Shock Treatment: Combatting Infosec Negligence

Boring training videos, box-ticking to meet regulations, blacklisting software at the expense of productivity: large enterprise has been reliant on these methods of “cyber security control” for too long. They are outdated and don’t work. Cyber criminals don’t follow the steps outlined in a training video from 2006—they innovate, manipulate, penetrate and steal information in many different ways and by many different means.

Internally, employees can also represent a real and significant danger to corporate information—whether by accident or design—they are the insider threat. Think about it this way. Dropbox might be an easy way to transfer a file to a client—but has it been sanctioned by IT? Ask every knowledge worker in a company that question, and you can guarantee you won’t get a single, clear cut answer. In fact, according to Code42’s 2016 Datastrophe Study, 22% of knowledge workers surveyed said their IT department doesn’t know they use third-party cloud sharing solutions.

So in 2016, what are the right ways to educate your employees about data security from both an internal and external perspective?

Shock therapy
We briefly covered that training videos and generic presentations don’t work that well. Within 10 minutes, staff will have switched off and words will be going in one ear and out of the other—unless you’ve invited Snowden himself to present the training.

To encourage employees to take responsibility and ownership of sensitive corporate data, a more direct approach is needed. Fortunately, cybersecurity consultancy and threat-based penetration testing is something we’re well versed in at First Base Technologies, and we’d recommend the following to drive employee awareness:

• Faking data loss—by targeting specific departments (or even the entire company) with a well-designed program of phishing attacks, you can easily demonstrate the real risk to the business and start the process of education. No information is actually compromised, and the affected employees are told it’s been a simple training exercise. I can guarantee that over time, with the right messages it’ll hammer home the importance of double-checking whether to click that link, install that file, or respond to that unknown request in the future. Think of it as the cyber security equivalent of regular fire drills.

• Physical penetration testing—this involves hiring third-party security consultants to visit an office disguised as “help-desk” computer engineers, visitors or even cleaners. In actuality, they are penetration testers evaluating both the physical security of an organization and its network infrastructure, with the goal of demonstrating unauthorized access to sensitive information. The resulting report, often accompanied by video footage of the exercise, provides valuable guidance on security weaknesses and remediation. Staff is briefed on what happened and the potential gravitas of the situation—providing another important lesson as a result.

• Company-wide warnings—as information security professionals, we are well versed in the latest threats and the results of high-profile breaches. And thanks to the recent media agenda, it does seem to be filtering down to non-IT folk too. According to Datastrophe, 74% of knowledge workers say that IT staff’s ability to protect corporate and customer data is very important to their company’s brand and reputation. To communicate these facts to the remaining 26% of employees, breach and security risk information should be regularly delivered to staff at all levels.

Education. It really is the most important weapon in IT and security professionals’ arsenals. It’s a fact that in 2016 and beyond, organizations are under attack pretty much constantly, and if employees aren’t wise to this, the insider threat they present is realized with devastating results. With Datastrophe highlighting that 36% of knowledge workers think the business they work for may be at risk of a public data breach in the next year, it seems people are fortunately starting to understand the threat. And by IT and senior management enacting some of the training methodology above, knowledge workers will start getting well versed in information security practices too.

Peter Wood, Cyber Security Consultant, Code42

[Cloud Security Alliance Blog]