Investing in your employees by providing them with the knowledge to help them detect suspicious activity will not only improve your chances of uncovering malicious activity across your network, it will also assist your employees in protecting themselves when they are using the internet at home. And hopefully, if the messages are clear and strong enough, they will share this new-found knowledge with family and friends, further extending the benefit.
Organisations of differing sizes, budgets and risk profiles will face different challenges when putting together a user awareness programme. However, there are several general principles that should be followed to ensure that your campaign has maximum impact.
Keep it simple
Focusing on the most common information security risks your employees are likely to face at work is a good way to ensure that your programme has the maximum impact possible. People only have so much time in their day, so keeping things focused on these key risks is very important. The risks will differ slightly from organisation to organisation. Lance Spitzner, from the SANS Institute, has distilled the top risks into seven key areas:
- Help employees understand why they are a target: making it clear to employees why they are an attractive target for cyber attackers grabs their attention. As a result, they are much more likely to listen to the advice that follows.
- Phishing/Spear Phishing: one of the most common threat vectors employees are likely to face. Explaining the concept of phishing and spear phishing clearly, and giving employees practical but simple tips on how they can better defend themselves, is one of the most valuable aspects of any user awareness campaign.
- Password reuse: explaining to employees why passwords are so desirable to attackers, and what the pitfalls of reusing a password across accounts can lead to (one breached site exposes every other account that shares the password), is in my experience often an enlightening topic.
- Keeping devices updated: most people see software updates as a laborious task. Making it clear why it is important to update your software and how it can prevent an attack succeeding is an essential topic.
- Removable media: illustrating, with case studies, how removable media (like USB sticks) can be used to deploy malware can be a powerful way of encouraging people to adhere to best practice and policies within your organisation.
- Data leakage via social networks: people might be aware that they shouldn’t post sensitive personal information on social media. However, most people are not aware of the lengths sophisticated attackers will go to in trawling for open-source information (job titles, colleagues, suppliers, travel plans) during the reconnaissance phase of a prospective attack.
- Accidental disclosure/loss: a large portion of data leakage occurs through accidental disclosure/loss. In addition to data classification and robust policies, user awareness is a key way of mitigating this risk. This can be achieved by making people more aware of the types of information they should not be sharing with third parties, the importance of a clear desk policy and sharing anecdotes from cases when important data has been lost in this way.
Using these key areas as the basis for your content is a great place to start before applying them more directly to your specific environment.
Alongside all of this, an essential goal of your awareness-raising content should be to ensure that your employees know how to report suspicious activity within your organisation. Ideally, you will want your employees to act as human intrusion detection systems. They won’t be right all of the time and there will be false positives. Therefore, it is important to have a clear and practical policy in place for what should be reported and to whom. By utilising your employees in this way you are empowering them, reassuring them that it is OK to report a security incident (they are not going to get in trouble, even if they clicked) and increasing your chances of detecting malicious activity. This in turn will allow you to investigate and decide what is and is not malicious.
Making content engaging and clear is very important. Nobody wants to be lectured in depth on how to read an e-mail header as a way to help them spot a phishing attempt. Work on making your key messages concise, non-technical and accessible to a wide audience. Get creative in how you disseminate messaging, acknowledging that your goal should be to make your content as accessible as possible for employees. People are busy. They need to be able to absorb your messaging during the course of their day, at their desks, and when they are walking the corridors.
A combination of delivery mechanisms will work best. Consider things like newsletters, posters, blogs, gamification, guest speakers and (depending on your budget) computer based training. Personally, I have always found that using anecdotes is a great way to engage your audience. By making things real and telling a story (via whatever medium) you are more likely to connect with your audience and get that messaging to stick.
For compliance purposes, measuring how frequently and to whom you are providing user awareness information/training is something that is easily achievable. However, its value is limited, as is usually the case where compliance is treated as a tick box exercise.
To establish how effective your activities have been in actually changing behaviour, phishing assessments are a very useful tool. When conducting an assessment of this nature it is important to take a risk-based approach. Not every employee within your organisation will face the same degree of risk, as different roles have different levels of exposure. For example, the risk from spear phishing faced by a CEO is likely to be different to that of someone working in customer service. The CEO is likely to have more information openly available about them online and access to more sensitive information (possibly with elevated privileges). This makes them a more attractive spear phishing target and worth the attacker spending more resource on crafting a more bespoke message.
Equally, the threat from phishing faced by someone in finance is likely to be different to that faced by someone on the Board. The person in finance is likely to receive high volumes of e-mails containing attachments as part of their everyday role. They are also likely to have some information available about themselves online – for example, that they work in accounts and therefore may have access to funds. These factors make them an attractive target for more commodity-type phishing attacks that deliver banking Trojans or ransomware.
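Measuring behaviour change in a risk-based way means tracking results per group and per round, not as a single organisation-wide click rate, and tracking the report rate (the "human IDS" behaviour) alongside the click rate. The following is an added example, not Context's tooling or any product's output: it summarises constructed simulated-phishing results by role group and compares the latest round with the baseline round. The group names, template names and outcomes are invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One simulated e-mail sent to one user in one assessment round."""
    round_no: int
    user: str
    group: str       # risk group the template was tailored for
    template: str    # which lure this group received
    clicked: bool    # followed the link / opened the attachment
    submitted: bool  # entered credentials on the landing page
    reported: bool   # forwarded it to the reporting mailbox


# Constructed sample data (hypothetical users, groups and lures).
# Board members get a bespoke lure; finance gets a commodity invoice lure.
RESULTS = [
    Result(1, "ceo", "board", "board-paper", True, True, False),
    Result(1, "cfo", "board", "board-paper", False, False, True),
    Result(1, "ap1", "finance", "invoice", True, False, False),
    Result(1, "ap2", "finance", "invoice", True, True, False),
    Result(1, "ap3", "finance", "invoice", False, False, False),
    Result(1, "ap4", "finance", "invoice", False, False, True),
    Result(2, "ceo", "board", "board-paper", False, False, True),
    Result(2, "cfo", "board", "board-paper", False, False, True),
    Result(2, "ap1", "finance", "invoice", True, False, True),  # clicked, then reported
    Result(2, "ap2", "finance", "invoice", False, False, False),
    Result(2, "ap3", "finance", "invoice", False, False, True),
    Result(2, "ap4", "finance", "invoice", False, False, True),
]

METRICS = ("clicked", "submitted", "reported")


def summarise(results):
    """Return {(round_no, group): counts and rates} for every round/group seen.

    A user who clicked and then reported counts towards both metrics: the
    click is still a finding, but the report is the behaviour we want to
    see grow, because it is what gives the SOC a chance to respond.
    """
    buckets = defaultdict(lambda: {"sent": 0, **{m: 0 for m in METRICS}})
    for r in results:
        if r.submitted and not r.clicked:
            raise ValueError(f"{r.user!r}: cannot submit credentials without clicking")
        bucket = buckets[(r.round_no, r.group)]
        bucket["sent"] += 1
        for m in METRICS:
            if getattr(r, m):
                bucket[m] += 1
    for bucket in buckets.values():
        for m in METRICS:
            bucket[m + "_rate"] = bucket[m] / bucket["sent"]
    return dict(buckets)


def progress(summary, group):
    """Change in each rate for `group` between its first (baseline) and latest round."""
    rounds = sorted(rd for rd, g in summary if g == group)
    if len(rounds) < 2:
        raise ValueError(f"group {group!r} needs a baseline and at least one later round")
    base, latest = summary[(rounds[0], group)], summary[(rounds[-1], group)]
    return {m + "_rate": round(latest[m + "_rate"] - base[m + "_rate"], 3) for m in METRICS}


if __name__ == "__main__":
    summary = summarise(RESULTS)
    for (rd, group), b in sorted(summary.items()):
        print(f"round {rd} {group:8} sent={b['sent']} "
              f"click={b['clicked_rate']:.0%} submit={b['submitted_rate']:.0%} "
              f"report={b['reported_rate']:.0%}")
    for group in ("board", "finance"):
        print(group, "change since baseline:", progress(summary, group))
```

Note that a falling click rate on its own is a weak signal (users may simply have been away); the rising report rate per group is the number that shows the "please report it" message has landed.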
At Context we offer a range of services that can help organisations to improve their existing user awareness programme. We can also work with organisations to develop tailored user awareness programmes from the outset.
Our user awareness briefings are enriched by our real-world experience of responding to a range of different cyber-attacks, where employees are exploited in order to gain access to data or other resources. In our briefings we offer practical tips to assist employees in spotting this type of activity and give advice on how they can better protect themselves. Our sessions are tailored according to the threats an organisation is likely to face and we do this by consulting our clients during the formulation of content and by using information sourced from our threat intelligence team.
You might be looking to measure the effectiveness of an existing user awareness programme. If so, we can also help to run a managed phishing service that can help you achieve this. We will work with you to establish the level of threat faced by different groups of people within your organisation. From there, we will tailor simulated phishing/spear phishing e-mails that best represent the threats these groups are likely to face. This managed service is delivered in close consultation with our clients. User actions are tracked safely and baselines can be established and progress charted through regular assessments. Our expertise in delivering our managed phishing service is informed by our vast experience in performing real-world red teaming engagements.
Please get in touch with us for more information.