o Server OS / Application Patching
This, of course, is not an all-inclusive list, but it covers several areas that, if addressed, have a direct impact on the attacks that create so much havoc for companies. As many of us are remote now, taking advantage of technology is at the forefront when educating users on security awareness. I personally believe that even though October is Cybersecurity Awareness Month, we should all be cybersecurity aware every day of the year. Ongoing user interaction is key and promotes a healthy and secure IT environment. I will always directly respond to any user who reports anything they believe is concerning with a “Great Job on Security Awareness!” regardless of who the employee is. For those security professionals reading this, you know full well how easy it is for IT security to get a black eye, so this constant reassurance to our users only encourages user cooperation and due diligence. I look forward to seeing how well we do at getting those “bad numbers” down this year. I challenge each of you to do your part in not only being aware of what attacks are happening out there but also how you can better protect yourself. You will find that IT security people are extremely receptive to helping those who want to help themselves.
Mark D. Spivey, CISSP
IT Cyber Security Manager