By Gail Dutton
IT departments can’t ensure data security on their own. Despite firewalls and anti-virus and anti-malware applications, cybersecurity experts say most computer systems already are infected, and there’s little IT administrators can do to prevent it through technical controls alone. That’s the biggest surprise non-IT employees experience during computer security training.
“Non-IT employees think cybersecurity isn’t their problem...and that IT has taken care of it,” notes Prenston Gale, director of information security for Dynamics Resource Corporation, which trains government agencies in cybersecurity. At one time, reliance upon the IT department was sufficient. Today, however, organizations’ security perimeter is human, and humans are the weakest link.
Lone hackers have been replaced by sophisticated criminal organizations and by hacktivists (such as Anonymous) that mount advanced persistent threats (APTs): long-running, targeted campaigns that often gain entry by exploiting end-users rather than by breaking the technology. All organizations are vulnerable. Attackers target small companies, as well as multinationals, and general employees, as well as senior executives.
Social engineering and spear phishing are core tactics, according to the report, “When Advanced Persistent Threats Go Mainstream,” by the Security for Business Innovation Council (SBIC) and RSA. Unlike earlier scams, the e-mails or phone calls used in social engineering appear legitimate. The Better Business Bureau (BBB) scam is an example. Companies receive an e-mail or phone call, purportedly from the BBB, alerting them to a customer complaint, along with an attached complaint form, or a case number and log-in credentials for a linked site. Once the link is clicked or the attachment opened, malware that steals information and destroys files is loaded onto the PC. “Social engineering attacks are based upon interacting with people pretending to be with a particular organization and then stealing information,” Gale says. “E-mail is one of the biggest threat vectors.”
Another attack uses thumb drives. After the Department of Homeland Security (DHS) seeded a parking lot with thumb drives in 2011, it reported that 60 percent of the devices were inserted into agency or company computers. When the thumb drives carried the organization’s logo, the insertion rate jumped to 90 percent, according to network security firm Idappcom. The danger is that the drives can harbor malware or Trojans that give an attacker a foothold on an internal machine, behind the perimeter defenses. When security firm Sophos analyzed 50 USB drives left on RailCorp trains in Australia, it found that 66 percent contained malware. None were encrypted.
One insidious botnet (a zombie army of infected computers) actually cleans up problems on the host device, so the PC runs beautifully and the owner has no reason to suspect anything, and then uses it to launch distributed denial-of-service (DDoS) attacks against other systems.
Active training using simulated phishing and spear-phishing (targeted) attacks, and serious gaming using situations unique to employees’ jobs are the most effective approaches to cybersecurity training. The objective is for individuals to recognize they could be responsible for major information breaches. In contrast, traditional methods such as Webinars, videos, and classroom sessions haven’t made the threat real for participants, according to the SBIC report.
“Being phished isn’t a matter of being dumb. Even the late Steve Jobs (founder of Apple) fell for a spear-phishing attack,” emphasizes Rohyt Belani, adjunct professor at Carnegie Mellon University and CEO and co-founder of PhishMe.
As Dave Frymier, chief information security officer (CISO) of Unisys, elaborates, “It’s easy to enter innocuous sites that lead to unexpected places. Employees can’t always back out, and sometimes the system is infected.” Detecting phishing depends upon noticing that something about a contact doesn’t seem right. With training, computer users become more aware of the dangers of active hyperlinks, of opening attachments, and of following links to sites that ask for sensitive information, even when the story is believable.
“The best way to make training effective is to make it hands-on and interesting, and to immerse people in the experience,” Belani says. “For phishing, you don’t have to explain much.” He developed an automated way to conduct unannounced, mock phishing exercises that provide instant, targeted training to those who are susceptible to the attack.
By providing training at the point of their risky behavior, people gain instant perspective and spot subsequent dangers quicker and easier. These bite-sized experiences have enough emotional stress to get employees’ attention, and present one concept at a time, such as a flashcard, for easy learning.
Before beginning a program, PhishMe blasts a notice throughout the organization alerting employees that spot training will occur throughout the year in the course of their normal work. But when simulated attacks are sent, there’s no warning. PhishMe simulated attacks arrive just like any other e-mail. “On a first training run at an organization, we typically find 58 percent of the people would click a bad link in an e-mail,” Belani notes. “At 12 months, after running the campaign every two months, susceptibility is below 10 percent. The key to success is the frequent nature of the training.”
The challenge for IT, which often is the unit tasked with conducting cybersecurity training, is a combination of minuscule funding, boring training methods, and failure to recognize that training non-IT staff in cybersecurity is crucial.
Unisys has trained non-IT employees in cybersecurity since 2001. As Frymier says, “We focus on commonalities: what constitutes information security; why it’s important; what a breach would mean to our four main business units; and what it would mean to functions such as contracting, regulatory compliance, etc.” The jargon-free course changes at least 30 percent each year. “Last year, the course addressed encryption resources for e-mail, files, and whole disks. New content this year focuses upon phishing.”
“The hidden face of the ‘Bring your own devices (BYOD)’ trend is the PC,” Frymier says. Although mobile device concerns are garnering headlines, many people access the corporate network remotely, from their home PCs in the evenings. Consequently, corporate data is stored there and on thumb drives.
“Unisys solidified its security policies and guidelines with a major focus on secure BYOD,” Frymier says. The policy outlines acceptable uses of personal devices for Internet usage and corporate data in two pages of plain language, pointing out individuals’ responsibility if they put corporate data on a device the corporation doesn’t own, as well as the possible repercussions if the corporation is sued for any reason. “Employees must understand they may be required to surrender devices that hold corporate data during the legal discovery process. That happens less than 1 percent of the time, but it’s a risk,” Frymier says.
Best practices are evolving, along with the threats. Randy Gross, CIO of the Computing Technology Industry Association (CompTIA), advises organizations to use up-to-date technology and to have secure tools available to employees. Then, ensure employees have internalized the risks, know how to behave on the Internet and in e-mail, and understand the implications of the business’ regulations and the regulatory environment relating to data security. As a rule of thumb, Gross advises, “If you haven’t purchased it, don’t trust it.”
- Keep software current and security patches up to date.
- If you didn’t buy the thumb drive, don’t use it.
- If an e-mail looks phishy, confirm it with the purported sender before opening it, using a phone number or address you already know rather than the contact details in the message itself.
- Recognize that good phishing attacks look legitimate.
- HTML is just markup: the text of a link and the address it opens are set independently. Determine where the link actually points (hover over it or inspect the message source) before clicking.
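The last item above is something a mail gateway or a training tool can check mechanically. The script below is an added example, not code from the article, PhishMe or Unisys. It parses an HTML message body, pulls out every link, and flags two patterns a reader is trained to spot: visible link text that names one site while the href goes to another (the BBB lure described earlier), and an address whose authority part contains `@`, which browsers treat as user-info so the real host is whatever follows it. The message body and all domain names are constructed for the example; the registrable-domain comparison is a deliberate simplification noted in the comments.

```python
"""Flag HTML e-mail links whose visible text does not match where they really go."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message mimicking the "BBB complaint" lure. Every domain is a
# reserved example name; nothing here is a real phishing site.
SAMPLE_HTML = """
<p>Dear Business Owner,</p>
<p>A complaint has been filed against your company. Review it at
<a href="http://bbb-complaints.example.net/case/4412">https://www.bbb.org/complaints</a>
or log in with case number 4412 at
<a href="https://www.bbb.org/login">https://www.bbb.org/login</a>.</p>
<p>Reply to <a href="mailto:complaints@bbb.org">complaints@bbb.org</a></p>
<p>Unsubscribe <a href="https://www.bbb.org@mail.example.org/u">here</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Approximate the registrable domain as the last two labels.

    This is a simplification for the example: production code should use the
    Public Suffix List so that e.g. "example.co.uk" is handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def _displayed_host(text):
    """Host the reader perceives from the link text, or None if it is not URL-like."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t  # "www.bbb.org" is read as a web address even without a scheme
    return (urlsplit(t).hostname or "").lower()


def suspicious_links(html):
    """Return (href, reason) findings for links that merit a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href.strip())
        if parts.scheme.lower() not in ("http", "https"):
            continue  # mailto:, tel: and friends are out of scope for this check
        real_host = (parts.hostname or "").lower()
        # "https://www.bbb.org@mail.example.org/u": the browser connects to mail.example.org.
        if "@" in parts.netloc:
            findings.append((href, f"'@' in URL authority: real host is {real_host}"))
        shown = _displayed_host(text)
        if shown and _registrable(shown) != _registrable(real_host):
            findings.append((href, f"link text shows {shown} but target is {real_host}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}\n    {href}")
```

Run against the sample body, the script reports the complaint link (text shows www.bbb.org, target is bbb-complaints.example.net) and the unsubscribe link (real host mail.example.org); the genuine-looking login link and the mailto: address pass. The same logic fits in a pre-delivery filter or in the feedback page a mock-phishing campaign shows to someone who clicked.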
Cybersecurity Training Strategies
By Maya Yankelevich, Senior Human Capital Consultant, PDRI
Who is part of the cyber workforce? All employees at every level of the organization share a responsibility to protect valuable information assets. Cybersecurity is part of every business function; it weaves throughout all aspects of daily business operations and, therefore, should be an intrinsic element of all training and development programs. A resilient organization is the result of an educated workforce and a technologically savvy infrastructure.
Few organizations have a comprehensive cybersecurity workforce planning strategy in place. As key stakeholders collaborate to develop this strategy, they must address the ongoing critical shortage of cybersecurity professionals. Learning management experts then can plan and deploy training and development initiatives that are precisely aligned with the enterprise’s overarching cybersecurity strategy.
Conduct a Gap Analysis
After setting strategic direction, determine the critical skills and competencies that are required to achieve strategic objectives. A gap analysis can assess current workforce capabilities and deficiencies. Keep in mind that those working on the front lines of cyber defense must possess a mix of hybrid skills: communications expertise and interpersonal capabilities that supplement technical ability, enabling engagement and effective collaboration with stakeholders in other disciplines and business leaders across the organization.
Working together, the chief information security officer’s team, the organization’s human capital experts, and the training organization can improve the effectiveness of workforce cybersecurity programs by spearheading initiatives that will develop the diverse and sophisticated capabilities required to combat increasingly complex cyber threats. CISOs who collaborate with their chief human capital officer (CHCO) allies will ensure that they have the resources and infrastructure in place to build, develop, and sustain a resilient and globally competitive organization.
Deploy Engaging Training Programs
The training organization is tasked with building and executing learning content that supports the enterprise cybersecurity strategy: teaching risk management skills to end-users and enhancing the capabilities of cyber professionals to improve business performance. Critical to consider is the knowledge and know-how needed by everyday users versus true cybersecurity professionals, and the different motivators that will lead to success for each group.
Traditional end-user security awareness training programs often lack requisite accountability and vigilance. They frequently are flat and lack the necessary impact. Cybersecurity awareness is no longer optional; instead of investing scarce training dollars in standard in-house or costly offsite development programs that often don’t deliver measurable return on investment, savvy organizations offer flexible and immersive learning programs tailored to specific enterprise goals.
Training content must be rich and engaging for unique cyber talent populations; the in-demand experts are motivated by challenge and looking for the next growth opportunity. For example, channel a hacker-like propensity to break code into risk reduction expertise that secures the organization’s most valuable assets in the cyber domain. Realistic hands-on training and development simulations that replicate real-world environments will not only ensure that these cyber warriors keep their skills sharp but also enable them to grow within the organization rather than pursue opportunities elsewhere.
Monitor Success of Initiatives
After new programs are deployed, continuously evaluate the impact of training and development efforts by measuring employee awareness, behaviors, and capabilities. Are you achieving the objectives outlined in the enterprise cybersecurity strategy? Iteratively update learning tools to ensure the ongoing effectiveness of the organization’s response to a constantly evolving threat landscape.