Headlines have suggested that enterprises need a higher level of security awareness ever since it became clear that firewalls are not enough. Though IT and security leaders are often blamed for an incident, the reality is that security isn’t only security’s job or IT’s job. It’s everyone’s job. And if it’s everyone’s job, then every employee in an organization needs to develop enough sensitivity to the current threats, whatever they may be, to stay mindful and vigilant. In short, everyone should adopt a Zero Trust mindset, which requires a Zero Trust culture.
Achieving a Zero Trust mindset throughout the enterprise can be challenging because it runs counter to the common human belief that people are generally well-intentioned. As children, we’re taught not to trust everyone and as adults we are reminded from time to time, such as when we read stories about cyber crime. However, reading about incidents isn’t the same as experiencing one, which is why security awareness training should be immersive.
One of the problems companies run into with a dedicated training session is that the knowledge is not retained after the student leaves the classroom. Recognizing that, some companies have gamified security training. They explain what a type of threat is and why it can be difficult to identify. Then, students are tested with several varied examples, so the student must think hard before taking any action, and each action is graded. This immersive approach gives the non-security professional hands-on experience with an issue and provides a more impactful learning experience than sitting through a talking head or PowerPoint presentation.
Some organizations use micro learnings as a way of keeping security top of mind. That way, employees get snack-sized pieces of information that are easy to integrate into the average workday.
Regardless, security training is becoming non-optional for employees because every business can be victimized directly or indirectly via a third party.
Below are some of the topics that should be covered as part of security awareness.
Phishing and Spear Phishing
Phishing is a popular tool in a hacker’s toolbox because it’s effective. Why bother with a brute force attack when someone will happily hand over their credentials or share sensitive information? Phishing is so common that most individuals have likely been hit with it several times, some of which were immediately redirected to a spam folder.
Some phishing campaigns that haven’t been automatically filtered out are obvious given the way they’re written or because the creators did a poor job of emulating a brand. However, phishing techniques continue to improve over time so:
- They don’t include typos.
- They look like they come from a trusted brand.
- They appear to have been sent by someone the victim knows, whether it’s the CEO or a friend.
- The message content is plausible or relevant enough to evade detection unless the victim has their guard up.
Phishing success depends on human frailty. Humans get tired. They get distracted. For whatever reason, one second of failing to be vigilant can have dire consequences for the individual and the company for which they work.
Less common, though also popular, is spear phishing, which specifically targets an individual. That individual tends to have a lot of power, money, or something else the bad actor desires, including credentials. Effective spear phishing requires some intelligence gathering beforehand so the victim is more likely to take the action a bad actor wants. Company executives and key people with access to systems or data are likely targets.
Everyone should assume that they’re being phished and look at their emails through that lens.
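Two of the traits listed above, a message that looks like it comes from a trusted brand and one that appears to come from a known person such as the CEO, can be turned into a concrete check that awareness training can walk through. The following Python snippet is an added example, not code from the original article; the allow-list of trusted senders and the three sample messages are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list (hypothetical values): display names the recipient
# trusts, mapped to the domain their genuine mail actually comes from.
KNOWN_SENDERS = {
    "Example Bank": "examplebank.com",   # a trusted brand
    "Jane Doe": "example.com",           # the CEO
}

def lookalike(domain: str, legit: str) -> bool:
    """True when 'domain' imitates 'legit': the legitimate label is embedded in a
    longer one (example-corp.com) or differs by a character or two (examp1ebank.com)."""
    if domain == legit:
        return False
    cand, base = domain.split(".")[0], legit.split(".")[0]
    if base in cand:
        return True
    return SequenceMatcher(None, cand, base).ratio() >= 0.8

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    findings = []
    for trusted_name, legit_domain in KNOWN_SENDERS.items():
        if sender_domain == legit_domain:
            continue  # mail really comes from the expected domain
        # Trait: a trusted name in the display name, but the wrong sending domain.
        if trusted_name.lower() in display_name.lower():
            findings.append(f"display name '{display_name}' but sender domain "
                            f"{sender_domain} is not {legit_domain}")
        # Trait: a sending domain crafted to resemble the trusted one.
        if lookalike(sender_domain, legit_domain):
            findings.append(f"sender domain {sender_domain} resembles {legit_domain}")
    return findings

# Constructed sample messages for a training exercise (not real mail).
CEO_SPOOF = "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Urgent wire\n\nPlease handle this today.\n"
BRAND_SPOOF = "From: Example Bank Alerts <alerts@examp1ebank.com>\nSubject: Verify your account\n\nClick to verify.\n"
GENUINE = "From: Jane Doe <jane.doe@example.com>\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for label, sample in [("CEO spoof", CEO_SPOOF), ("brand spoof", BRAND_SPOOF), ("genuine", GENUINE)]:
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The similarity threshold is deliberately simple; a production mail gateway would also evaluate authentication results (SPF, DKIM, DMARC) rather than the From header alone.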
Malware
Malware is injected in all sorts of things – open source projects, emails, protocols (e.g., SSL), applications, firmware, specific vendor products (e.g., Adobe Flash), etc.
Clearly, email is something that applies to everyone. Since phishing and malware often go hand-in-hand, employees should be reminded yet again to avoid clicking on links in emails, texts, and now even chats, if they don’t recognize the sender. For example, Slack users with Android phones were advised to change their login credentials earlier this year, reportedly because Slack dropped the ball.
IT and developers need to understand the threats present in the technology they’re building and using. For example, Google and the Open Source Security Foundation just released Scorecard 2.0 because bad actors may be installing back doors in projects or injecting malware. GitHub recently said, “we’ve unfortunately also seen a wide variety of bad actors abusing Actions, affecting service performance, and causing denial of service to open source projects.” Bad actors are intentionally trying to disrupt the software supply chain via open source.
IT and developers should understand how various pieces of the tech stack could be compromised and what they need to do about it.
Ransomware
Ransomware is on everyone’s mind and it’s been evolving. Originally, hackers encrypted files and demanded a ransom for the decryption key. Later, a second “double” ransom was added for not publishing the information they’ve stolen. Now there’s a third layer, the “triple” ransom, which targets the individuals whose data was stolen. If they don’t want it published on the Dark Web for sale, pay up. Now.
Recent attacks such as JBS and Colonial Pipeline demonstrate what can happen when a critical supply chain element is compromised. Business as usual stops suddenly to help control the blast radius of the attack. The more recent attack on Kaseya, which provides IT management software to MSPs and IT organizations, has been called the largest ransomware attack in history. The attack affects three layers of victims: Kaseya, its customers, and the MSPs’ customers. While the total number of victims is unknown at this time, the attack is affecting organizations internationally and it may prove fatal to some businesses. Reportedly, REvil, a highly organized and sophisticated hacking group, is demanding $70 million for a universal decryptor.
Shadow IT
Shadow IT has been on the rise since lines of business started having their own IT budgets. While the problem started with Macs and evolved over time into BYOD, the line-of-business IT budgets “legitimize” shadow IT in some sense. However, non-technical people tend not to realize the potential consequences of their actions, such as:
- Inheriting security vulnerabilities or creating gaps in the company’s security fabric.
- Requiring IT’s assistance after-the-fact, which could tax the IT budget if IT is not charging business units for work.
- Duplicating a system another line of business uses, which leads to higher licensing costs for the organization.
IT and security should be included in tech procurement discussions to avoid the above issues and potentially others. Alternatively, some organizations are creating their own internal marketplace, managed by IT, so that all of the users’ application choices have been vetted ahead of time. That way, users still have options to choose from, but unlike any arbitrary option out in the market, those options are sanctioned by IT and, ideally, by security.
Preparedness And Response
CISOs realize that security incidents are not a matter of “if” but “when.” It’s important that everyone in the organization understands whom to contact if they notice a suspicious email or odd behavior, for example. Most people don’t need to understand the entire incident response plan, but there are stakeholders, such as organizational leaders, who need to understand what they must do to help manage the situation.
Since cyber security incidents aren’t all the same (e.g., DDoS, phishing, ransomware), an incident response plan should contemplate a range of plausible scenarios and what to do should they occur.