Originally published at www.isaca.org
Bad things happen every day. The methods used to steal personal and business data cover a variety of techniques. Some are simply accidents, e.g., lost laptops containing databases of client details or emails sent containing personal data. Some techniques are much more sinister: using social engineering to trick victims into revealing their own information or stealing the “keys to the castle” by conning system administrators into entering login credentials for sensitive company resources into spoof sites.
Attacks have become more difficult to detect with traditional tools such as antivirus software. Cyberthieves are after information with employee and/or customer data making up more than 80% of breach focus. Intellectual property appears to be the next item on hackers’ wish lists. Sophisticated and complex patterns of infection and exposure make the battle against cyberthreats complicated.
Whatever causes a data breach, whether an accident or a deliberate act, technology is not always the answer. Being aware of the cyber security climate we live in is the beginning of building a culture of security. Being aware gives people the basic tools to make a stand against cyberthreats. No longer can anyone hope that an antivirus software or an intrusion protection system will keep information safe. Cybersafety has to be embraced by everyone in its entirety and this means being informed and aware.
Being Security Aware—Hacking the Human
Cyber security risk management, across all industries and across all vectors, accidental or otherwise, begins with an understanding of the problem at hand. Cybercriminals may be using more sophisticated techniques to get at valuable information, but they do use patterns that are successful for them, e.g., social engineering. Phishing, which uses social engineering techniques at its core, is an incredibly successful medium for a cyberattack entry point. Many malware infections begin with a phishing email. According to a quiz given by security firm Kaspersky, about 74% of Internet users cannot spot a phishing attempt. Knowing what a phishing email or a phishing web page looks like could stop a malware infection before it even begins.
Security Awareness Training
Making users aware of their own actions and of others’ malicious intent is now more important than ever. In addition to having in-house training sessions on security and how it can impact organizations, external experts can also be enlisted. There are a number of firms that offer security awareness training courses. These curricula are there to augment the use of a technology approach to preventing security breaches. The courses, often online and performed remotely, create programs tailored to an organization’s needs.
Some ideas for training a workforce about security include:
- Designating security days when each department looks at what is/has happened in their department in the last month with regard to security issues
- Designating a security focus month where attention is focused on particular issues, e.g., not sharing passwords
- Using social engineering testing that can simulate attacks types, such as phishing
- Including everyone in training, not just IT, and making it as interactive as possible
- Focusing not only on compliance and security; but taking a wide-spectrum approach to creating a security culture
- Getting end users to brainstorm ideas for training—everyone is at risk from cyber security threats and everyone has a vested interest in finding ways to raise security awareness
- Sharing stories and using them to teach best practices
As more people are held for ransom by hackers, it can no longer be assumed that software will protect us. Everyone has to take a stand and this requires knowledge and insight. Hackers understand their prey very well, and an effective defense is to combat them with their own methods by understanding their tricks and techniques.
About the Author
Avani Desai is a Principal and the Executive Vice President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.More Content by Avani Desai