Fully 70 per cent of data breaches, in fact, can be linked to insider threat. Rarely does a day go by without a high-profile “phishing” or “whaling” attack flashing across a news site.
For the uninitiated, phishing is a targeted email pretending to be from a business you personally use, such as your bank or utility company. Other phishing emails are crafted to look like they come from a co-worker. These emails scam employees into opening malicious links or sharing sensitive documents. Whaling is the same thing in the big leagues, targeting C-level executives. Recent phishing or whaling victims have included Snapchat, Seagate, and Austrian aircraft company FACC, which promptly fired its CEO for losing the company €50 million ($55.8 million).
At the same time, talk of cyber security is making headlines in national papers. This spread of cyber security into mass consciousness is finally making it a boardroom issue, with spending on security solutions increasing rapidly. For example, PwC found that 65 per cent of businesses now collaborate with external organisations to improve cyber security and reduce cyber-risks, up from 50 per cent in 2013.
So yes, news and information is out there in plenty, but the problem is, it is still not being made tangible where it matters most.
Repetition is NOT the mother of learning
The average price tag for mitigating breaches is $4 million, according to the Ponemon Institute. The financial incentive is certainly there for organisations to do more about shoring up IT security. But that is also part of the problem. IT strategy is currently centred around cost—vital for increasing boardroom awareness, but distant and unimportant to everyday employees. Insider threat requires a different kind of approach that focuses on the actions of employees in real-time.
The Global State of Information Security Survey 2016, conducted by PwC, found that 53 per cent of organisations have employee security awareness and training programmes in place. But many of these are ineffective. A lot of training material currently is video-based or centres around day-long workshops. These work well in the moment, but tend to be forgotten in a week’s time as workers slot back into their routines.
Standard soft approaches to cybercrime awareness miss a crucial component: in order for employees to get involved in cybercrime prevention, they need to feel responsible. If you keep repeating that cyber security is important, it may stick, but it often does not create a tangible response should a threat appear.
Think about it like this: malware and ransomware hit businesses unaware, as do DDoS attacks. So why do we think that the best way to educate people on this myriad of threats is to have them watch a series of videos? Police and military undergo real-life training exercises to put scenario learning into practice. Why not do the same thing for enterprise information security?
Shock, not scarecrow, tactics
The premise of shock tactics in cybersecurity is that only by experiencing an attack or breach can you fully fathom how cybercrime works: quickly and without warning.
Do not confuse this with Amazon’s infamous tactics against theft in its warehouses when staff were surrounded with videos of former colleagues caught in the act. It’s not about making your employees into an example or singling anyone out; it is about making the issue feel real. This can be done privately and the examples still used for broader communications without embarrassing anyone.
So, what kind of tactics are we talking about?
First, with data being one of the key commodities in cybercrime, you could try to make your business’ security perimeter “sink or swim” by faking data loss. A simple but effective measure is a series of targeted phishing attacks on the most exposed departments, or even the entire company, carried out by white-hat hackers. This approach exposes vulnerabilities without actually compromising any information. Afterwards, the phished employee would be told that it was a training exercise.
If this tactic exposes a wider vulnerability to phishing, you should keep running the attacks on an ad-hoc basis. Make sure you do not shame individual employees, but do debrief them and report results internally to broaden awareness. Consider the addition of tools designed to provide real-time feedback when an employee gets phished. Think of it like a reverse version of “crying wolf”—if you do it enough times, employees will think long and hard before clicking on any links.
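The exercise described in the two paragraphs above, as an added example that is not part of the original article: a small Python script (function names and the sample data are assumptions, constructed here) that aggregates simulated-campaign results per department rather than per person, flags departments where the click rate warrants a follow-up round, and builds the immediate “this was a training exercise” feedback message the text recommends.

```python
from collections import defaultdict

# Constructed sample events from one simulated phishing campaign (not real data).
# One record per recipient: what they did with the simulated lure.
EVENTS = [
    {"user": "u001", "dept": "finance", "action": "clicked"},
    {"user": "u002", "dept": "finance", "action": "clicked"},
    {"user": "u003", "dept": "finance", "action": "reported"},
    {"user": "u004", "dept": "finance", "action": "ignored"},
    {"user": "u005", "dept": "engineering", "action": "reported"},
    {"user": "u006", "dept": "engineering", "action": "reported"},
    {"user": "u007", "dept": "engineering", "action": "reported"},
    {"user": "u008", "dept": "engineering", "action": "ignored"},
    {"user": "u009", "dept": "sales", "action": "clicked"},
    {"user": "u010", "dept": "sales", "action": "ignored"},
]

FEEDBACK = (
    "This was a training exercise run by your security team. No data was taken. "
    "Next time, check the sender address and report suspicious mail via the phishing button."
)


def summarise_by_department(events):
    """Aggregate outcomes per department; the result carries no individual identifiers,
    so it can be circulated internally without singling anyone out."""
    counts = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for e in events:
        c = counts[e["dept"]]
        c["delivered"] += 1
        if e["action"] in ("clicked", "reported"):
            c[e["action"]] += 1
    return {
        d: {
            "delivered": c["delivered"],
            "click_rate": round(c["clicked"] / c["delivered"], 2),
            "report_rate": round(c["reported"] / c["delivered"], 2),
        }
        for d, c in counts.items()
    }


def overall_click_rate(events):
    """Company-wide click rate, used to decide whether ad-hoc rounds should continue."""
    clicked = sum(1 for e in events if e["action"] == "clicked")
    return round(clicked / len(events), 2)


def departments_needing_followup(summary, threshold=0.2):
    """Departments whose click rate is at or above the threshold get another round."""
    return sorted(d for d, s in summary.items() if s["click_rate"] >= threshold)


def feedback_for(event):
    """Real-time debrief text for a recipient who clicked; others get a short thank-you."""
    if event["action"] == "clicked":
        return FEEDBACK
    return "Thanks for handling the simulated phishing mail correctly."
```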
Putting a face to cybercrime
Other tactics could involve hiring third-party security consultants introduced as IT support, visitors or even building cleaners. Their task would actually be testing how easy it is to penetrate the physical and cyber security of your business, with the sole aim of gaining access to sensitive information. This makes the threat more physical, showing that cybercrime is not just something in the ether, but has a face, a name and tools to penetrate systems at any given time. Again, debriefing is vital to demonstrating the seriousness of the situation, along with CCTV footage of the exercise, to help staff learn from the experience.
These are just a few of the tactics available, but when combined with regular company-wide communication on breach and risk and examples of high-profile cybercrime cases stemming from human error, you can deliver a comprehensive and effective training programme. You could even look into balancing this with the occasional fun security event or an engaging speaker to open up the wider conversation around security.
The key is to make cyber security feel like a grassroots exercise, not something inconsequential enacted only from the top down. Engage your employees now and be prepared before your time comes.
Rick Orloff is the chief security officer at Code42.