Training for Security: About Awareness & More
Cybercriminals increasingly target users rather than infrastructure. You train your users in cybersecurity, and you may test them, but do you consider what a passing grade that is less than a perfect score means? Every question a user missed on the assessment corresponds to a skill that wasn't learned, and to a lure that user may still respond to, opening your network to attack.
Phishing Is Top of the List
In my previous No Jitter post, “Enterprises Not Doing Well on Net Protections,” I reported that phishing combined with social engineering was the primary method for obtaining credentials (46% of the threats) and gaining access to IT systems and networks. Software can thwart some of these threats, but the ultimate prevention is users who recognize and avoid them, and that is where adequate, consistent training succeeds.
What Can a Dark Web Scan Do?
You probably don’t know which of your users’ accounts have turned up on the dark web, the collection of hidden websites reachable only with special software. To find out, you can use a tool like Have I Been Pwned? This free service tells you whether your email address appears in one of the more than 300 data dumps it has indexed, lets you check whether a password appears in those dumps, and will notify you when your email address shows up in a new dump.
If you’re looking to discover whether your credentials have been compromised, this is a useful service. Most pay-for services that claim to scan the dark web are actually looking at the same kind of data dumps.
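The password side of that check can be done without ever sending the password, or even its full hash, to anyone. The following is an added example, not code from the original post or from Have I Been Pwned: it builds the k-anonymity range query the Pwned Passwords API uses (the first five hex characters of the SHA-1 hash go to the service, the remaining 35 stay local) and scans a range response for the local suffix. The sample response body is constructed for this example and its counts are made up; the `fetch_range` helper shows the real API call but is not invoked here, so the block runs offline. Email-address lookups use a separate, authenticated API and are not shown.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def pwned_range_query(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-character
    prefix that is sent to the range API and the 35-character suffix that
    never leaves this machine (k-anonymity: the service sees only the prefix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_count(suffix: str, range_body: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns how many times the password was seen in breach data, 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (network call; not used by the offline demo)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-hygiene-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str, range_body: str) -> int:
    """Combine the two local steps: derive prefix/suffix, then check the body
    returned for that prefix. Callers doing a live check pass fetch_range(prefix)."""
    _prefix, suffix = pwned_range_query(password)
    return match_count(suffix, range_body)


# Constructed sample response for prefix 5BAA6 (NOT real API output; the
# suffixes other than the one for "password" and all counts are made up).
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    prefix, suffix = pwned_range_query("password")
    print(f"sent to service: {prefix}  kept local: {suffix}")
    print("seen in breaches:", is_pwned("password", SAMPLE_RANGE_5BAA6))
```

Because only the five-character prefix travels over the network, the service cannot tell which of the several hundred candidate hashes in that range you were asking about; the comparison happens on your side.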
Am I Taking a Risk?
If you discover an email address associated with one or more external data breaches, take immediate action to minimize the risk: change the passwords on every account that used the exposed credentials, replace them with strong, unique passwords, and enable multi-factor authentication where the service offers it.
If you don’t conduct an employee vulnerability assessment, you’re missing one of the best preventive steps available. Simulated phishing campaigns show what users actually do when they receive phishing email, uncovering risky behavior and gaps in awareness before a real attacker does.
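The assessment only pays off if its results feed back into training. Here is an added example, not code from the original post or from any particular simulation product, of how campaign results are typically turned into metrics and a remediation list: the event log is constructed for this example (a hypothetical platform recording the furthest action each user took on each campaign), and the policy of one failure earning just-in-time feedback and repeat failures earning targeted retraining is an assumption for illustration.

```python
from collections import defaultdict

# Constructed event log (not real data): (user, campaign date, furthest action).
# Actions are ordered by severity; "reported" is the behaviour we want to reinforce.
SIM_EVENTS = [
    ("alice@example.com", "2019-03-04", "reported"),
    ("alice@example.com", "2019-05-13", "reported"),
    ("bob@example.com",   "2019-03-04", "clicked"),
    ("bob@example.com",   "2019-05-13", "submitted"),
    ("carol@example.com", "2019-03-04", "opened"),
    ("carol@example.com", "2019-05-13", "ignored"),
    ("dave@example.com",  "2019-03-04", "submitted"),
    ("dave@example.com",  "2019-05-13", "reported"),
]

FAILING_ACTIONS = {"clicked", "submitted"}   # clicked the lure or entered credentials


def campaign_metrics(events):
    """Per-campaign click, credential-submission and report rates.
    Reporting rate is the number to watch rising over time; click rate alone
    rewards users who simply ignore mail."""
    by_date = defaultdict(list)
    for _user, day, action in events:
        by_date[day].append(action)
    metrics = {}
    for day, actions in sorted(by_date.items()):
        n = len(actions)
        metrics[day] = {
            "sent": n,
            "click_rate": sum(a in FAILING_ACTIONS for a in actions) / n,
            "submit_rate": sum(a == "submitted" for a in actions) / n,
            "report_rate": sum(a == "reported" for a in actions) / n,
        }
    return metrics


def remediation_list(events, repeat_threshold=2):
    """Assumed policy: one failure -> immediate feedback; failures in
    repeat_threshold or more campaigns -> targeted retraining. Users who never
    failed are not listed."""
    failures = defaultdict(int)
    for user, _day, action in events:
        if action in FAILING_ACTIONS:
            failures[user] += 1
    return {
        user: ("retrain" if count >= repeat_threshold else "feedback")
        for user, count in sorted(failures.items())
    }


def consistent_reporters(events):
    """Users who reported every campaign they received: candidates to recognise
    publicly, which does more for culture than another mandatory module."""
    seen, reported = defaultdict(int), defaultdict(int)
    for user, _day, action in events:
        seen[user] += 1
        reported[user] += action == "reported"
    return sorted(u for u in seen if reported[u] == seen[u])


if __name__ == "__main__":
    for day, m in campaign_metrics(SIM_EVENTS).items():
        print(day, m)
    print("remediation:", remediation_list(SIM_EVENTS))
    print("reporters:", consistent_reporters(SIM_EVENTS))
```

Tracking the same users across campaigns is what distinguishes an assessment from a one-off test: the second campaign above shows the click rate halving, but it also shows the one user who went from clicking to submitting credentials, which a single aggregate number would hide.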
What Do I Train On?
Once you’ve conducted the vulnerability assessment, you can improve your protections with education and training. The training should include:
- How to recognize phishing and phone scams
- What the dangers are when using social media and how a user can spot scams
- A rundown of corporate policy and guidance on using a company email address to register for, post to, or receive social media
- Information on how to create strong unique passwords for every account
- Discussion of why users aren’t allowed to install unlicensed software on any company computer, since software from unvetted sources is a common malware delivery channel
- How to avoid using business emails for personal activities
- How to protect mobile devices such as smartphones, laptops, tablets, and USB drives
- Messaging that instills the concept that the door, physical or digital, should always be locked
Studies consistently attribute roughly half of all data breaches to human error or human action, and in most of those cases inadequate training is a contributing factor. What you want is users who act as a human firewall and protect your organization.
Don’t Make It Painful
When I was in military intelligence, security was of paramount interest. I attended many security classes, but unfortunately some of them were extremely boring and didn’t motivate me very well. On the other hand, the penalties for breaking security were so severe that I paid attention.
You need to make sure that the security training you deliver is positive, motivates, and engages users, and informs them of the risks that occur if they don’t apply the training they’ve received. Provide meaningful assessment feedback as part of the training. Your organization should foster a culture in which it is safe to raise concerns when users see or suspect something that can impact corporate security. Commit to continuous training. Ensure your users accept that cybersecurity in the workplace is everyone's responsibility.
Executives Are Users, Too
Executives have become a major target because obtaining their credentials opens a wider attack surface than most other users’ credentials do. In its recently released “2019 Data Breach Investigations Report,” Verizon found that senior executives were 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in previous years. Financially motivated social engineering attacks accounted for about 12% of the breaches analyzed.
Don’t Forget the Contractors
Organizations rely on contract workers, developers, consultants, VARs, and MSPs. Because contract jobs are temporary, contractors are often an afterthought in security processes and policies. They are just as much potential cyberattack victims as employees, so they need training to the same degree, and many contractors hold high levels of access and privileges, meaning their credentials are more valuable than the average user’s.
Train, test, and assess: that’s the best advice for keeping attackers from succeeding against any of your user constituencies.