Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/29/2019
10:30 AM
Adam Marre
Adam Marre
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Creating a Security Culture & Solving the Human Problem

People are the biggest weakness to security breaches; people can also be your organization's biggest defense.

Through nearly a dozen years of experience at the FBI and now at Qualtrics, I've seen that many of the most successful hackers no longer first look for software vulnerabilities. They're coming after your people. The reason is simple: It's cheaper, it's easier, and it works.

Massive telecom data breach? Unprotected vendor server. Prominent media company? Stolen credentials. Website with compromising emails? Former contractor. All of these major breaches resulted from mistakes of individuals. The threat vector is you.

Despite years of education, millions of pages of policy, and pervasive annual mandatory trainings, 60% of security professionals rank employee carelessness or negligence as a top threat, up from 44% in 2015, according to the EY Global Information Security Survey. Fully 66% of all cyber insurance claims stemmed from employee negligence or malfeasance, according to a 2017 report from Willis Towers Watson.

But although we keep having human breaches, we haven't changed the behaviors that lead to these breaches. On average, 4% of targets in a phishing campaign will click, according to Verizon's 2018 Data Breach Report. Furthermore, people who have clicked once are more likely to click again.

Why? Because most modern workers think they know how to avoid security threats. We no longer have an awareness problem: Workers have heard the basics about phishing. We have a false confidence problem. Knowing about security threats is only half the battle. Employees also have to know what actions to take.

Awareness vs. Response
Qualtrics conducted a study of roughly 1,000 US adults to test two related, but significantly different points: awareness of phishing threats and appropriate responses to phishing threats. The gap was striking.

Awareness
We found that more than 70% of US adults knew what phishing was, and more than half said they knew how to avoid becoming a victim.

Appropriate Response
But when we asked harder questions from the same sample, we saw far less confidence. Only 10% of respondents knew the right way to determine if a link is legitimate. Equally concerning, one in three US adults incorrectly said that only clicking on links from people they know would protect them from falling victim to a phishing attack.

You are still the target, and the problem is getting worse because of the human gap. People develop false confidence when they’re aware of a problem but don’t know how to properly address it. Because security experts are still learning how to address human security vulnerabilities, even the best can substitute mere awareness for preparation.

Filling the Confidence Gaps with Elbow Grease
A lot of people purchase online training videos and throw them at the problem, or check the box for cybersecurity training by having their IT personnel provide basic reminders in training once a year. This kind of attitude can be even more dangerous than letting cybersecurity slip from top-of-mind. When companies focus on merely checking that box, they can lull themselves into a false sense of security, thinking their annual lecture or testing has prepared employees for future attacks.

If companies put as much thought, planning, and execution into helping their employees avoid cyber threats as they did creating firewalls and preventing software breaches, they would increase the security of their organization. But that seems like a lot of hard work for already overburdened security professionals. This could mean increasing training or implementing other processes for sharing information.

I have investigated dozens of cases where victims didn't click a link or download any file, yet they still were tricked by a phishing email and lost millions. Awareness training and tests are an essential part of securing an organization. However, the end goal should be to create a security culture, not to just make people more knowledgeable. Culture implies intrinsically motivated action, which is what companies need to protect themselves.

Start from the Top
The most effective training program in the world will have a hard time gaining traction among employees if they don’t see those precautions and practices being demonstrated by leadership. Without an example from the top, the environment for a security-minded culture to develop won't exist.

This culture is crucial for the same reason public health officials stress the necessity of herd immunity via vaccinations: If the bulk of a population is protected against a threat, that population has a much lower risk of being damaged by that threat. Exemplifying secure practices can help executives protect their workforce against breaches.

Leading the charge doesn’t have to take a lot of time or effort. It could be as simple as executives always wearing the security badges they expect employees to carry, or encouraging employee discussion during cybersecurity training.

Follow Up
Training or a phishing test is a great start, but what happens after that? Without following up on training, employees can forget crucial security measures, and the subject can drift into perceived irrelevance until the next year’s exercise.

Keep the message current by reiterating it throughout the year. Maybe that means instead of having one big training per year, you break it down into smaller quarterly training sessions. Maybe it’s having regular testing or routinely having conversations about cybersecurity. A combination of initiatives — an occasional newsletter with tips, regular training, etc. — can help foster a secure culture by imparting the severity of the problem and the necessity of every employee’s efforts to solve it.

Hardening devices and patching software are only part of the battle to secure your enterprise. Today, you must test and train employees and help them stay accountable for security practices. Each individual is a major threat vector to your organization, so you must create a culture of security and frequently reiterate the message. A security mindset in every employee is the only thing that will close the human security gap and the only way to truly protect your company.

Related Content:

Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years experience leading large-scale computer intrusion investigations and consulting as a cybercrime ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ChristopherJames
50%
50%
ChristopherJames,
User Rank: Strategist
2/13/2019 | 1:48:17 AM
Hacking people, not systems
There have been several similar cases in different security lapses incidences. Most of them involve individuals who were negligent in their line of work though their expertise was security. Some of them were too engaged in other affairs to keep up with stringent security measures whilst others were basically performing data breaches on purpose. 
markgrogan
50%
50%
markgrogan,
User Rank: Strategist
2/13/2019 | 1:05:00 AM
People can't do what they don't know
I think most laypeople are not aware of how much it costs to have proper security systems installed on their tech devices. I reckon that many people think that anything more than an anti-virus software is excessive! If we  want more people to buy into the security culture, we have to spend more time to educate people about it!
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2019 | 11:19:39 AM
weakest link
successful hackers no longer first look for software vulnerabilities. They're coming after your people. The reason is simple: It's cheaper, it's easier, and it works. That makes perfect sense. Exploit the weakest link: human beings.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...