Security awareness training: Trick or treat

As Halloween approaches, real-life cybersecurity horror stories abound. The Equifax breach threatens most of our identities. The KRACK vulnerability makes the Wi-Fi networks we live on unsafe. Our vulnerable electronic voting systems threaten our democracy.

Breach fatigue is real, not only among consumers, but businesses as well. In fact, most expect breaches to be inevitable. According to a SailPoint survey earlier this year, three out of five companies expect to be breached with 33 percent believing they won’t know they are breached when it happens.

Most risks are created by company employees. The same SailPoint survey found that 55 percent of IT respondents believe one of the key reasons that non-IT departments introduce the most risk is that they often lack the understanding of what actions and behaviours are potentially hazardous.

One of the biggest reasons that employees are unaware of their risky behaviour is social engineering. According to Wikipedia, social engineering “refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional ‘con’ in that it is often one of many steps in a more complex fraud scheme.”

As humans, we are trusting and want to be helpful by nature. Hackers know this and have been perfecting several social engineering techniques to exploit this psychology for a long time as part of their craft. Examples of these techniques include:

Phishing. One of the most common social engineering techniques, phishing is when a scammer sends an email or text designed to fool people into believing it comes from a legitimate entity in order to get them to share personally identifiable information, such as account numbers, Social Security numbers, or login IDs and passwords. Scammers then use this information to steal money, identities, or both. The good news is that major email and browser providers like Google and Microsoft have upgraded their tools to better spot and filter out phishing attacks, but expect scammers to adapt and evolve.

Baiting. In many ways, baiting is similar to phishing. The difference is that hackers use the promise of an item or good to entice victims. For example, baiters may offer free music or movie downloads if victims provide their login credentials to a certain application or web site. Baiting attacks also enter the physical realm, for example leaving a USB thumb drive loaded with malware lying on the ground or on a desk. The idea is that someone’s curiosity will get the better of them and he or she will plug it into a computer, which is then infected with the malware.

Pretexting. This is a technique where attackers focus on creating a fabricated scenario that they can use to try and steal their victims’ personal information. In more advanced attacks, hackers will try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organisation or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.

Tailgating. Also known as “piggybacking,” this type of attack involves an unauthorised individual following an employee or other authorised individual into a restricted area. For example, an attacker may impersonate a courier and wait outside a building. When an employee opens the door to their office area, the attacker asks the employee to hold the door, thereby gaining entry on the back of someone who is authorised to enter the company.

These are just a few of the numerous techniques hackers use. New ones emerge regularly, and hackers modify existing techniques based on how people respond to or resist older ones. Hackers are also putting artificial intelligence to work to automatically adjust which techniques they use and against whom.

This has made security awareness training mandatory for companies, and something that needs to be done continuously. We’re currently in the midst of a SOC 2 Type II certification audit, which requires us to attest that we have conducted security awareness training. My focus is on taking a different approach in order to make it as effective as possible. In considering approaches, the question has boiled down to whether to train employees by tricking them or by treating them.

As the data points above show, the key challenge is to change employee behaviour, which means changing the culture so people don’t fear cybersecurity practices and really feel like they are doing their jobs in a secure manner every day. A popular approach has been for companies to trick their own employees through simulations of the techniques described above.

These certainly should be considered, but should be well-balanced with “treating” approaches. These might include:

Visuals. Let’s face it, people get bored with endless text and statistics about social engineering attacks. People also forget stuff. Rather than overburdening people with information, provide powerful visuals that employees will remember. For example, I’ll capture and sanitise an actual social engineering attack in a screenshot to make it really easy to understand.

Transparency. Make sure employees know when training is going to be happening. If you phish or bait them before they understand what it is or means, it can cause employees to fear cybersecurity.

Praise. As opposed to creating more fear about mistakes or bad behaviour, you’ll want to praise employees for doing things right rather than admonish them for getting things wrong. Admonishment just leads people to circumvent systems and to stop paying daily attention to their surroundings and to the technical controls on their computers.

This truism can’t be stated enough: Your organisation's cybersecurity is only as strong as the weakest link. Security awareness training is key to ensuring your employees are not that weak link. By carefully thinking through that trick or treat balance and erring on the side of the latter, you’ll find that the effect is a change in culture where employees see training as something that they want to do rather than need to do.

What “treating” approaches have worked for you?

Brian Rutledge, security and compliance engineer, Spanning