Ask a Security Expert: ‘When End-User Security Awareness Fails, What’s Next?’
According to Gareth Brown, director of business IT security and support firm Sytec, this is one of the most common questions he receives from clients. Unfortunately, he has a good point. Employees are going to click on things they shouldn’t — despite what businesses do to prevent it. It’s important to remember that these incidents stem from simple curiosity, which is why continuous training is needed to override human nature.
Cybercriminals target businesses through their end users, often using user information as shared on social networks and other locations online to gain their trust. When end users unwittingly click phishing links, open malware attachments, or give up credentials and other sensitive information online, cybercriminals can bypass existing layers of security to successfully breach organizations’ networks.
According to the Verizon 2018 Data Breach Investigations Report, “companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.” Although end users are an organization’s first line of defense, it’s clear there is still a long way to go.
Security Awareness: Crucial, But No Silver Bullet
In today’s business world, end-user security awareness – while not foolproof – is critical in bolstering a company’s overall security posture. Cybersecurity safety habits should not be considered common knowledge, and businesses should work to make sure their employees, from top-level executives down to new hires and temps, receive the proper training, arming them with the tools needed to recognize potential threats before any damage is done.
According to a recent survey of small and midsize businesses, 79 percent of IT decision-makers globally don’t believe their companies are completely prepared to protect against cyber threats. There may be several reasons for this number, but one could be the level of attention organizations give to education. While nearly all organizations (close to 100 percent) provide some level of security training, only 39 percent continuously train employees on cybersecurity best practices throughout the duration of employment. Further, 36 percent train employees only once, either during on-boarding or after a security breach takes place.
Unfortunately, modern attacks are designed to prey on human nature. Say, for example, you work with a company that has implemented a new security-awareness program and has provided resources to help employees recognize and better navigate potential risks, and that you have full support from upper management. Even with all of the odds in your favor, you might still fall victim to a basic phishing email sent to an unsuspecting employee who was caught off guard.
Organizations that tend toward proactivity, rather than reactivity, will do best in the face of a data breach.
In order to be ready for the next attack, work with customers to develop a breach response plan that includes the following elements:
- A process to identify all critical data required for business operations.
- A way to ensure critical data is backed up offsite in an appropriate location.
- A communications plan for those who will manage the incident response and business-continuity process.
- Training for those individuals using the plan so everyone knows their roles and responsibilities when bringing operations back online.
- Identification of a secondary site, whether physical or cloud-based, from which to run the business until the breach is resolved.
- A plan to hold after-action meetings to review the breach and the actions taken to resolve any issues and improve the team’s performance.
In addition to having a solid response plan in place in case of an attack, there are proactive steps organizations can take to be sure they are ready to handle what happens when awareness training fails. Cybercriminals are more sophisticated than ever, and social attacks like phishing are at the top of their list. To combat these attacks, neither security technology nor awareness training alone is enough.
In my experience, a key formula for success includes:
- Annual security-awareness training.
- Quarterly updates, blogs and lunch-and-learns to keep training fresh.
- Employment of security technologies to stop malware and block malicious sites and URLs.
- Anti-phishing training, in which security teams send simulated phishing emails to staff, to reduce the impact of the tool cybercriminals most commonly use to gain a foothold in organizations.
MSPs and security teams must always account for human nature; however, with the right processes and technologies in place, businesses can become resilient to these attack techniques and more successfully safeguard their data.
Gary Hayslip is responsible for the development and implementation of all information security strategies, including Webroot’s security standards, procedures and internal controls. As CISO, he also contributes to product strategy to guide the efficacy of the Webroot security portfolio.