Repetitio est mater studiorum (Repetition is the mother of all learning) says a well-known Latin proverb. The same applies to the cybersecurity awareness programmes.
Organisations of all sizes and types, from small to large multinational businesses, from corporations and government agencies to healthcare providers and academic institutions, can be targets of cyber-attacks. From the retail giant Target to recent Uber, Macy’s, Whole Foods, and Delta (and many other) hacks represent some of the examples of massive data breaches.
The cyber threat landscape is rapidly shifting and attackers are using savvy hacking techniques to deploy sophisticated and well-planned strategies. In other words, cyber attackers have shifted their attention to human elements in order to gain access to the organisation’s information systems and resources.
However, many Internet users are not aware of these shifts and other possible dangers in the cyber-space. The most warring fact is that only 38% of global organisations state that they are prepared to handle a sophisticated cyber-attack!
In such a context, awareness is deemed as minimal essentiality required for applying necessary counter-measure strategy for combating threats to our digital security and privacy. Moreover, “security awareness programmes: (1) set the stage for training by changing organisational attitudes to realise the importance of security and the adverse consequences of the failure, and (2) remind users of the procedures o to be followed” (NIST SP 800-12).
So, let us share some common but often forgotten or neglected awareness tips essential for raising cybersecurity profile. These tips can be useful to the creators of organisational cybersecurity awareness programmes but also to business managers and end users.
Although important in everyday life, physical security is often unheeded within the cybersecurity practice. It is, hence, worth of reminding the users of organisational informational resources that our networks, servers, digital devices, data and information are vulnerable to destruction, hence must be physically protected.
The security awareness programmes, therefore, should include an explanation of how physical security is deployed in the working place. This topic should include examples of both unintended erroneous behaviour and malicious intention.
Detachable and Mobile Devices
Lost or damaged removable devices, such as USB or external drives, SD cards and the like, can result in stolen or damaged organisational valuable data but also in financial and reputational losses.
It is, therefore, advisable to include in our cybersecurity awareness programme examples of the types of detachable media, their significance and risk for organisational security and the way of protecting them at all times.
The ‘bring your own device’ (BYOD) or ‘choose your own device’ (CYOD) initiatives’ risks should be contextually woven into the awareness programme. The risks associated with the use of, for example, public Wi-Fi hotspots, ‘free vs proprietary’ VPNs, downloading unsanctioned applications are some of important cybersecurity awareness topics. The password security and authentication risks are compulsory topics for mobile workers.
Generally, remote working, which includes the use of mobile and detachable devices, should be of the utmost cybersecurity awareness concern. Despite numerous benefits, cybersecurity of remote working can be a headache for companies, their employers or clients. According to the recent reports, every third business in the past 12 months has suffered a data breach thanks to its remote workforce.
Social Media and Phishing
It is well-known that many employees tend to publish a cornucopia of personal (sometimes even business-related) information on social media. This is often a great opportunity for cyber-attackers looking for opportunities for social engineering.
Manipulating employees at all levels, attackers will try to establish their trust by impersonating someone well-known, often senior to them. If succeeded, the attackers are just one step away from sensitive corporate information and data.
It is, hence, important to familiarise employees of a risk of the overuse or misuse of social media. An effective cybersecurity programme should, for example, explain what should and what should not be shared on the social media platforms, indications of fake websites and social media profiles as well as the risks of hazardous behaviour.
It is also highly important to make employees aware of dangerous emails aimed at typical phishing, targeted phishing (spear phishing) or the email compromise. Distinguishing legitimate emails from fake ones can save organisations a fortune.
The above-mentioned attack techniques often take advantage of common human nature such as the desire to be helpful and kind. One of the illustrative examples is when cyber-attackers impersonate helpdesk representatives requiring the employs login details.
Dropbox, Amazon Web Services and Google have a while ago announced huge outages caused by human interaction errors with automated processes of either networking or application changes. As even small human errors can result in the legal noncompliance or huge data and reputation losses, it is essential to familiarise employees with the risks of unintended disclosure, inappropriate disposal of electronic or paper-based sensitive documents, or accidental deletion of important files.
Fileless attacks are a relatively new breed of malicious outbreaks. Fileless, also known as ‘zero-footprint’ or ‘non-malware’ attacks are increasing in use and effectiveness. The rate of fileless malware attacks increased from 3% at the beginning of 2016 to 13% until November 2017. This trend continued throughout 2018 and is expected to endure in 2019.
According to some reports, the fileless attacks are ten times more likely to succeed than traditional, file-based assaults. These assaults do not use malicious links or attachments but utilise vulnerabilities of irregularly updated operating systems or applications.
It is, hence, important to make employees aware that the prevention of these attacks very much depends on the detection and endpoint protection technologies – but also on the employees’ behaviour (e.g. using legacy versions of operating systems or unsanctioned applications).
A Final Word
Many cybersecurity professionals believe that aware and trained employees are the central component of organisational cybersecurity bearing. For organisations of all types it is vital to (1) design and implements a formal cybersecurity training program, (2) frequently test employees’ awareness and (3) regularly share experience about cybersecurity incidents in the organisation.
Not any cybersecurity awareness programme is effective. It is, hence, essential that cybersecurity awareness programmes are delivered by (1) selecting contextual topics (i.e. avoiding off-the-shelf training programmes), (2) making the campaigns engaging, (3) delivering the positive message by avoiding ‘scary’ tactics, and (4) avoiding technical jargon by using plain language.
The costs are often an excuse for not having an appropriate cybersecurity awareness programme in place – so, it is good to remember that “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked” – Richard Clarke.