Almost daily there is news of compromises by well-funded, well-resourced attackers, and this has raised the profile of cyber security to the point where data-breach headlines are now mainstream. Reports documenting the skill and persistence of attackers are released regularly. Advanced attacks such as spear phishing, watering-hole sites booby-trapped with custom malware and zero-day exploits are all reported on an almost weekly basis. And these attacks have one thing in common: they target individuals.
Yet most organisations still rely only on traditional technical controls such as antivirus, firewalls and security information and event management (SIEM) to protect their critical assets. The growing importance of employee security awareness is overlooked; only basic awareness training is given, and the available resources are spent on deploying and testing the technical controls.
People and process are frequently disregarded when it comes to improving security posture, partly because the risk they pose to an organisation is difficult to measure and track. This has been a crucial issue in cyber security for many years. Organisations that take a traditional risk-based approach will struggle to get buy-in from senior management to address a risk they have not been able to quantify, or in many cases even prove exists.
Where Companies are Most Vulnerable
The problem is that attackers are turning away from penetrating hardened external infrastructure and technology towards a much weaker area: employees. The reason is simple. An organisation that already recognises the need for security technology will, for the most part, bolster its perimeter to the point where the attacker's easiest way in is to target its people.
At that stage, failing to improve the security of personnel and processes almost entirely undermines the investment in technology-based solutions; an attacker will simply step around them.
With so much information about an organisation's employees available online, the most common way to exploit them is a phishing email that targets the user and tries to entice them into clicking a link or opening an attachment. The lures range from promised deals and offers to emails that purport to be invoices or bank statements. Phishing assessments against employees have shown that as many as 60% to 90% of staff are susceptible to these attacks, effectively letting an attacker jump straight over the traditional controls so many organisations are still heavily investing in and relying on.
Training Your Employees
To combat this, practical security awareness training needs to take place frequently, in addition to the traditional awareness training most organisations already run. Managed phishing assessments, for example, act as a 'cyber fire drill' for employees, regularly exposing them to realistic attacks in a controlled environment. It is not unusual in these exercises for an organisation to show 80% susceptibility in the first assessment and then fall to less than 10% by the second or third. Few organisations see anywhere near that reduction from the traditional training they currently use.
One of the more interesting parts of these engagements is observing what users do when they actually detect an attack, because often they do not know the correct process to follow. This brings in the second critical factor: process. When employees fail to report attacks to the right part of the business, the organisation ends up with greater exposure than it would otherwise have had. As part of training, employees should be told exactly who in the IT or security team to notify when they think they may have clicked a link or opened an attachment they should not have.
Exposing employees to controlled attacks regularly not only teaches them how to spot them, but also hammers home the security process to follow – dramatically reducing the organisation’s exposure to attack.
Top five tips to protect employees from hackers:
- Do not rely solely on security technology.
- Teach employees to think before they click; no security technology stops every malicious email, so they must stay vigilant.
- Get employees to recognise bogus emails and not to click an untrusted attachment or link.
- Carry out regular phishing assessments.
- Train staff in the proper process for reporting phishing emails and whom to notify if they clicked, whether deliberately or by mistake; ideally the report should be made within 15 minutes.
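As an added example, and not part of the original article, the Python script below checks a constructed sample email for the cues the tips above ask staff to look for before they click: a Reply-To that does not match the sender, a link whose visible address differs from where it actually goes, a host that borrows the sender's brand name, and a "document" attachment that is really an executable. The sample message, addresses and domain names are all made up for illustration, and the registrable-domain check is a deliberate approximation (last two labels, no public-suffix list).

```python
"""Triage a suspected phishing email for the cues staff are told to look for."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute when opened; a "document" carrying one is a classic lure.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}

# Constructed sample (not a real phish): an "invoice" lure whose visible link names
# the bank but whose href points at a lookalike host, plus a .pdf.exe attachment.
SAMPLE_EMAIL = """\
From: "Accounts" <accounts@examplebank.com>
Reply-To: collections@examplebank-secure.net
To: employee@example.org
Subject: Overdue invoice 4471 - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is overdue. Review it at
<a href="http://examplebank.com.login-verify.example/inv">https://www.examplebank.com/invoices</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="invoice_4471.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _registrable(host):
    """Crude registrable-domain approximation: the last two labels (assumption, no PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    sender = _domain(msg["From"])
    reply_to = _domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        indicators.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    brand = sender.split(".")[0] if sender else ""  # e.g. "examplebank"

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            stem, _, ext = filename.lower().rpartition(".")
            if "." + ext in EXECUTABLE_EXTS:
                kind = "hides an executable behind a double extension" if "." in stem else "is directly executable"
                indicators.append(f"attachment {filename} {kind}")
            continue
        if part.get_content_type() == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            for text, href in collector.links:
                href_host = urlparse(href).hostname or ""
                # Visible text that is itself a URL must point where it claims to.
                shown_host = urlparse(text).hostname if "://" in text else None
                if shown_host and _registrable(shown_host) != _registrable(href_host):
                    indicators.append(f"link text shows {shown_host} but goes to {href_host}")
                # The sender's brand appears in the host, but the registrable domain is someone else's.
                if brand and brand in href_host and _registrable(href_host) != _registrable(sender):
                    indicators.append(f"lookalike host {href_host} borrows the name {brand}")
    return indicators


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print("-", line)
```

The script is a teaching aid for the "hover before you click" habit rather than a mail filter: it surfaces the same four things a trained employee should notice by eye, and it reports the matched text so the cue can be discussed during a phishing debrief.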
When considering cyber security, the emphasis tends to fall on the latest technology and the latest programmes, which are constantly evolving and updating. Amid all that innovation, the people and processes that every organisation depends on too often receive very little consideration. Disregarding these elements is dangerous, because once the technology has been dealt with, all that is left for an attacker to target is people.