Regardless of what technologies are used to protect an organization, user education is still one of the most crucial components of a security strategy. Human error is often cited by businesses worldwide, across industries, as one of the most common causes of a security incident.
According to the 2017 BakerHostetler Data Security Incident Response Report, 32 percent of security incidents were initiated by human error. And a survey of 134 Black Hat attendees in 2017 found 55 percent of respondents had experienced a cyber attack, and 84 percent said those incidents were the result of a user mistake.
The numbers underscore the continued problem of a lack of understanding about basic risks by employees. But before we go blaming users, think again. According to Lance Spitzner, director of the SANS Institute’s security awareness program, the onus for user education lies squarely with the leadership in charge.
“When employees don’t change, instead of making them feel stupid, we should take a step back and say, ‘Maybe we’re the problem,’” said Spitzner.
Spitzner and other awareness experts gave us a list of common user behaviors that continue to challenge security and how organizations can change their communication around them to spark change.
Moving Too Fast to Be Secure
Today’s employees are more stretched than ever with increased responsibilities and the ever-present demands to do more with less. That’s a problem for security because rushed employees aren’t secure employees, according to Victoria Thomas, a security awareness consultant who has created training programs for large companies, including Kimberly-Clark and GM.
“There are a lot of priorities competing for their time and attention,” said Thomas, now founder of Hypervigilant Awareness Solutions, a consultancy. “People are not as tuned in to secure behavior. And that is how cyber criminals are able to get in. A common scenario is for a criminal to call and say ‘Hey, I need you to send me this information right away.’ Cyber criminals know people are in a time crunch and they take advantage of that.”
Security professionals refer to these kinds of strategies as social engineering scams; they aim to catch employees off guard by asking them to do something insecure in a rushed situation. For example, someone might call pretending to be from the help desk and ask the employee for their password in order to address a made-up, but urgent-sounding, problem. Other social engineers “tailgate” through secured entryways by acting like an employee who has lost their badge.
Thomas said she thinks bringing scenarios home to employees is most effective. An employee wouldn’t let someone they don’t know into their home, for instance, so why allow it at work?
“I don’t talk a whole lot about work, I tend to focus on them as individuals at home,” she said. “I am an advocate for that approach because I have seen it work. If you train people for behaviors at home, it will translate into the workplace.”
Takeaway: Educate employees that no situation ever requires immediate action when security is at risk. Develop a process for employees to verify that a help desk call is real by checking with known internal members of the IT department, or with a supervisor. Teach them to firmly, but politely, let a tailgating office mate know that corporate policy does not allow anyone in without an authorized badge or verification from another employee.
Careless Sharing of Information
The busy, rushed environment at work can also translate into careless data sharing practices, according to Spitzner. Sharing sensitive corporate documents between work and personal email accounts is one example.
“Are they safely disposing and sharing?” said Spitzner. “It’s important that they understand how to do that because people often are not, simply because they are trying to do their jobs.”
Another common slip-up is carrying data on a compromised USB drive, which then infects a corporate machine.
Takeaway: Again, it is important to understand that users are not purposely trying to be careless. They often transfer data in unsafe ways simply to be efficient and get their jobs done in a variety of locations. Educate them about safe data handling and disposal practices, and offer them secure ways to let their data travel with them.
Taking the Bait in a Phishing Email
Phishing has been around since the dawn of email. And as old as it is, it is still a pervasive, and effective, attack vector for criminals. According to Verizon’s most recent Data Breach Investigations Report (DBIR), phishing accounts for 98 percent of social engineering attacks. And phishing emails now often deliver a newer threat to organizations: ransomware. Recent numbers from PhishMe, an awareness training products vendor, claim 93 percent of phishing emails contain encryption ransomware.
One thing not to do is inundate employees with emails, according to Jason Hoenich, a security awareness expert and founder of Habitu8, an awareness training organization.
“For a long time, people wanted to send an email out when there was a phishing attack. Users are already inundated with data and we have to assume that and design around that.”
Takeaway: Education around phishing should still be an integral part of your awareness efforts. And as phishing becomes more sophisticated and targeted, new techniques crop up. Keep employees up to speed on the latest types of phishing bait by providing examples.
Thinking “That’s Not My Job”
Users sometimes default to an “it’s not my job” mentality when it comes to security. This ranges from failing to regularly update their work-issued machines with the latest patches to neglecting known company policy because they think their responsibilities are an exception to the rules.
“People often say ‘It’s not my job, it’s IT’s job,’” said Thomas. “Or they think the technology will catch it. This is a major hurdle in awareness because people don’t see themselves as responsible or accountable for protecting information.”
Another area where this is a challenge is reporting insecure behavior among other employees. Users are sometimes inclined not to mention what they see because they don’t want to get someone in trouble. But a policy of “see something, say something” should be encouraged, said Thomas.
Takeaway: Thomas has seen much success in awareness programs that hammer home the message that security is everyone’s job. Implement a program that gains buy-in from all employees and gives them incentives both for following security best practices and for reporting bad security practice.
Sharing Too Much on Social Media
Most organizations have social media use policies in place by now, and employees have come to better understand how to use social media securely when it comes to brand management and corporate reputation. But they are still sharing too much, according to Spitzner. And depending on their company or role, they leave themselves open to exploitation.
“Employees are still posting too much personal attacks about themselves,” he said. “And that information can be used in targeted attacks where that information is used to create a dossier about that person. It makes it easy for a nation state or competitor to create a targeted attack.”
Takeaway: How much of a concern this is depends on the employee’s role and the type of organization. But certain industries can be targets, particularly ones where the intellectual property relates to national concerns such as defense. Executives are also at high risk, noted Spitzner. A type of phishing attack that targets executives, known as whaling, often starts by developing a background profile on a CEO or other high-level employee. These employees should be carefully educated about what information is appropriate to share on social media, and what should stay out of public view.