Beyond training: why organisation-wide security education is just one piece of the puzzle


It’s European Cyber Security Month throughout October and industry stakeholders are doing their bit to drive improvements in user awareness and education. Given the scale of online threats facing organisations today, that’s only right. But we must remember two important caveats. User education has to go all the way to the top to be truly effective, as it’s the C-suite that holds the purse strings to future infosecurity investment. And even then, these awareness programmes can only go so far. Ultimately, the “people” part of cybersecurity best practice must be driven alongside “process” and a layered technology approach.  

On the frontline

The endpoint increasingly represents the frontline when it comes to the battle against cyber threats. This is partly because it offers attackers a perfect opportunity to target what they view as your organisation’s weakest link: its people. Phishing attacks are endemic today. They accounted for 93% of data breaches analysed by Verizon last year. But they can also lead to ransomware, banking trojans, crypto-mining malware and much more. There’s also a growing endpoint risk to IoT devices, which often remain under-protected despite offering an attractive beachhead into corporate networks, and/or opportunities to sabotage key business processes.

If you’re hit, remediation and clean-up charges, possible legal costs, and productivity losses can all mount up. But customer attrition can be even worse: a quarter of UK consumers said they’ve boycotted firms that mishandled their data. Then there’s the regulatory impact: GDPR rules leave nowhere for firms to hide. It’s no surprise that costs from endpoint attacks rose 42% from last year to this, at an average of $440 per endpoint affected.

Educating up

Given the scale of the challenge, it makes complete sense to improve user awareness. Well-targeted, bite-sized lessons in security best practice, such as how to spot phishing attacks, can help turn your employees into a solid first line of defence. It’s also recommended by both the GDPR and the NIS Directive as a way to drive a “security by design” culture within organisations.

But training must be organisation-wide. This includes technical teams — for example in-house or contracting developers. Increasingly, threats such as crypto-jacking take advantage of web coding errors, which makes it essential that developers understand the importance of security throughout the development lifecycle.

Education must also go all the way up to the top.  

Why? Partly because the C-level has access to highly sensitive documents, and is also more likely to fall for scams. The largest group (41%) of infosec pros polled recently claimed this demographic was the most likely not to follow IT department rules. But more important than this: without C-level buy-in, security initiatives may perish and you could be left exposed in crucial areas like patch management. You need stakeholders at the top to help create that all-important organisation-wide security culture.

Beyond training

Yet although company-wide user training and awareness is essential, it can’t alone stop threats. Human error means mistakes will always be made. This is compounded by the fact that many cyber-attacks don’t rely on humans at all. The infamous WannaCry and NotPetya ‘ransomware’ attacks of 2017 spread more like a traditional worm, scanning for exposed SMB ports and then using the EternalBlue exploit to infiltrate networks. NotPetya then used customised versions of Mimikatz to grab network credentials from privileged accounts which it used, in combination with PSEXEC and WMIC, to spread laterally inside organisations.
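The PsExec and WMIC lateral movement described above leaves traces in process-creation telemetry that a detection team can alert on. The following is an added example, not code from the post or from Ivanti: it runs a few simple rules over constructed, simplified process-creation records (the `host|user|parent|image|cmdline` layout, the host names and the command lines are all made up for this illustration and are not a real Windows or Sysmon event format). It flags remote `wmic process call create` invocations, the `PSEXESVC` service binary being launched by the service control manager, and worm-like fan-out where one host issues remote execution against several targets.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample records: host|user|parent|image|cmdline (not real telemetry).
SAMPLE_EVENTS = [
    r"WS01|CORP\alice|explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:WS02 process call create C:\tmp\payload.exe",
    r"WS01|CORP\alice|explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:WS03 process call create C:\tmp\payload.exe",
    r"WS01|CORP\alice|explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:WS04 process call create C:\tmp\payload.exe",
    r"WS02|NT AUTHORITY\SYSTEM|services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe",
    r"WS05|CORP\bob|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption",  # local, benign
    r"WS06|CORP\carol|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

# Pulls the target out of a "/node:HOST" or "/node:"HOST"" argument.
NODE_RE = re.compile(r'/node:\s*"?([^\s"]+)', re.IGNORECASE)
# Assumed threshold: this many distinct remote targets from one host is worm-like fan-out.
FANOUT_THRESHOLD = 3


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into fields; image is reduced to its base name."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return {
        "host": host,
        "user": user,
        "parent": parent.lower(),
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def detect_lateral_movement(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per rule hit over the supplied records."""
    alerts: List[Dict[str, str]] = []
    targets = defaultdict(set)  # source host -> set of remote hosts it executed on
    for line in lines:
        ev = parse_event(line)
        cmd = ev["cmdline"].lower()
        # Rule 1: WMIC used to start a process on another machine.
        if ev["image"] == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
            m = NODE_RE.search(ev["cmdline"])
            target = m.group(1) if m else "?"
            targets[ev["host"]].add(target)
            alerts.append({"rule": "wmic_remote_exec", "host": ev["host"],
                           "user": ev["user"], "target": target})
        # Rule 2: the PsExec service binary started by the service control manager.
        if ev["image"] == "psexesvc.exe" and ev["parent"] == "services.exe":
            alerts.append({"rule": "psexec_service", "host": ev["host"],
                           "user": ev["user"], "target": ev["host"]})
    # Rule 3: one source host fanning out to many targets within the batch.
    for host, seen in targets.items():
        if len(seen) >= FANOUT_THRESHOLD:
            alerts.append({"rule": "remote_exec_fanout", "host": host,
                           "user": "", "target": ",".join(sorted(seen))})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

The local `wmic os get caption` on WS05 is deliberately left unflagged: the remote-execution rule keys on both `/node:` and `process call create`, so routine administrative use of WMIC does not generate noise. In a real deployment these rules would be expressed in the SIEM or EDR query language and tuned against the hosts legitimately used for remote administration.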

All of which makes it essential that organisations combine user education with layered security controls. Visibility is the first step, requiring the IT team to have a clear view of all their hardware and software assets. Then it’s about enforcing policy through automated patch and vulnerability management to protect against known threats, and application control to mitigate zero day risks. Research suggests organisations typically take 102 days before patching, with 64% compromised by a zero-day threat. Consider privilege and identity management, ransomware remediation, and data encryption to further build out those layers of defence.  
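Visibility plus patch and vulnerability management, as described above, comes down to knowing what is installed where and how long a known fix has been left unapplied. The following is an added example, not code from the post or from Ivanti: it builds a patch-lag report from a constructed asset inventory (host names, product names, versions and dates are all made up for the illustration) and flags assets whose fix has been available longer than an assumed 30-day SLA. The 102-day figure quoted in the post is the kind of number this report would surface.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    hostname: str
    software: str
    installed: str          # version currently installed
    fixed: str              # lowest version that carries the fix for the known issue
    fix_released: date      # date the vendor fix became available
    patched_on: Optional[date]  # when the fix was applied, or None if still outstanding


# Constructed inventory; none of these hosts, products or dates are real.
INVENTORY: List[Asset] = [
    Asset("WS01", "OfficeSuite", "1.2.0", "1.2.5", date(2018, 1, 10), None),
    Asset("WS02", "OfficeSuite", "1.2.5", "1.2.5", date(2018, 1, 10), date(2018, 1, 20)),
    Asset("SRV01", "WebServer", "2.4.1", "2.4.3", date(2017, 12, 1), None),
    Asset("SRV02", "WebServer", "2.4.3", "2.4.3", date(2017, 12, 1), date(2018, 3, 15)),
]

SLA_DAYS = 30  # assumed patching SLA for this illustration


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically so 1.2.10 sorts after 1.2.5."""
    return tuple(int(part) for part in version.split("."))


def patch_lag_report(assets: List[Asset], today: date, sla_days: int = SLA_DAYS) -> List[Dict]:
    """One row per asset: is it still vulnerable, how many days the fix has been
    outstanding (or took to apply), and whether that exceeds the SLA."""
    rows = []
    for a in assets:
        vulnerable = version_tuple(a.installed) < version_tuple(a.fixed)
        # A still-vulnerable asset accrues lag up to today; a patched one stops at patch day.
        end = today if vulnerable or a.patched_on is None else a.patched_on
        lag_days = (end - a.fix_released).days
        rows.append({
            "hostname": a.hostname,
            "software": a.software,
            "vulnerable": vulnerable,
            "lag_days": lag_days,
            "sla_breach": lag_days > sla_days,
        })
    return rows


def summarise(rows: List[Dict]) -> Dict:
    """Roll the report up into the figures a security lead would ask for."""
    return {
        "assets": len(rows),
        "still_vulnerable": sorted(r["hostname"] for r in rows if r["vulnerable"]),
        "breached_sla": sorted(r["hostname"] for r in rows if r["sla_breach"]),
        "worst_lag_days": max(r["lag_days"] for r in rows) if rows else 0,
    }


if __name__ == "__main__":
    report = patch_lag_report(INVENTORY, today=date(2018, 4, 30))
    for row in report:
        print(row)
    print(summarise(report))
```

Passing `today` explicitly rather than reading the clock keeps the report reproducible, which matters when the same figures are reported to the board month after month. The `breached_sla` list deliberately includes hosts that were eventually patched but took longer than the SLA, since a process that misses its target and then catches up is still a process that needs fixing.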

There’s no silver bullet for this. But the good news is that by following industry best practices, you won’t go far wrong.  

Chris Goettl, Security Evangelist at Ivanti