How to Fortify Your Organisation’s Last Layer of Security – Your Employees

April 2020

Many organisations continue to place more trust in technology-based solutions than in training their employees to be aware of the threat landscape and able to recognise the red flags of an attempted breach. Yet employees who are trained appropriately and incentivised can be part of a more robust solution to many problems.

Read this blog, including content from our partner KnowBe4, to learn how you can take your employees from liabilities to assets, including five recommended actions to fortify them into your organisation’s last layer of security.

The Human Element of Security is Being Seriously Neglected

Organisations tend to see their employees as liabilities rather than as assets, who, when trained appropriately and incentivised, can be part of a more robust solution to many problems.

“People impact security outcomes, much more than any technology, policy or process,” Gartner explains.

“The market for security awareness computer-based training is driven by the recognition that, so long as technology-based security systems do not provide perfect protection, people play an undeniable role in an organisation’s overall security and risk posture. This role is defined by both inherent strengths and weaknesses: people’s ability to learn and their capacity for error.”

There’s a Right Way and a Wrong Way to Train Employees in Cyber Security Awareness

The wrong way approaches training as a once-a-year or semi-annual exercise in which employees are gathered in the break room with snacks and subjected to a long, or sometimes too-brief, PowerPoint presentation. This method treats employees as a passive audience and inadequately engages them. Done wrong, security training feels more like punishment than an opportunity to teach and inspire employees to be active contributors to their organisation’s safety and well-being.

The wrong way also reflects a one-size-fits-all organisational mindset, which fails to take into account that people have various strengths and abilities and respond differently to a range of methods by which training material is presented. Another key flaw of the breakroom approach is that the impact of training gets measured in terms of attendance instead of content retention and behaviour modification. As a result, organisations tend to be disappointed by statistically low levels of improvement in behaviour; often causing senior executives to dismiss the whole field of security awareness training rather than question the methods by which it is delivered.

When it’s done properly, security awareness training is parcelled out in more digestible portions that expose employees to content with greater frequency and variety so it can have a deeper impact. This approach treats training more as a carrot than a stick and is interactive and role-based, making it feel more relevant and worthwhile to employees. And because it’s more challenging, it engages the minds and memories of workers much more effectively than when they are forced to passively sit through a presentation once a year or even at more regular intervals.

Security awareness training never occurs in a cultural vacuum. As well as changing employee behaviour to be less susceptible to social engineering, it’s advisable that an organisation’s risk management department evaluate the organisational culture and adjust the messaging appropriately. For example, an authoritarian corporate environment in which employees are expected to simply follow instructions without questioning how a task fits into a broader context is likely to require more effort to modify an employee’s behaviour or default responses to things like phishing emails than a culture that promotes cooperation and critical thinking and recognises the value of getting managerial and staff buy-in for new initiatives.

How to Change Employee Behaviour to be Less Susceptible to Social Engineering

The central goal of security education is to modify an employee’s behaviour so that he or she doesn’t fall for social engineering.

Social Engineering: the art of manipulating, influencing or deceiving somebody into taking an action that is not in their own or their organisation’s best interests.

The most common examples of social engineering are phishing and spear-phishing attacks, delivered by email, phone, post or direct contact, which try to trick people into doing something harmful. Most social engineering schemes aim to get somebody to click on a hyperlink or open an attachment sent in an email, so that the attacker can harvest credentials or run malicious code on the user’s computer.

“Interactive computer-based training is a central component of a comprehensive security education and behavior management program,” according to Gartner.

Training exercises that tell a compelling story and put the trainee in the position of somebody who has been targeted, such as a company’s controller, engage the trainee by making them choose the best course of action in response to a suspicious email.

When they have the opportunity to select the wrong response to an attack, “that employee definitely has an ‘Aha!’ moment because a big screw-up caused major problems” for their organisation, says Kevin Mitnick, Chief Hacking Officer for our partner KnowBe4, provider of new-school security awareness training.

These exercises teach employees to check the details of an email carefully for tell-tale signs of malicious content: a “From” address whose domain is misspelt or is a lookalike of the genuine one; a hyperlink whose real destination (revealed when you hover the cursor over it) differs from the address shown in the link text; and wording that threatens negative consequences unless an action is taken quickly, before the email’s veracity can be confirmed. Making training interactive ensures it takes deeper root in an employee’s mind.
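The three checks just described can also be automated as a first-pass triage of a reported message, which is a concrete way to show trainees what "hover over the link" actually reveals. The following Python script is an added example written for this page, not code from KnowBe4 or from the original post. The trusted domain example.com, the urgency phrase list, the homoglyph table and both sample messages are constructed for illustration; the two-character edit-distance threshold for a lookalike is an assumption that needs tuning against your own domain portfolio.

```python
"""Triage a raw email for the red flags discussed above (added example, constructed data)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's genuine domain(s); example.com is a placeholder.
TRUSTED_DOMAINS = {"example.com"}
# Constructed list of pressure phrases; extend it from your own lure corpus.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "urgent", "act now")
# Visual substitutions commonly seen in lookalike domains (rn -> m, 1 -> l, ...).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalise(domain):
    """Fold homoglyphs so that examp1e.com compares equal to example.com."""
    d = domain.lower()
    for look, real in HOMOGLYPHS:
        d = d.replace(look, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if genuine/unrelated."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the genuine domain or one of its subdomains
        if edit_distance(normalise(domain), trusted) <= 2:  # assumed threshold
            return trusted
    return None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

def host_of(s):
    """Hostname of a URL-looking string, or None for ordinary link text like 'HR portal'."""
    if not s or not URL_LIKE.match(s):
        return None
    return urlparse(s if "://" in s else "http://" + s).hostname

def analyse_message(raw):
    """Return a list of (flag, detail) tuples; an empty list means no red flags found."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = parseaddr(str(msg["From"] or ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    target = lookalike_of(sender_domain)
    if target:
        flags.append(("lookalike-sender", f"{sender_domain} imitates {target}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)  # what the user sees vs where it goes
        if shown and actual and shown != actual:
            flags.append(("link-mismatch", f"shows {shown} but goes to {actual}"))
    plain = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        flags.append(("urgency", ", ".join(hits)))
    return flags

# Constructed sample messages, not real traffic; attacker.test uses a reserved TLD.
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@examp1e.com>
Subject: Action required: your password expires today
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="http://login-example.attacker.test/reset">https://portal.example.com/reset</a></p>
"""

SAMPLE_CLEAN = """\
From: "Payroll" <payroll@example.com>
Subject: March payslips are available
Content-Type: text/html

<p>Your payslip is now in the <a href="https://portal.example.com/payslips">HR portal</a>.</p>
"""
```

Running `analyse_message(SAMPLE_PHISH)` returns three flags (lookalike sender, link mismatch, urgency wording) and `analyse_message(SAMPLE_CLEAN)` returns none. The link check deliberately fires only when the visible text itself looks like an address, which is the case the page describes; a link whose text is just "HR portal" is not a mismatch, and treating every external link as suspicious would train people to ignore the warning.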

The ultimate goal of simulated phishing attacks is to train people’s reflexes, so they learn the optimal response to such emails. “That means putting somebody in the situation where they’re having to make that decision and use that behaviour that we actually want somebody to have embedded over and over again so it becomes something that doesn’t feel uncommon or different from their normal decision-making, but is integrated with and will just naturally become their pattern of habit.” says Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

The idea is to repeat variations of the exercise continuously so a trainee has a chance to fail in a safe environment and be redirected to a form of corrective behaviour, Carpenter says. “Even more important is to have multiple successes, multiple times to show themselves that they know how to detect a phish and report it so they have that behaviour ingrained within the way that they do business every day.”

How to Change Organisational Culture

Changes in behaviour cannot be sustained by an organisation’s culture without continuous reinforcement. For example, training and repeated testing can reduce the rate at which employees click on simulated phishing links from an initial average of 27% to the low single digits. However, “if you just leave that alone and never train them again, you’re going to see it creep back up for a couple reasons,” Carpenter warns.

First, the stimulus for reinforced behavioural patterns disappears once you take away the immediate feedback an employee gets when they successfully recognise a simulated phishing attack. Second, on the organisational level, the natural churn of personnel as some people leave the organisation while others join it translates to a smaller percentage of employees who have been trained rigorously in security awareness.

Then there is behavioural drift over time, because nothing is being done to help employees sustain the new habits they have learned for handling the emails they receive. Think of seasonal circumstances that can push against an employee’s heightened security awareness and their resulting behaviour. For example, “I’m in retail. It’s the holiday season. I’m getting 300 more emails a day than I naturally would get, and I’m just trying to knock stuff out, so I’m naturally going to get a little more careless,” Carpenter says.
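Because attendance says nothing about behaviour, the numbers worth tracking are the click and report rates of each simulated phishing campaign, split by whether each recipient had completed training at the time, so that creep caused by untrained new joiners is visible separately from creep among trained staff. The following Python script is an added example for this page, not KnowBe4 platform code or its reporting. The campaign records are constructed, and the five-point rise that triggers a drift warning is an assumed threshold.

```python
"""Summarise simulated-phishing results by behaviour, not attendance (added example)."""
from collections import defaultdict

# Constructed records: (campaign, user, trained_before_campaign, clicked, reported).
EVENTS = [
    ("2020-01", "ann", False, True, False),
    ("2020-01", "bob", False, True, False),
    ("2020-01", "cat", False, False, True),
    ("2020-01", "dan", False, False, False),
    ("2020-02", "ann", True, False, True),
    ("2020-02", "bob", True, False, True),
    ("2020-02", "cat", True, False, True),
    ("2020-02", "dan", True, True, False),
    ("2020-03", "ann", True, False, True),
    ("2020-03", "bob", True, True, False),   # trained, still clicked
    ("2020-03", "cat", True, False, True),
    ("2020-03", "eve", False, True, False),  # new joiner, not yet trained
    ("2020-03", "fay", False, True, False),  # new joiner, not yet trained
]

def counts(rows):
    """(clicked, reported, total) for a set of records."""
    return (sum(r[3] for r in rows), sum(r[4] for r in rows), len(rows))

def campaign_summary(events):
    """Per campaign: click/report counts for everyone, and for trained vs untrained staff."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e[0]].append(e)
    summary = {}
    for camp in sorted(by_campaign):
        rows = by_campaign[camp]
        summary[camp] = {
            "all": counts(rows),
            "trained": counts([r for r in rows if r[2]]),
            "untrained": counts([r for r in rows if not r[2]]),
        }
    return summary

def click_rate(c):
    """Fraction who clicked, or None when the segment is empty."""
    clicked, _, total = c
    return clicked / total if total else None

def drift(summary, tolerance=0.05):
    """Campaigns whose overall click rate rose more than `tolerance` (assumed) on the previous one."""
    camps = sorted(summary)
    rates = [click_rate(summary[c]["all"]) for c in camps]
    return [camps[i] for i in range(1, len(camps)) if rates[i] - rates[i - 1] > tolerance]

def retrain_list(events):
    """Users who clicked without reporting in the latest campaign: follow-up, not punishment."""
    latest = max(e[0] for e in events)
    return sorted(e[1] for e in events if e[0] == latest and e[3] and not e[4])

if __name__ == "__main__":
    s = campaign_summary(EVENTS)
    for camp, segs in s.items():
        print(camp, {k: f"{click_rate(v):.0%}" if v[2] else "n/a" for k, v in segs.items()})
    print("drift:", drift(s), "retrain:", retrain_list(EVENTS))
```

On the constructed data the overall click rate falls from 50% to 25% after training and then jumps to 60% in the third campaign, which the drift check flags; the segmented view shows why, since trained staff are at 33% while the two untrained joiners clicked 100%, which is the churn effect described above rather than a failure of the training itself.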

Given that the ultimate aim is to retrain employees’ reflexes regarding online behaviour, it’s imperative that managers respond to training results in a constructive, nurturing way instead of a punishing one. “They’re failing because they’re human, and we’re putting them in a situation that tests their humanity in a lot of ways. And we’re putting them in that [situation] because we know that this is the natural default behaviour that people have and we’re trying to shift it,” says Carpenter. The key is to turn an employee’s mistakes into teachable moments that further strengthen an organisation’s last layer of defence.

Recommended Actions

1. Be realistic about what is achievable in the short term and optimistic about the long-term payoff.

If your goal is behaviour change, focus on 2 to 3 behaviours for 12 to 18 months at a time. You can’t effectively train on everything.

2. Plan like a marketer, and test like an attacker.

Starting with communications such as executive messages and videos, department manager messages and security town halls, conduct phishing and social engineering testing, and reinforce through regular newsletters and digital signage.

3. View awareness through the vision of organisational culture.

Focus on understanding the different personalities, drivers and learning styles within your organisation. Complete a list of recommended tasks that are designed based on feedback in your company’s staff questionnaire. This will let you personalise your approach and get the most out of your Security Awareness Program. Tasks may include engaging your organisation’s stakeholders, creating and completing a baseline phishing campaign, communicating the Security Awareness Program to your employees, reviewing and selecting a primary training module, and creating training campaigns for your quarterly training modules.

4. Leverage behaviour management principles to help shape good security hygiene. 

Embrace best practices such as (a) formulating goals before starting, (b) getting the executive team involved, (c) prioritising and making your messages and training relevant, (d) phishing frequently, at a minimum of once a month and (e) testing frequently to build security reflexes.

5. Have a vision of what “good” looks like for your organisation.

Build a network of “security champions” inclusive of all roles and geographic regions across the enterprise. Present to candidates the role of a champion as a developmental opportunity and integrate it into performance and career development plans.

Changing employee behaviour to be less susceptible to social engineering requires a consistent and repeatable approach to security education. Security awareness training done right engages users and moves their natural “reflexes” from being unaware to being proactive and competent in identifying potentially hazardous social engineering tactics. Successful behavioural change starts with clear communication to employees on why security education is important that also aligns with an organisation’s unique culture and workplace dynamics. Rolling out a realistic security awareness training program will empower users to protect themselves and be part of the solution in fortifying an organisation’s last layer of security.

Our partner KnowBe4 is the world’s largest integrated Security Awareness Training and Simulated Phishing platform.

Realising that the human element of security was being seriously neglected, KnowBe4 was created to help organisations manage the problem of social engineering through a comprehensive new-school awareness training approach. This method integrates baseline testing using real-world mock attacks, engaging interactive training, continuous assessment through simulated phishing and vishing attacks, and enterprise-strength reporting, to build a more resilient organisation with security top of mind.

Tens of thousands of organisations use KnowBe4’s platform across all industries to mobilise their end users as a last line of defence and enable them to make better security decisions.

Domain Impersonation: The Popular New Tactic for Phishing Attacks

Domain impersonation is increasingly becoming a problem which targets businesses and their customers. Phishing attackers are now advancing their level of sophistication by utilising domain impersonation as part of BEC scams that can result in CEO fraud, malware infection, or ransom.