One might think that stopping malware, phishing, and a whole host of email-borne attacks was akin to stopping rain during a hurricane or snow during a blizzard. It is ubiquitous and relentless. And despite promising advances in technology, so much malware still gets through cyberdefenses that the proverbial last line of defense, the end user, is often also the first line of defense. But while no one can stop the weather, there might be some hope of at least reducing the damage of malware.
Despite the inevitable human failing when it comes to clicking on email-based attacks, the human defense is getting stronger. A variety of approaches to user education and training are the key, according to practitioners and experts.
Take, as an example, the robust measures implemented by David W. Loewy, CISO at the State University of New York’s (SUNY) Downstate Medical Center in Brooklyn. The fourth largest employer in the city, SUNY’s Downstate operation combines education and a pure research facility, Loewy says. It is the location where Viagra was conceived, as well as the first heart-lung bypass machine. It also houses a large hospital.
Taken together, Downstate is a major target of attackers, chock full of patient and worker personally identifiable information (PII), as well as valuable intellectual property. “Since it is easier to steal research than to perform it, we get hit at least 50 times a day just by the Chinese,” says Loewy.
But Loewy does not assume the bad guys will succeed. In fact, he has crafted a very aggressive program to inform and involve end users in order to keep attackers at bay.
“Right now, we have about 8,500 email addresses, including our students, so it was critically important to put together a program so everyone understands how vulnerable we are and how to really be on guard,” Loewy explains. With as many as one-third of malicious emails containing either viruses or malware, even with the best defense software, “we can catch some, but that leaves the rest.”
Loewy says he has learned that everyone in the organization must understand how critical their job is. Citing multiple industry studies, he says the click rate — the frequency with which users willingly “click” on questionable links — stands at approximately 35 percent, varying somewhat between different studies. Nearly as many users, on average, not only click but provide credentials as well. “We got one recently that claimed to be from LinkedIn and said the credentials were needed to update a profile page,” Loewy adds. An estimated 17 percent of individuals will fall for that particular request, he notes.
However, thanks to Downstate’s ongoing education programs, that rate is down to approximately seven percent, he says. And the rate of clicking on suspicious links is also down in the single digits.
What’s the secret? “My program is called You are a Target; we try to emphasize what’s in it for the individual,” he says. Monthly emails go out with updates, reminders, and information on the latest scams — and the emphasis is not only on helping Downstate but on keeping the individuals safe in their personal and family emails. At least once a year, everyone in the organization is required to sit in front of a live presenter — often Loewy himself — who will tell them what to look for to avoid phishing and malware.
“When I am in front of people, I say: ‘This isn’t the last time you’ll see me.’ We try to stay in people’s faces all the time so it doesn’t go to the back of their brains,” Loewy adds. “We even post reminders in the restrooms!”
Loewy also operates a consistent, ongoing phishing program of his own. “We phish everyone,” he says. Those who take the bait get identified — except for union members who just get directed to an anonymous online training exercise. But others, the non-union staff, can face reminders or worse if they become repeat offenders.
At Travelers, the New York City-based insurance giant, there is a similar focus on training, according to Kirstin Simonson, the company’s global technology cyber lead based in the Minneapolis area. “The more employees understand the risks, how to avoid them, and what to do if something happens that may put the company at risk, the better prepared the employer will be to manage and respond to an incident,” she says.
Human behavior continues to play a role in data breaches and network events, she notes. Yet, too few organizations take the situation seriously. “We’re seeing that many businesses are not training their employees on this,” Simonson says. In fact, in the most recent Travelers Risk Index, only 54 percent of the more than 1,200 companies surveyed said they had staff training or testing on computer and data security and only about half of respondents had written IT/security policies and procedures in place, Simonson adds.
Understanding that human element is a good place to start. Jason I. Hong, a professor at the Carnegie Mellon School of Computer Science and head of its Human-Computer Interaction Institute, says, “We have done a lot of behavioral studies on end users; when we started in 2005 there was a question as to whether training could work at all.”
In fact, he says, it was a mixed verdict. Training can help but phishing and malware authors are getting cleverer every year. That is why human gullibility still figures prominently in the Verizon Data Breach report and similar studies from Microsoft.
“And, that is why the human element is still really important,” he says.
Recognizing that fact, Kayne McGladrey, director of security and information technology at Pensar Development, an engineering consultancy in Seattle, says continuously phishing end users is the best way to help them identify phishing and other potentially malicious content. “This continuous exposure [to phishing] should take a variety of forms, from email-based phishing to direct messages on social media.”
McGladrey says short, actionable, culturally relevant education initiatives on a regular schedule are recommended because “users don’t want to sleep through the mandatory ‘October is cybersecurity month,’ two-hour, PowerPoint presentations.”
Training modules should be short — five minutes or less — and sent out regularly. If possible, they should be tailored to an individual’s role in the organization, so that the finance department is receiving training about business email compromise (BEC) and identity validation procedures rather than the latest zero-day exploits, he says.
