What’s the easiest entrance point for a hacker to attack your organization? People.
In the previous two blogs in this series, we discussed how technology and policies are an integral part of the information security posture needed to protect your business from an attack. However, those efforts will fall short if we don’t also address the human element.
The number one way into an organization is through people. The result may end up exploiting technology vulnerabilities and/or procedural gaps in an organization’s policies, but the entrance almost always comes through people. We have a people problem. If we are going to solve this problem, we must help people understand that information security is part of EVERYONE’S job. This is not just an issue for leadership or IT. EVERYONE has a part to play in protecting information.
Understanding “the why” behind our information security efforts and the important role that everyone should play goes a long way to help people understand their part in the effort. Without the “why,” people see the information security measures as burdensome and impeding their ability to get their work done. We must change the message. We can’t just say “NO! Don’t do things!” We should say “Yes! Do these things …and here’s why!” You will see a remarkable change in people when they realize that we must do this together to protect what’s important to all of us.
The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, published a study in 2016 that uncovered an interesting phenomenon called “Security Fatigue.” In short, people hear about information security attacks, breaches, horror stories, etc., and their response to all of this information is an overwhelming sense of futility: “I can’t understand it, and I can’t keep up with it. Therefore, I’ll do nothing and hope for the best.” This is a dangerous mindset, and it is brought on when we continually wrap the message of information security in fear and scare tactics.
It’s a fact that people are hacked more often than systems, by far. It is also a fact that part of the human condition is to think, “That will never happen to me.” This presents an ongoing challenge that must be addressed.
WHAT TO DO
If you want to successfully assess and address the people side of your information security vulnerabilities and risks, at a minimum you should include these three components in your plans.
- Phishing: It might seem strange, but if we are going to assess our vulnerabilities, we have to test the areas of risk. This includes testing our people.
By now, most people are familiar with phishing scams. We’ve all gotten emails that were unsolicited, poorly written and obvious forgeries. Those are the phishing scams of the past. Today’s hackers are very smart people, highly motivated, and patient enough to perfect the “art of the con.” They are also switching to a far more sophisticated tactic: Spear Phishing. This term refers to the technique that doesn’t cast a wide net by sending a thousand emails; it targets an individual with a single email. It is far more effective to appear trustworthy to one person using information specific to them. This type of email is highly effective and is rarely caught by spam filters. Spear phishing accounts for over 90% of the successful inroads into an organization.
Phishing tests, both emails and phone calls, should be a part of our ongoing information security efforts. The information gained from these tests can be very powerful in educating your people.
- Social Engineering: We shouldn’t stop at phone calls and email phishing tests. The hackers won’t. Gaining access to your organization’s information often gets much more brazen and clever than that. So, we too should include social engineering in our penetration tests and vulnerability assessments.
First, just try to gain access to your space. If someone walks boldly into your office, looking confident and professional, would you stop them? I’ve personally performed this test more times than I can count, and I’ve never been questioned. Why? Because I never look out of place. We may have implemented information security measures at entry points, but we all know how easy it is to tailgate behind another person with access. What if the person behind you has their hands full, or better yet, is using crutches? Polite society dictates that you turn and open the door.
Once in, try to gain information or access to systems. This can be done in many ways:
- Ask the receptionist to print out something from a USB drive for you. USB drives are a very serious vector of attack.
- Drop USB drives around as bait.
- Look for opportunities to be left alone with access to someone’s computer (e.g., while someone goes to get coffee).
- See how far you can walk around before someone speaks to you.
- Look for information readily visible in paper form lying around.
- Pretend to be the electrical contractor called in by IT to address an issue in the wiring closet.
- Cybersecurity Awareness: Once you have the information from your penetration tests and vulnerability assessments, it’s time to use that information for good. An ongoing Cybersecurity Awareness Training program is essential in your information security posture. Here are some key elements of an effective program:
- It should be immersive without being disruptive.
- It should be an ongoing part of the regular dialog within the organization and not just a once-a-year discussion.
- It should include active and visible sponsorship from leaders at all levels of the organization.
- It should include relevant stories of threats facing your industry.
- It should also include relevant stories about your very own organization. This is a good place to inform people of the phishing and social engineering results. NOTE: Don’t go for a “wall of shame” and post names of those who fell for the phishing tests. Sanitize the results, remove names, use percentages, and let people know that this happened right here within your company.
- It should ALWAYS emphasize the WHY and encourage people that we are ALL in this together.
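The note above about sanitizing phishing-test results before sharing them is easy to get wrong in practice: names are dropped, but a percentage for a two-person team still points at an individual. The script below is an added example (not from the original post) showing one way to aggregate simulation results by department with names discarded and small groups pooled; the data is a constructed sample and the departments, threshold and field layout are assumptions.

```python
from collections import defaultdict

# Constructed sample of phishing-simulation results (not real data).
# Each record: (employee name, department, clicked link?, reported email?)
SAMPLE_RESULTS = [
    ("Alice", "Finance", True, False),
    ("Bob", "Finance", False, True),
    ("Carol", "Finance", True, False),
    ("Dan", "Finance", False, False),
    ("Erin", "Engineering", False, True),
    ("Frank", "Engineering", False, True),
    ("Grace", "Engineering", True, False),
    ("Heidi", "Engineering", False, True),
    ("Ivan", "Engineering", False, False),
    ("Judy", "Legal", True, False),   # team too small to report on its own
    ("Ken", "Legal", False, True),
]

def _tally(records):
    """Count sent/clicked/reported for a list of records; names are never kept."""
    return {"sent": len(records),
            "clicked": sum(1 for r in records if r[2]),
            "reported": sum(1 for r in records if r[3])}

def _rates(t):
    """Turn raw counts into whole-number percentages for the awareness report."""
    return {"sent": t["sent"],
            "click_rate": round(100 * t["clicked"] / t["sent"]),
            "report_rate": round(100 * t["reported"] / t["sent"])}

def summarize(results, min_group=4):
    """Per-department rates; departments smaller than min_group are pooled
    into "Other" so a rate cannot be traced back to one person."""
    by_dept = defaultdict(list)
    for rec in results:
        by_dept[rec[1]].append(rec)
    pooled = defaultdict(list)
    for dept, recs in by_dept.items():
        pooled[dept if len(recs) >= min_group else "Other"].extend(recs)
    return {dept: _rates(_tally(recs)) for dept, recs in pooled.items()}

def org_totals(results):
    """Company-wide rates, the headline number for the awareness session."""
    return _rates(_tally(results))

if __name__ == "__main__":
    for dept, row in sorted(summarize(SAMPLE_RESULTS).items()):
        print(f"{dept}: {row['sent']} sent, {row['click_rate']}% clicked, "
              f"{row['report_rate']}% reported")
    print("Whole company:", org_totals(SAMPLE_RESULTS))
```

If only one department falls under the threshold, "Other" is still that single small team, so check the pooled group size before publishing it.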
People are our biggest asset, and business leaders need to invest in educating people as to their role in protecting the valuable information we interact with every day. Help them find their “WHY” in this effort and how important they are. One person can make all the difference in the world.
Technology, policies and people all work together to make up your overall information security posture. None of them stands alone. A gap in any one of them puts your company in a vulnerable place. It takes effort to maintain each, but it is worth it to avoid the burdens of a breach!