For all the talk about the importance of new security technologies, the importance of staff buying into corporate security strategies is often underestimated. In every case, the predictable result is the same: a strong technological barrier whose effectiveness is immediately compromised once a legitimate user, with legitimate access to internal resources, clicks on a phishing email designed to load malware onto their computer.
You'd think employees had learned by now not to click on suspicious emails, but statistics show that organizations continue to be compromised in this manner – confirming that threat actors are getting better at their work every day. Today's 'spear-phishing' attacks have honed earlier broad-brush attacks to a fine art, targeting individuals with emails that incorporate personally relevant information that is often extremely convincing – and often sourced directly from the target's LinkedIn or Facebook profiles.
Filtering such emails is extremely difficult because they don't seem outwardly malicious, and asking users not to click on these emails is a futile exercise for the same reason. Yet with more malware in circulation than ever, it's crucial for CSOs to help their employees kick their dangerous habits – and start helping build a corporate security strategy that relies on more than just hope.
Instead, organisations should consider following the example of companies like Dell SecureWorks, which trains its employees not only to ignore suspicious emails but also to confirm with “known” senders that they did in fact send the email in question before clicking on an enclosed link or attachment. Dell SecureWorks also regularly tests its employees’ resolve by peppering them with carefully crafted phishing emails designed to catch them out.
“Security awareness training is absolutely paramount when trying to ensure that your employees are not going to click on email links or attachments, even if they appear to be legitimate and relevant,” Simon Ractliffe, Dell SecureWorks’ ANZ director and general manager, explains.
“Our organisation does sample spear-phishing exercises on its own staff and I'm nervous about clicking on anything from any group that I'm not familiar with. We're being driven to be incredibly security conscious – and when you hear about some of the recent cyber cases, it's understandable why. Phishers are becoming so clever and targeted that they go straight for you.”
The message is getting through – to IT executives, at least – with a recent survey of 2400 CIOs by Robert Half Technology finding that 54 percent of the respondents were planning to enhance employee training on security issues within the next 12 months.
This was the most frequently cited security improvement planned for the coming year, followed by 41 percent who said they would add tools or enlist third-party vendors to improve their IT security.
These results reflect the growing acknowledgement that users remain as important as technology when it comes to improving overall IT security. Ractliffe believes this 'human firewall' is going to become even more important over time, as threat actors continue to refine their dark art and user-awareness training “absolutely goes off the dial in terms of being front of mind.”
A growing track record of breaches due to human error is reinforcing the importance of having an effective human firewall in place. Most recently, the alleged $1 billion-plus theft by the 'Carbanak' cyber gang, from banks in 30 countries, was attributed to poor staff training that resulted in banking staff unwittingly succumbing to spear-phishing attacks. Indeed, low-tech attacks can often still be frighteningly effective: in one study, researchers could view sensitive information just by looking around an office – 88 percent of the time.
Plugging the gaps
While enlisting humans to the IT security defence has become critical, the human firewall requires constant attention, testing, and improvement for one very simple reason: it is built around humans.
“'To err is human' goes the old maxim,” Ractliffe says. “And humans err lots!”
“You've got to know that everything is working 100 percent,” he continues, “even though you know that with any security defence involving humans, a mistake or two is bound to be made.”
“Even the folks with the best training and intentions can get tripped up. You're pressured for time, have a weak moment, and you see something that sparks your interest just for that second. You click, and suddenly you're in trouble.”
Experience with new strains of malware such as the CryptoLocker and CryptoWall ransomware has shown infections to be insidious and potentially catastrophic. If malware does slip past the best human and technological defences, one of the most important countermeasures is to respond to it in a timely and effective manner. At first glance, this might seem to be easy, but today's threats are carefully designed to work in such a stealthy way that infections often go for weeks or months before being detected.
Indeed, a recent survey of malware infections found that it takes a median of 205 days for an organisation to detect a security breach – far longer than any reasonable security remediation protocol would allow.
“A lot of executives are still not up to speed on how important timeliness is when it comes to responding to a cyber incident,” Ractliffe says. “But if they have a hacker that's on an existing system, whenever new information gets logged back to their core systems, the hacker knows about it immediately – and it's likely to be exfiltrated within minutes of it hitting your server.”
“These intruders are not just targeting the company at a particular time,” he adds. “They are likely to be actively monitoring the flow of company information utilising malware that is resident on the network. When it comes to malware, they really are watching you – but a lot of people haven't quite grasped that yet.”
For this reason, organisations are increasingly augmenting their human firewalls with analysis systems, expertise and tools – whether delivered as managed services, or hosted in-house – which can assist in shortening the time to detection and action.
Endpoint-protection tools, for example, can monitor traffic to and from a range of devices in real time and, if anomalies are detected, immediately pull a device off of the network until the matter is thoroughly investigated.
“We're seeing significant interest in a combination of those very clever technologies which can now sit on the endpoint, combined with 24x7 monitoring, detection and response,” Ractliffe explains. “We can pull that device off the network immediately if we see that it has been compromised. Then we can run an incident response exercise, discovering how the endpoint was infected, what the full scope of the attack is, how best to eradicate the threat and lastly, help the client prevent the attack from happening again. The client can make a very clear decision on what they want to do about it.”