Finally, he says, the training should be appropriate for the organizational culture; the training that works for a Fortune 500 company looks very different from that for a 10-person services firm.
Additionally, user security awareness training should not start with “How to spot phishing emails”; it should start “with educating users on why security awareness matters,” and with explaining who the potential attackers are, according to Roselle Safran, president of Rosint Labs, a cybersecurity consultancy, and the cybersecurity operations branch chief in the Obama White House.
“There are two words that come to mind when I consider what works best: consistency and relevance,” says Kathleen Hyde, chair of cybersecurity programs at Champlain College Online. Consistency, she explains, refers to organizations actively engaging in ongoing education, training, and testing programs for employees. Consistency also means end users developing and utilizing so-called best practices not just when they are being monitored, but each time they use a device that is connected to the Internet.
The second word — relevance — “has to do primarily with end users,” Hyde says. “If they can see the impact their actions will have on them personally and professionally,” there is a greater likelihood they will slow down and take the time to read through an email to determine whether it is part of a phishing campaign or carries an attachment that could contain malware, she explains. In other words, education means using real-world examples to demonstrate how simple missteps can result in consequences that range from the need to change a password to financial ruin.
Of course, the approach must vary by industry and company size, but the biggest variable is available resources. “If an organization views education to prevent the potential losses associated with phishing and malware as an investment, resources will be allocated, regardless of an organization’s size or industry,” she says.
On the other hand, if an organization has not experienced a loss, or perhaps does not realize that it has experienced a loss, had an event that disrupted operations, or is not required to take action to maintain regulatory compliance, the resources needed to fund and support security efforts probably will not be made available.
“In my experience, larger organizations are more likely to make this investment,” says Hyde. Smaller organizations, while cognizant of the need for education and the ramifications of not educating employees, often want to provide training and even perform testing, “but don’t know where to start.” Further, the resources might only be available for a training or a campaign, but not an ongoing effort.
Testing and validation are important, she notes, but it is wise to start with data. “Testing employees prior to providing training is best because then an organization will have a starting point or baseline,” she says. Further testing should follow training.
Periodic phishing campaigns, like those conducted at Downstate, can help identify gaps, “especially when new threats become known or new employees are hired,” Hyde adds. Like education, testing and validation must be ongoing and not just take place when an organization needs to check a box because there is going to be an audit.
Simonson concurs on the importance of testing. Measuring the effectiveness of training and sharing results of these exercises with employees is also important. “Share the pass rate and some key concepts post-exercise,” she urges. And, as unpopular as the topic might be, Hyde says, when education fails, “risk management may mean reduction in the workforce.”
Technological assistance is another area in cybersecurity where organizations need to look through the proverbial fog. There are more phishing simulators, training technologies, and marketing hype about automation, optimization, and artificial intelligence than ever before, McGladrey says. He believes the best way to choose a tool is to create a focus group within the organization, including cultural leaders and technical experts.
“They should work to select two or three vendors and review the training and phishing options available and determine how well those would be received by the larger organization,” McGladrey adds. And, he notes, internal phishing campaigns should be coupled with an automated way for users to report phishing to a security analyst or security operations center.
Additionally, Hyde recommends some common-sense ideas for reducing risk. For example, aside from the obvious, such as filtering all incoming email, Hyde advises using monitoring to discourage employees from using corporate email resources for personal purposes at work. “Suggest employees use online email services, like Gmail, for their personal accounts so that those emails are automatically filtered and the risk of infection from malware is reduced,” she says.
Lastly, adds Simonson, do not forget to think about the vendors and service organizations that come onto the property. Are they being vetted or trained to ensure they understand how to aid in managing the network and information security assets of the company?
According to the Travelers Risk Index, only 37 percent of businesses surveyed said that they have conducted a cyber assessment for vendors who have access to the company’s data. “It’s an important consideration,” Simonson says.
And, if you really want to get employees “on board,” Brian Gill, chairman of Gillware Data Recovery, suggests taking things up a notch. One of the best ways to capture your employees’ attention is by incentivizing training and practice, he says. There are three incentives that motivate most employees — money, time off work, and free food. “With a combination of all three, you can create a captivating training experience,” he says.
For example, he says, you could try hosting a half-day event with catered food, where employees get the other half of the day off as an incentive for being in attendance. Beyond the actual training experience, you can continue rewarding employees for implementing what they learned. “An example of this could be employees who change their password every 90 days without you having to ask them will receive a gift card or a free lunch,” he adds. And yes, that kind of free lunch might just get people’s attention.
There is speculation regarding the potential to “automate people out of the process,” Hong says. “That is actually a good strategy if you can do it reliably; if you are certain that something is a scam, you should block it.” However, that is only a part of the picture. Big Fortune-type companies that can afford the most advanced security still have breaches, and they are still struggling. “Then there is the long tail of thousands of SMBs and mom-and-pop companies that can’t afford that kind of security; they will have even more of a struggle,” he says.
Thus, with no clear malware cure-all on the near horizon or even years out, training must remain a key area for investment, he adds.