In a recent article, we referenced the term “human layer” to describe the employees of an organization and described the importance of remaining vigilant when it comes to providing security training, and then testing whether that training is getting through. Indeed, as anyone in IT Security will tell you, humans are (just about) always the weakest link in an organization’s security posture.
Company executives have asked the same question millions of times, “How much will it cost to protect us?” Unfortunately, this question cannot always be answered in dollars and cents. Certainly, expensive new technological toys that do impressive things are very powerful assets in protecting an organization’s systems and data, when properly deployed. However, as we have seen happen on countless occasions, even the most advanced technology can be rendered ineffectual when combined with every secure IT environment’s true nemesis: the end-user.
The universal truth of IT security
Many organizations believe that they can spend their way out of security concerns, and that technological controls will make up for any exposure they may have at their human layer. Take an organization’s firewall for example. The term “firewall” certainly conjures an image of something prohibitive and impenetrable. A company can spend almost anything they want on such an appliance; indeed, some may cost well into the six-figures! But even the most advanced systems can be flummoxed when put up against the actions taken by an uneducated or unvigilant end-user.
All things being equal, attackers these days waste little time conducting direct assaults on a network’s perimeter. They may conduct a quick scan to see if there is anything interesting that might be exploitable, but they know that the softest target in an organization is nearly always the end-user. Being able to compromise just one end-user’s account or workstation will give the attacker a foothold in the environment they can then utilize to “pivot” and gain access to other areas of the network.
Hackers toolbox for social engineering
Many hackers’ tools of choice are not terribly sophisticated. Many times their tools consist of information available on social media sites, such as names, titles, and even email addresses. From this information, they are able to build their own organizational chart of the target company and leverage this information when performing their attack. “Social Engineering” is then used by the attacker to manipulate individuals into relinquishing information (e.g. Their login credentials) or into taking an action (e.g. clicking a malicious link, downloading an infected file, etc.).
Another common social engineering technique is USB Drop Attacks or “Baiting”. This consists of literally dropping USB drives which contain malware into a publicly accessible area, such as a parking lot. The drives are typically labeled with something tempting such as “Payroll” or “Confidential”. The numbers vary, but generally 40-60% of USB drives deployed in this way will be inserted into a computer, with many victims going further to even attempt to open files located on the drive.
The steps for strengthening the human layer
Training
The importance of training your end-users to constantly be on the lookout for these hoaxes cannot be understated. Annual security training is not sufficient to keep these items fresh in the minds of your employees. Instead of requiring your workforce to complete security training in the form of one long presentation they are required to sit through once a year, you may consider providing training more frequently in a shorter, more digestible format. This helps to ensure that security is part of the culture and DNA of your organization and that your end-users are always exercising scrutiny and due care in their daily computing habits.
It is important that your training is engaging, otherwise, it is likely to go in one ear and out the other. There are numerous sources of training material available online, or you can even make your own! One of the companies we work with went as far as to create their own IT security training videos, starring members of the IT department and the upper management team in a fictional “cop drama”. This became a quarterly released series that became very popular among the employees who could not wait to see the next installment. This approach checked all the boxes for IT security training: engaging, frequent and demonstrated upper-management’s support of the initiative.
Testing
Periodic testing simulations of your human layer is critical to ensure that the security training you are providing is getting through and being put into practice in your employees’ daily lives. Without testing, there is no way to determine how effective your training program is. We recommend that training be conducted on an ongoing basis, not just once per year and that you employ many different tests covering various aspects of your security training program.
Periodic phishing simulations is one method that you can use to determine whether your end-users are applying appropriate scrutiny to the email they have received. Similarly, other social engineering tests can likewise be performed such as the aforementioned USB Drop Attacks or phone calls attempting to get your end-users to relinquish credentials to an unknown person. The bottom line is, don’t simply rely on the results of the “quiz” you may administer to your end-users at the conclusion of their training, an employee’s ability regurgitate information they were provided in the past 15 minutes is not a good indicator of how they will conduct themselves on a daily basis.
Leadership Follow-Through
If management does not take security seriously, neither will the employees. There must be a genuine consequence if employees are repeatedly found to be non-compliant, as your security posture is only as good as its weakest link. For end-users that flagrantly disregard the importance of safe computing habits, disciplinary consequences up to and including termination should be on the table. Yes, this really is that important!
As an example, we have a client that employs a “three strikes” rule when it comes to their cybersecurity safety. It is important to note that employees can have ‘strikes’ removed. In this example, one strike is removed for every 12 continuous months that an employee goes incident-free since the last strike that was received.
- On the first incident (strike) where an employee falls for a simulated phishing email or other cybersecurity test conducted by the IT Department, they must then complete additional web-based training and their manager is informed of the issue.
- On the second strike, they are given one-on-one training with IT staff and must also meet with the company’s Information Security officer.
- On the third strike, they must meet with the Chief Information officer and a Human Resources representative to be informed that any further failures will result in their termination.
This client informed us that this approach has cut down drastically on the number of security incidents at the company, and further, that it is now extraordinarily rare that an employee will even make it to the “second strike”. Their goal was not to be punitive or to create a culture of fear, but to reinforce their employees’ understanding just how important security is, the importance of remaining ever vigilant, and just how seriously management takes the issue.
To some this seems like a severe program to ensure cybersecurity but what if this were your bank or your healthcare provider? the calculus that must be considered in putting together a security program is not easy. Many factors must be deliberated, various risks weighed, and solutions considered. Management must decide how they wish to approach this issue and understand the likelihood and impact of what could occur if what could go wrong…does.
We are not downplaying the importance of having quality technological systems and controls in place that are appropriate for the size, complexity, and growth objectives of the organization. These are indeed critical factors for the success of an IT Security strategy. We are simply emphasizing the human layer, it is where most organizations carry the bulk of their IT Security risk. We must always be vigilant in educating our employees as to the importance of safe computing habits, and ensure that we are periodically testing those habits and following-through as needed.
Contact Us
Calvetti Ferguson works with middle-market companies, private equity firms, and high-net-worth individuals nationwide. Regardless of the complexity of the compliance, assurance, advisory, or accounting need, our team is ready to help you. Please complete the form below, and we will follow up with you shortly.