IT departments all over the world have long struggled to protect their organization’s identities against attackers who try to access information. In recent years we have seen an increase in cyber-attacks that focus on phishing and on obtaining user access in order to reach organizations’ data. It’s no wonder, therefore, that many IT people say employees are the weakest link in the identity security chain. According to an Osterman Research, Inc. study, only 20% of IT team members are confident in their users’ ability to avoid clicking a scam link.
Per the Verizon DBIR from 2016, 23% of all cyber-attacks on organizations use phishing methods, and this number is on the rise. Add to it that, when tested, 13% of employees (even tech-savvy staff or executive management) fall prey to phishing attempts – meaning over a tenth of your company’s workforce will statistically still click on dangerous links or download suspicious files. Moreover, according to McAfee research from 2015, global cybercrime costs were estimated at $450 billion, and the World Economic Forum places the cost of cybercrime in 2016 at $445 billion.
If these numbers are not enough to cause concern, attackers are getting increasingly sophisticated. Spear-phishing (a targeted phishing attempt that uses personal details), and even distributing free malware-infected USB devices around the workplace, are becoming more common. Given how often attackers obtain employee credentials, combined with Active Directory privilege escalation methods that can give them admin access, it’s easy to make the case for employee education.
Of course, as the department responsible for IT or security in your organization, you will want to assume a chunk of the responsibility. You have already implemented robust security solutions to defend your organization’s information in case of identity theft. However, none of this means you cannot treat your workforce as the first line of defense instead of thinking of them as the weakest link. Education and training are key to achieving this.
Education and training plans
According to a recent Osterman Research study, only around 20% of IT team members believe their end-user training is sufficient to protect the organization against phishing attempts – today’s employee education is simply not enough. Moreover, over half of IT employees believe it’s highly likely that someone in their organization will fall prey to phishing if exposed to it. The same research finds that IT team members in organizations that run employee security awareness training at least twice per year have more faith in their end users.
So how do you deal with these concerns, especially given the growing sophistication of phishing and malware? Start with the following steps towards better employee education and greater trust in your end users.
Establish detailed policies
Most organizations never compile detailed policies to share with employees on which technology tools are officially allowed or not allowed by the company, or what the requirements are regarding passwords, encryption, social media usage, personal connected devices, and so on. Establishing and sharing your policies aligns employees and removes the grey zones in technology usage.
Make best practices known to employees
People don’t always have the ability to find the best practices that fit their level of permissions and access and your organization’s requirements. By making best practices known to your employees, you make it significantly easier for them to defend the organization’s perimeter. For the most part, people in your organization do not mean to be the cause of a breach; they just need to know what to do to be better defenders of their realm. Where possible, you should enforce the best practices (for example, by setting up mandatory password policies). But you can’t enforce everything, so share your knowledge with others. Not everyone understands the dangers in scam emails, file sharing software, social media, or public Wi-Fi.
Create training plans that work
While more than half of organizations have some sort of security awareness training, many find it’s not as effective as it could be. But if you invest in training, you can design for effectiveness from the get-go. Avoid superficial tutorials or quarterly 2-minute video clips. Build a comprehensive education plan that goes beyond the occasional PDF emailed to the entire workforce. If you want, there are vendors who can help you build and conduct the training. Once you explain to executives how high the costs of identity theft are and how susceptible your employees may be, the ROI on such training will become evident.
Test! Test! Test!
Even if you have shared best practices with everyone, it’s important to remember that phishing is evolving and attackers are getting increasingly sophisticated. Therefore, phishing remains a major concern in many organizations. Companies that perform phishing simulations typically find they have at least one susceptible employee. The best way to tackle this issue is by conducting random simulations: random groups, random times, and random personalized-phishing templates. You should expect that all of your workforce will participate in the tests eventually. Evolve your tests as you hear about new and emerging phishing methods. The results are almost guaranteed to come as a shock that rattles people enough that they will be more mindful of phishing and its consequences going forward. Testing also benefits you because it indicates where the major vulnerabilities are in your organization, so you can invest more in education where it is needed.
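The simulation program described above (random groups, random times, random templates, everyone tested eventually, results broken down to show where extra education is needed) can be planned and measured with a small script. This is an added example, not code from the original article; the roster, template names and outcomes are constructed sample data.

```python
# Added example (not from the article): plan random simulation waves and
# summarise per-department results. Roster and outcomes are constructed data.
import random
from collections import defaultdict

# Constructed roster: (employee id, department)
ROSTER = [
    ("e01", "Finance"), ("e02", "Finance"), ("e03", "Finance"),
    ("e04", "Engineering"), ("e05", "Engineering"), ("e06", "Engineering"),
    ("e07", "Sales"), ("e08", "Sales"), ("e09", "Executive"),
]
# Constructed names for the lure templates the simulation tool would send
TEMPLATES = ["template-invoice", "template-password-reset", "template-shared-doc"]

def plan_waves(roster, waves, seed=None):
    """Shuffle the roster into `waves` groups, each with a random send day (within
    a 90-day cycle) and a random template; every employee lands in exactly one wave."""
    rng = random.Random(seed)
    ids = [emp for emp, _ in roster]
    rng.shuffle(ids)
    return [{"wave": i + 1,
             "day_offset": rng.randint(0, 89),
             "template": rng.choice(TEMPLATES),
             "employees": ids[i::waves]}        # stride slice covers each id once
            for i in range(waves)]

def full_coverage(plan, roster):
    """True when each employee appears in exactly one wave of the cycle."""
    seen = sorted(e for w in plan for e in w["employees"])
    return seen == sorted(emp for emp, _ in roster)

def click_rate_by_department(roster, results):
    """results maps employee id -> True if they clicked or submitted credentials.
    Returns {department: (clicked, tested, rate)} to aim extra training."""
    dept_of = dict(roster)
    clicked, tested = defaultdict(int), defaultdict(int)
    for emp, did_click in results.items():
        tested[dept_of[emp]] += 1
        clicked[dept_of[emp]] += int(did_click)
    return {d: (clicked[d], tested[d], clicked[d] / tested[d]) for d in tested}

# Constructed outcome of one cycle: who fell for their wave's template
RESULTS = {"e01": True, "e02": True, "e03": False, "e04": False, "e05": False,
           "e06": True, "e07": False, "e08": False, "e09": True}

if __name__ == "__main__":
    plan = plan_waves(ROSTER, waves=3, seed=7)
    print("everyone tested once:", full_coverage(plan, ROSTER))
    for dept, (c, t, rate) in sorted(click_rate_by_department(ROSTER, RESULTS).items()):
        print(f"{dept:12s} {c}/{t} clicked ({rate:.0%})")
```

Departments with the highest click rate are where the next training cycle should concentrate; re-running the plan with a new seed each cycle keeps groups and timing unpredictable.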
All these best practices should significantly reduce your users’ susceptibility to malicious attacks and identity theft. Even so, you should be realistic. You will see your workforce become increasingly effective at defending the security of your organization’s data, but it will not make you 100% attack-proof. It is ultimately up to the IT and security departments to strengthen defenses, swiftly discover any infiltrator, and save the day when a breach is detected.