Making security awareness training work


Tracey Caldwell, freelance journalist

Computer Fraud & Security, June 2016

Most security experts would agree that the weakest link in the security chain is human. There is an increasing acknowledgement that all employees need to have some level of understanding of the part they can play in keeping an organisation’s systems and data secure. Many organisations are providing security awareness training but there is real concern that this is simply not working. In fact, a recent survey by Axelos has found that professionals responsible for security awareness training were reporting that the training was largely ineffective.[1]

Axelos, a joint venture of the UK Government and UK firm Capita, which produces the Resilia best practice solutions, questioned 100 executives responsible for information security training in organisations with more than 500 employees. Only a third rated their training as ‘very effective’ in reducing the chances of an information security breach; less than half (42%) said their awareness learning is ‘very effective’ at providing general awareness of security risks; while fewer than a third said their cyber-security awareness training is ‘very effective’ at changing staff behaviours in relation to information security.

This is against the backdrop of the fact that companies that provide security awareness training are still in the minority. In fact a quarter of companies never carry out training to help employees spot email cyber-attacks and a quarter do so only once, when the employee joins the company, according to Mimecast, which conducted a survey of 436 IT experts at organisations in the US, UK, South Africa and Australia in March 2016.

Chart: Answers to the question ‘How frequently do you train your employees to spot email cyber-attacks?’ Source: Mimecast.


Even where training is provided, it is widely failing to do its job. Ian Kilpatrick, chairman of the Wick Hill Group, says: “There is plenty of training available; however, there is a significant difference between training staff and changing behaviour. Many organisations can waste money training staff and fail to manage the follow up to ensure that the training is effective in both the workplace and in the individual’s approach to security. Because of the mix and overlap between work and home, if you don’t change home security behaviour, it is hugely more difficult to effect change in the office.”

He warns: “One-off training, while helpful, can create a false sense of security. Over time, staff can and will drift back into old insecure habits.”

Security awareness training is often targeted at one group of staff or another. However, the key to delivering effective security awareness training is to ensure that all staff access it, as vulnerabilities may lie where least expected. Dawid Kowalski, technical director EMEA at FireMon, points out: “Even personnel with access to sensitive data, where one could assume they are aware of security risks, are often unconsciously ignoring the fact that simple, and at first glance, risk-free, activities might lead to major issues – for example, easy passwords or not following security guidelines.”


He adds: “One instance might be the hack into Hacking Team, a company almost completely made of information security experts with its business orientated on identifying security flaws and selling exploits. The real door-opener in this case was a set of insecure back-ups that led to the discovery of weak passwords stored in a clear text file on an encrypted volume used to then further exploit all resources.[2] The resolution is for all security-related rules to be followed by everyone within the organisation, as otherwise it might lead to compromise.”

Training alone is not the answer

Rohyt Belani, CEO and co-founder of PhishMe, believes that while Axelos’ study highlights a key problem with the current approach to training, training alone is not the answer. “Standard online training modules can actually disengage employees from the issue you’re trying to resolve because they are typically boring and out of context, allowing employees to ignore or quickly click through without engaging with the security content being offered,” he says. “Great for checking a compliance requirement, but completely ineffective in changing behaviour.”

Instead, in his view, companies need to condition their staff’s behaviour and engage and empower them to be part of the solution. “Immersive programmes are key to providing instant learning opportunities and real-world examples provide the needed experience around threats to avoid,” he says. “Getting a human eye on the front line of an organisation’s overall security strategy provides the highest-fidelity intelligence possible – after all, modern scams are devised by people, so it takes problem-solving brains like those of the workforce to spot them.

“With a behavioural conditioning programme,” he continues, “organisations can check staff’s awareness by simulating attacks, congratulating success and providing follow-up materials for those found vulnerable. This reinforcement, provided at the point of susceptibility, will be far more memorable than a click-through training session or booklet received out of context. Conditioning employees to act as human sensors will greatly reduce the organisation’s attack surface.”

Cath Goulding, head of IT Security, Nominet UK, believes that a particularly effective way of helping employees to understand and contextualise the risks is to share anecdotes about any near misses of the past, and let them know what the potential repercussions could have been.

Goulding’s approach at Nominet is personal: “We ask employees to share their own past experiences of cybersecurity threats, and offer training to address any issues that employees may have with their own personal cybersecurity. Offering more rounded and holistic training that addresses all aspects of an employee’s life online, including in their personal life, encourages them to develop good habits by stimulating them to think laterally about the different ways they are at risk.”


