Organizations are starting to realize, given the news regarding data breaches over the past couple of years, that your security perimeter can be as strong as Fort Knox, but all it takes is one employee clicking on a malicious link and none of that matters. Everything you have done to secure your network and all of your expensive security controls have gone out the window. As social engineering attacks evolve and become more sophisticated, it is imperative to have a Security Awareness Program in place at your company. Today, we’ll detail some different tactics to keep employees engaged and keep security at the forefront of their minds, both personally and for your organization.
Security Awareness Training
This may be incredibly obvious, but your Security Awareness Program should be centered around some sort of formal security awareness training. This can take the form of an online computer-based training (CBT) or in-person training. As we have previously discussed, we highly recommend having a penetration tester conduct a security awareness training. This helps with employee engagement and has been proven to help employees retain the information they are learning, as opposed to just clicking through the slides and calling it a day. Additionally, when you have an outside security professional teaching your users, they tend to be taken a bit more seriously than internal trainers and can leverage real-world examples they’ve encountered or even the results of your most recent social engineering assessment.
Regular Phishing Simulations
A popular approach that organizations are taking to continuously assess their users’ susceptibility to email-based phishing is an internal phishing simulation platform (such as KnowBe4). These tools can be used to configure phishing campaigns that are sent to your user base on a regular basis and to measure employee responses for analysis and reporting. Did 50% of your users click on a link in a rudimentary phishing email? Then you’ve probably got work to do. Did a lower percentage of your users fall for it this month, after you launched a new security awareness training initiative? All of these questions can be answered by a phishing simulation tool, with the added benefit of keeping your users in a slightly elevated state of alertness.
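As an added illustration of the kind of analysis a simulation platform performs (this is example code, not part of the original post or any vendor's product), the following computes per-campaign click and report rates from a constructed event export, compares a campaign before training with one after it, and lists users who clicked in more than one campaign. The field names and campaign identifiers are assumptions.

```python
from collections import defaultdict


def ev(campaign, user, clicked, reported):
    """One recipient's outcome in one campaign (assumed export format)."""
    return {"campaign": campaign, "user": user, "clicked": clicked, "reported": reported}


# Constructed sample data: campaign 2023-01 ran before awareness training,
# campaign 2023-02 ran after it. Not real results.
EVENTS = [
    ev("2023-01", "alice", True, False), ev("2023-01", "bob", True, False),
    ev("2023-01", "carol", True, False), ev("2023-01", "dave", False, True),
    ev("2023-01", "erin", False, False), ev("2023-01", "frank", False, False),
    ev("2023-02", "alice", True, False), ev("2023-02", "bob", False, True),
    ev("2023-02", "carol", False, True), ev("2023-02", "dave", False, True),
    ev("2023-02", "erin", False, False), ev("2023-02", "frank", False, False),
]


def campaign_metrics(events):
    """Per campaign: recipients, clicks, reports, and the two headline rates."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for e in events:
        t = totals[e["campaign"]]
        t["sent"] += 1
        t["clicked"] += int(e["clicked"])
        t["reported"] += int(e["reported"])
    for t in totals.values():
        t["click_rate"] = t["clicked"] / t["sent"]
        t["report_rate"] = t["reported"] / t["sent"]
    return dict(totals)


def trend(metrics, before, after):
    """Change in click rate between two campaigns; negative means improvement."""
    return metrics[after]["click_rate"] - metrics[before]["click_rate"]


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: targets for follow-up training."""
    clicks = defaultdict(int)
    for e in events:
        if e["clicked"]:
            clicks[e["user"]] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for name, t in sorted(m.items()):
        print(f"{name}: click {t['click_rate']:.0%}, report {t['report_rate']:.0%}")
    print("click-rate change:", f"{trend(m, '2023-01', '2023-02'):+.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
```

The report rate is worth tracking alongside the click rate: a rising report rate is the signal that the policies and procedures below are actually being followed.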
Social Engineering Assessments
Regular phishing simulations are great, but unfortunately they only cover one basic type of phishing attack. It’s important to understand that there are much more sophisticated types of social engineering attacks that your users may see, and these attacks are becoming more and more common. These advanced attacks may be specially crafted spear phishing emails or combined email/phone-based attacks. More advanced social engineering assessments that combine all of these tactics into cohesive campaigns emulating real-world threat actors provide a more realistic assessment of your company’s risk posture. This type of engagement also goes further than a basic phishing simulation that just gathers statistics: once an employee falls for it, the engineer conducting the assessment will evaluate the internal network from the foothold gained on that individual’s computer. Are there mitigating controls in place to reduce the impact of a successful phish, or could an attacker quickly escalate?
Policies and Procedures
Your organization should have policies and procedures in place that detail the overall Information Security Policy as well as the specific expectations with regard to social engineering. Your employees should be aware that there are policies and procedures for how to handle a suspicious email, how to proceed in the event that they have clicked on a malicious link, and how and to whom these things should be reported. While policies and procedures are often overlooked, by ensuring your employees acknowledge and understand them, you have taken another step toward improving your employees’ security awareness. If these documents are well known to your employees, attempted phishing attacks can be identified and reported earlier, giving you a better opportunity to stop these campaigns before they cause damage.
Ultimately, your employees are and will continue to be the weakest link when it comes to your company’s security. By spending the time and money to educate and train your employees, you are hoping to raise the bar for security and create a culture of security awareness. While no one is immune from being manipulated via a social engineering attack, knowing the potential indicators and understanding how to react greatly reduces the risk of your employees falling victim.