Organizations of every size are starting to realize that when it comes to information security, inside threats are as significant as outside threats — and they’re starting to do something about it.
That something is increased spending on security awareness computer-based training (CBT), a market that Gartner’s latest forecast describes as growing “big time” and pegs at 13 percent global growth. In late 2014, the overall security awareness training market (including CBT) was estimated at $1 billion by Andrew Walls, Research Vice President for Security, Risk and Privacy at Gartner. That same figure is still regularly quoted in the media and by vendors.
While the annals of hacking are studded with tales of clever coders finding flaws in systems to achieve malevolent ends, the fact is most cyber attacks begin with a simple email. Both Trend Micro and PhishMe have found that more than 90 percent of successful hacks and data breaches stem from phishing: emails crafted to lure their recipients into clicking a link, opening a document or forwarding information to someone they shouldn’t.
“Cybercriminals commonly deliver malware through fraudulent, misleading emails purporting to contain family photos, important documents or retail offers that are too good to be true,” Anuj Goel, co-founder of Cyware Labs, maker of a cybersecurity awareness and intelligence-sharing platform, explains in an article at SecurityIntelligence, an IBM website.
“Many organizations deploy phishing filters, advanced firewalls, network access controls and endpoint scanning tools to mitigate this threat,” he says, “but no technology can account for human error entirely.”
Kevin Mitnick, an infamous hacker who’s now a security consultant and Chief Hacking Officer at KnowBe4, adds, “You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
That’s because attackers need only find one flaw in a system’s defenses, while defenders must find and defend every attack point in theirs.
“A company that includes 1,000 employees with poor online hygiene has 1,000 insecure endpoints,” writes Goel.
Designing a malicious email campaign to deliver malware to each of those flesh-and-blood endpoints is child’s play for a net bandit, who knows he needs only one careless employee to make that campaign a success. Meanwhile, IT teams need to protect each of those endpoints, plus every other weak point in the system.
“If humans are the primary targets of cybercriminals, they ought to be prepared, informed and weaponized as the first line of defense,” Goel writes.
An Effective Weapon
Awareness training plays an important part in the weaponization process. “Training employees on security will immediately bolster the cyber defenses at most companies,” says Lawrence Pingree, a research director at Gartner, because most data breaches are based on “exploiting common user knowledge gaps to social engineer them to install malware or give away their credentials.”
Phishing identification training definitely bolstered Wells Fargo’s cyber defenses, notes Chief Information Security Officer Rich Baich. Through the use of various security awareness techniques, he says, workforce susceptibility to phishing declined by more than 40 percent.
“Building a strong cyber culture requires an investment of time and resources,” Baich notes. “Periodic updates and enhancements to existing cyber hygiene practices can drive more awareness resulting in a more educated work force dedicated to healthy cyber practices.”
Anyone seeking to reap the benefits of awareness training, though, needs to know that it’s a continuous process. “Whatever training they may have done, any and all employees need to be sent simulated phishing attacks twice a month, or at the very least once a month to be effective,” says Stu Sjouwerman, KnowBe4’s CEO.
At the City of San Diego, for instance, security incidents related to phishing dropped 15 to 20 percent during the first year of its security awareness program, but then they began to rise again. “I have been told this is the norm,” says CISO Gary Hayslip, “which is why we are requiring our training to be an annual requirement for personnel and we are looking at adding a separate phishing training component since it is one of our biggest issues.” Hayslip is also author of the book CISO Desk Reference Guide: A Practical Guide for CISOs — which covers the security awareness training topic given its importance to his peers.
Even when awareness training is frequently reinforced, though, employees still make mistakes, which is why other security measures will always be necessary. “While the policies and training are crucial, we need to get better at ‘idiot-proofing’ our technology so that even if people do the wrong thing, the malware doesn’t run or doesn’t achieve its goals,” Jim Kent, global head of security and intelligence at Nuix, a maker of a platform for indexing, searching, analyzing and extracting knowledge from unstructured data, wrote in Security InfoWatch.
Whether progress is made in idiot-proofing defenses or not, users are going to be a crucial part of any organization’s information security, and training those users to recognize the overtures of malicious actors will be critical to hardening the “people layer” against cyberattacks.