She adds: “Deploying a culture of security education, training and support, rather than fear of making a mistake, is a great way of keeping your staff engaged. A good way of doing this is to run competitions. At Nominet we have a clear desk policy and award those who keep their desk free of clutter, and drawers and computers locked, reducing the risk of sensitive papers or data being seen by the wrong people. It’s also key to maintain an open-door policy and be approachable – employees shouldn’t feel scared to come forward if they are unsure about an issue of data security.”

In regulated sectors, training on awareness of security risks is widely mandated, but in other sectors security managers can find it hard to make a business case for a training budget. When security awareness training works, the company is much less likely to suffer a data or systems breach, but the benefit of this is hard to quantify. According to Ian Trump, security lead at LOGICnow: “In the private sector I feel there is not enough – or in fact any – training around security risks as a general practice. The problem with security awareness training (SAT) is that it’s difficult to record success. When SAT works – when a phishing email is not opened – nothing happens and it’s business as usual.”

Insider threats

Insider threats are a growing concern and some security experts argue that general training around awareness of security risks does little to counter this. Internal attacks are still one of the main cyber-security risks yet not every organisation takes them seriously when it comes to making staff aware of that possibility. “Our own study at Clearswift with a focus on insider threats revealed that 72% of those surveyed believe internal security threats are not treated with the same importance as external threats by the Board, and 14% said internal threats won’t be taken seriously enough until their organisation experiences a serious internal data breach,” says Guy Bunker, SVP at Clearswift.


He adds: “Training on awareness on internal risks is key, but it appears that it is still not being taken seriously at executive level. This needs to change and businesses need to start focusing on the internal factors to protecting data before data falls into the wrong hands.”

Yet there are risks associated with covering this during awareness training. At examination institute APMG, lead cyber-security assessor Andy Taylor outlines: “Rarely does awareness training mention insider threats despite this being one of the more common forms of data leakage in particular. But that is not so surprising. Data leakage (stealing or otherwise misappropriating company assets for personal gain) is most frequently carried out by disgruntled employees, perhaps those who have been reprimanded or even dismissed. While this kind of incident poses a very real risk, raising it at a cyber-security awareness training session could be counterproductive – as it suggests that if an employee felt compelled to leak data, he or she could be successful in doing so.”

A lot of security awareness training is focused on end users to improve their behaviour but as Matt Walmsley, EMEA director, Vectra Networks, points out: “The insider risk is more challenging to educate on as you are educating the potential insiders. There needs to be a greater focus on IT and security teams to enable them to architect process and technology, such as behavioural-based detections to spot suspect and insider threat behaviours early so that an intervention can be made before issues escalate into critical incidents.”

Privileged users

Certain users have more access than anyone else to the system and it may make sense to target higher levels of awareness training at these groups. One example of this is privileged users. Bruce Jubb, head of UK, Ireland & Nordics at Wallix, points out that privileged users are a relatively small but essential group in any organisation. “They maintain the IT infrastructure and have access to critical systems and confidential data unavailable to others. For this reason their credentials are almost always targeted by hackers and yet awareness of best practice in privileged access management is extremely low. Security training is not typically tailored to this highly skilled group who, in protecting the company’s crown jewels, are likely to become targets themselves,” says Jubb.

Learning and development content must be appropriate to this group’s skills and understanding and Jubb cautions against talking down to them. It must also be real-world, reflecting the realities of their situation: “If they are using products to manage privileged accounts, ensure that product training is up to date and well understood: for example, understanding the risks of sharing passwords among the group. In many cases, privileged access is managed manually on an ad hoc basis and this is where we see the big security blunders such as keeping all privileged access passwords in one document on the system.”

He also points out that privileged users should be included in other aspects of training, such as compliance, because of the levels of access to the system they have. “This is going to become increasingly relevant as organisations start training staff in preparation for the EU’s data privacy law, the GDPR, which comes into force in 2018,” he explains. “Penalties for non-compliance can be up to 4% of a company’s global turnover, so ensuring that this group has the right tools and training should be a top priority.”

Top tips to foster a security awareness culture

Kaspersky has put together 10 tips to help make communicating the issues of security to your business a little easier:

