Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Reducing the risk that your people pose to your organization

By James Moore.

Increasing reports of compromises by well-funded and resourced attackers are raising the profile of cyber security to such an extent that headlines of data breaches are becoming mainstream. On a regular basis, reports are being released showing the skill and persistence of attackers. Advanced attacks such as spear phishing, watering holes booby-trapped with custom malware and zero-day exploits, even entry via supplier links are all being reported on an almost weekly basis. And all of these attacks have one thing in common - they target individuals.

Generally, we still see that most organizations rely on traditional security controls in the form of technology such as anti-virus, firewalls, SIEM etc to protect their critical assets. However, the increasing importance of employee security awareness is often overlooked and instead only basic awareness training is given, focussing available resources on deploying and testing traditional security controls.

People and process are frequently disregarded when it comes to improving security posture, partly because the security risk they pose to an organization is difficult to measure and track. This a crucial issue with cyber security and has been for many years. Those organisations that take a traditional risk-based approach to security will struggle to get buy-in from senior management to address a risk that they haven't been able to quantify, or even prove exists in many cases.

The problem is that as the perimeter security of organizations increases, attackers are looking away from penetrating hardened external infrastructure and technology to a much weaker area: employees. This is for the simple reason that an organization that already recognises the need for technology and security solutions will, for the most part, harden their perimeter security to the point where an attacker's easiest way in is to target the employees.

At this stage, not improving the security of personnel and processes will almost entirely undermine the investment in most technology-based solutions, as an attacker will just step over them.

With so much information regarding an organization’s employees available online, the most common way to exploit employees in an organization is a phishing email that targets the user and attempts to attract them to click on a link or attachment. These can be anything from promises of deals or offers to emails that purport to be invoices or banking statements. Phishing assessments against employees have shown that as many as 60 percent to 90 percent of employees are susceptible to these attacks: effectively allowing an attacker to jump right over the traditional security controls that so many organizations are still heavily investing in and relying on.

To combat this, practical employee security awareness training needs to happen frequently in addition to the traditional awareness training most organizations already use. Managed phishing assessments, for example, act as a 'cyber fire-drill' for employees, regularly exposing them to various realistic attacks but in a controlled environment.

One of the interesting parts of these engagements is monitoring what users do when they do actually detect an attack: often the correct process to follow isn't known. This brings in the second critical factor: process. When employees fail to report attacks to the correct business department, it results in a greater exposure than an organization would have otherwise had.

Regularly exposing employees to controlled attacks not only teaches them how to spot them, but also hammers home the security process to follow, dramatically reducing the organization's exposure to attack.

Top five tips to reducing a hacker's attack surface:

  • Do not rely solely on security technology;
  • Teach employees to think before they click; security technology will not stop every malicious email getting through, therefore employees must be vigilant;
  • Get employees to recognise bogus emails and not click an un-trusted attachment or link;
  • Carry out regular phishing assessments;
  • Train staff in the proper process to report phishing emails and who to notify in case they clicked purposely or by error; ideally to be carried out within 15 minutes.

The author
James Moore is senior consultant for Phish’d by MWR InfoSecurity.

•Date: 2nd October 2014 • World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here