1. Address your audience correctly. Avoid calling anyone ‘users’ – it’s impersonal and can leave your audience feeling a little disassociated from what you’re saying. Use ‘employee’, ‘colleague’ or ‘person’ instead.
2. Use the right tone of voice. An approachable and friendly tone will help you communicate to your audience more effectively, ensuring you educate your colleagues on what they can each do to protect the business.
3. Get support from the HR and legal teams. Where necessary, they can put real policies in place and provide support if breaches are made.
4. Keep colleagues informed. Consider the timing and frequency of your IT security inductions and briefings. Ensure they are regular and memorable.
5. Use your imagination. There are lots of ways to make information more engaging. The more creative and interesting, the greater the chances it will be read. Try comic strips, posters and quizzes.
6. Review your efforts. Has your information sunk in? Test your colleagues and see what they have remembered and what they have forgotten. A quiz on the top five IT security issues is a good place to start.
7. Make it personal. Tapping into your colleagues’ self interest will help them gain a better understanding of the importance and context of IT security. For example, discuss how security breaches might affect their mobile devices.
8. Avoid jargon. Most people will not have the same depth of knowledge as you, so make sure you explain everything in a way that is easy to understand.
9. Encourage an open dialogue. Ensure people understand the consequences of a security breach and the importance of keeping you informed. Some people may fear they will be disciplined if they have clicked on a phishing email and as a result they will avoid notifying the correct people.
10. Consult the marketing team. When it comes to internal communications within your organisation, they are the experts – so ask for their help on how to best engage your colleagues.

Sheep dip training

Security awareness training is not a one-off, tick-box exercise but that continues to be the way that many organisations deliver it. Orlando Scott-Cowley, cyber-security strategist at Mimecast, says: “Any form of training, when executed badly, is ineffective. Most organisations that deliver cybersecurity training to their staff do it on an occasional and irregular basis. The default ‘sheep dip’ training during the employee induction process is only a thin veneer of knowledge for what is a deep and varied topic.

“Updating this veneer once or twice a year with mandatory ‘lunch and learn’ does nothing to instil a willingness to learn in employees. The other side of the irregularity problem is the speed at which the cyber-security threat changes.

Organisations are not telling their staff about the latest threats that evolve every month.”

The best awareness training programmes use the drip-feed method, passing on a little more information or reminders every week, according to Taylor at APMG. “Perhaps more importantly it should be emphasised that senior managers who often don’t follow the standard new entrant route into an organisation because they are seen to be ‘above’ that need must also be educated. Whaling – getting information about senior staff members to use for a phishing attack – is one of the most effective attack vectors. An email from your boss asking you to do something urgently is almost always going to get a response.”

Taking a fresh approach

Mimecast’s Scott-Cowley recommends delivering security awareness training regularly and through a variety of mechanisms. “Email updates, SMS messages, desk drops, office floor walkers, hackathons and even your own bug bounty programme are all ways of getting your staff more involved in your security processes,” he says.

It is not enough to give employees security awareness. The key is to leave them clear as to what action they should take when they have a security concern. Nick Garlick, MD at Nebulas, has long experience of finding that users are the weakest link in an organisation’s security. “Organisations need to look for opportunities that empower their educated ‘security aware’ users to become a new line of reporting and identification capabilities,” he says. “Rather than just knowing when to delete or ignore a suspect email link, better to escalate it back to the security operations teams so they can augment their other detection solutions and build a richer picture of the current threats.”

Nominet’s Goulding points out that it can also be very effective to use more practical methods to raise awareness, such as running a training exercise with an external penetration tester. “These companies can run exercises that range from testing employees’ willingness to let a disguised stranger into the office, to sending white hat phishing emails and posing as phone scammers,” she says. “After the exercise is complete, the results can be shared with the entire company, allowing those who were duped to share their experience with others and relay just how easy it is to be tricked. This shouldn’t be seen as an opportunity to name and shame, but more to show how sophisticated these scams have become.”

Trump at LOGICnow highlights another way forward: “I think there should be a mandatory minimum awareness programme perhaps just focused on PII and PCI required for a business doing over £500,000 in annual revenue – it does not have to be an elaborate programme, but the most important part is really identifying who to go to when there is a question about security.”

What makes for effective training?

APMG believes there are two core attributes that training departments or training suppliers should possess for effective training delivery: good technical knowledge, to be able to answer questions correctly but in a non-technical way, and excellent teaching skills, to ensure that they relate to and build a relationship with their students, so that the process is not about lecturing but teaching.

Many organisations deliver security awareness training through e-learning modules. This can be a cost-effective and consistent way of delivering training, particularly for multinational organisations, but it does have its limitations. Learning and development professionals are increasingly recommending blended learning as best practice, where e-learning modules are supplemented by classroom training, coaching and mentoring. APMG’s Taylor says: “Blended learning is best for a number of reasons. There is good evidence to show that different styles of education suit different types of people. Not everyone learns in the same way. Use of blended learning will help to ensure that everyone gets the right messages through one medium or another. It also allows different ways of delivering the same message and different styles of presentation suit some messages better than others.”

He adds: “Coaching and mentoring are suitable for those who need more advanced knowledge and also peer-to-peer learning is certainly a good way. Getting a local expert who can answer those ‘silly’ questions people are often too embarrassed to ask is by far the best way of getting messages out. If the local expert can’t help then he or she will know where to go to get the better information. The local expert must be approachable, though, and must not be a techie who uses techie language.”

While there is plenty of training available in a variety of formats – face-to-face, online, CBT, etc – the quality of the training and how much it is used is a different issue, says Taylor. “Using independently certified courses helps to ensure that only the correct and appropriate information is passed on. For example, some awareness training courses have been certified through the GCHQ Certified Training scheme, which checks the technical content of the course to ensure it is appropriate and correct as well as the technical knowledge and teaching ability of the trainer.”

In an era of globalisation, training delivery for security awareness must tap into the latest technology methods of social communication. Mobile training delivery is key and learning content must be relevant, engaging and fit for purpose for the digital natives that now make up half the workforce. Yet Taylor points out: “Those brought up with technology and seemingly better informed than the older people in the community still need to be told and reminded of the risks. Because they are very familiar with technology there is a risk they will put too much trust into it and assume it is all safe. The message is getting out there, but the fact that recently someone set up a wifi hotspot called the ‘Fraud Hotspot’ and many people connected to it because it was free, shows there is still a lot to learn.”

A positive spin

One of the key factors to ensure the success of training is for those sent on training courses to accept that there is a need to be trained. Sending people with little or no explanation as to why the training is required is useless, in Taylor’s view. “They will be in a negative frame of mind from the start and that won’t help,” he says. “The culture of the organisation has to be sympathetic to the information security messages and this starts from the very top. CEOs that frequently say they take information security very seriously, offering rewards for good practice, for reporting security issues quickly, for making suggestions to improve it, will help to set the right tone and then the messages are falling onto much more fertile ground.”

Paul Fletcher, cyber-security evangelist at Alert Logic, recommends highlighting the positive. “Security is generally viewed as a negative thing and people hear a lot of negative words and stories about what happens when things go wrong,” he says. “We should highlight success stories of when things go right. We should reward people that say something and especially reward people when they find a significant security issue.”

Testing, testing

APMG’s Taylor explains: “To change behaviours, [training] would need to be repeated at frequent and regular intervals and to have some testing mechanism. For example, a major US company with significant defence contracts spends a lot of money on teaching its staff not to click on links in emails or to open the attachments. Dummy phishing emails are sent out to every member of staff on an irregular basis. Click on a link once and there is an informal warning. Repeat the activity and there is a formal warning and on the third time dismissal is possible. This has the ability to change behaviours.”

The final piece of the puzzle is to confirm that effective assessment and measurement takes place to make sure the training has worked.

“A critically important aspect to the success of security awareness and training programmes is to measure the effectiveness of the programme,” says Simon Viney, a director of security science at Stroz Friedberg. “All too frequently the only measurement performed is ‘activity based’, such as whether a certain percentage of employees completed an e-learning package on a certain date, rather than ‘output based’ – such as whether differences in employee behaviours before and after the training can be measured. Activity-based measurements demonstrate nothing in relation to the effectiveness of the training and only effective training will bring about the desired security awareness.”

Security awareness throughout the organisation

There is growing evidence that organisations are acknowledging the need for a culture of cyber-security awareness throughout the organisation. “The role that an individual plays in an organisation’s overall approach to cybersecurity and risk management is crucially important and our recent ‘Risk:Value 2016’ report indicates there is greater awareness of the criticality of good data management practices at a senior level,” says Stuart Reed, senior director, NTT Com Security.[3] “This is in contrast to our findings in a previous report where attitudes suggested that one department or individual was responsible for IT security.”

Chart: Answers to the question ‘What do you see as the single greatest risk to your business?’ Source: NTT Com Security.

Security mindset

David Emm, principal security researcher at Kaspersky Lab, points out: “You can’t train staff to be secure, in the way that you can train them to make effective use of a word processing or other application. Rather, cyber-security education is about developing a security mindset that conditions how employees think about security in any situation they encounter.”

He adds: “It’s vital to find imaginative ways to ensure that security issues are understood by employees at all levels. Security must become part of the company’s wider culture: otherwise, it’s like doing the housework once and imagining that this will suffice to keep the house clean.”

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

References

1. ‘Cyber Resilience: Are your people your most effective defence?’. Axelos/Resilia. Accessed May 2016. www.axelos.com/Corporate/media/Files/RESILIA_Report-16.pdf
2. ‘Hack Back! A DIY guide’. ‘Antisec’. http://pastebin.com/raw/0SNSvyjJ
3. ‘Risk:Value 2016’. NTT Com Security. Accessed May 2016. www.nttcomsecurity.com/en/landingpages/risk-value-2016/
