During the first half of 2020, the FortiGuard Labs team found that evolving work environments and a greater reliance on personal devices presented new opportunities for cyber criminals to exploit enterprise networks.
By Renee Tarun, deputy CISO/ vice-president: information security at Fortinet
One method that threat actors have heavily relied on as of late is the creation of legitimate-looking phishing emails that can be used to tailor and launch attacks with ease.
While this is not a new tactic by any means, these types of social engineering attacks have only grown more sophisticated and damaging as employees continue to work remotely and remain isolated from their teams.
The need to mitigate insider threat risk
Whether they know it or not, employees can pose a significant risk to the security of enterprise networks and the data they hold.
Considering that 68% of organizations feel moderate to extremely vulnerable to insider attacks, as noted in a recent study, it’s clear just how significant this issue is. In addition to those that are considered malicious insiders, these threats can also be attributed to the group known as the “accidental insiders”.
According to this same study, security teams view falling victim to phishing attacks (38%) as the top cause for accidental insider threats, followed by spear phishing (21%), poor passwords (16%), and browsing of suspicious websites (7%). In other words, opening the door for cyber criminals can be as simple as clicking on a link or downloading a file without taking the time to determine whether or not it is legitimate.
Careless and negligent behaviours can have a lasting effect on organizations, especially in the case of a data breach. And with more employees working from home, unable to walk over to a co-worker’s desk to get their thoughts on a suspicious-looking email, these individuals are more likely to be susceptible to social engineering attacks.
With this in mind, it is more important than ever that CISOs prioritize their employees’ cybersecurity awareness to help them understand the role they play in keeping networks secure, and reducing the insider threat risk.
Creating a human firewall through a culture of security
Considering employees can be the best line of defence, it is crucial that CISOs protect their organizations by including employee education and awareness in their cybersecurity strategy. By embracing this technique, leaders can ensure the workforce is prepared to face the various threats.
Regardless of job titles or roles, all employees should understand the repercussions of a security event and how it could affect the organisation and them personally. The importance of this enterprise-wide strategic approach was highlighted in a 2019 Forbes Insights survey of over 200 CISOs. When asked which security initiatives they plan to prioritise in terms of funding over the next five years, 16% of respondents noted the creation of a culture of security.
While this is a step in the right direction, establishing a baseline for good cyber hygiene must begin with CISOs helping their employees take cybersecurity seriously. This can be achieved in the following ways:
* Prioritise cyber awareness training – Social engineering attacks are extremely prevalent across organisations simply because they work. In fact, Verizon’s 2019 Data Breach Investigations Report (DBIR) found that approximately one-third of all data breaches involved phishing in one way or another. To combat this risk, CISOs must educate their employees about common attacks that could appear in the form of phishing, spear phishing, smishing, or other tech support scams. Whether these lessons are provided through online meeting spaces, video chat, or email, they should be prioritised. Understanding these threats and their associated red flags will be critical in helping employees avoid falling victim to fake emails or malicious websites. In addition to teaching about common indicators of cyber scams (i.e., the promotion of “free” deals), these training offerings should also feature simulated phishing exercises designed to test knowledge and determine which employees might need more assistance. Through tactics such as these, employees will be better equipped to know when they are the target of a social engineering attack and can, therefore, act accordingly. Fortinet’s NSE Training Institute offers a free Information Security Awareness training service to educate employees about the increasing risks of cyberattacks and how to identify threats.
* Create a partnership between the security team and other departments – Cybersecurity cannot fall on the shoulders of the security and IT teams alone; especially as cyber threats continue to grow more sophisticated and challenging to detect. In addition to ensuring that employees can identify phishing attacks, leaders should also encourage collaboration between the security team and other departments. This means helping both sides understand expectations. While the security team will be the expert in terms of determining the risk and threats, other departments will be critical in helping to develop user-friendly policies that are easy to follow both in the office and in remote work environments, even for those who are not entirely cyber aware. Through collaborative efforts, CISOs can ensure that all individuals across the organisation are not only aware of security policies but also understand the impact their actions can have on the organisation as a whole. Helping employees understand safe cybersecurity practices and the ramifications their actions can have should lead to improvements in how these individuals respond when confronted with a suspicious email or website, even while working from home. When employees know what is expected and feel like they are a part of the team, they are more encouraged to follow best practices and help chip away at the behaviours that cause accidental insider issues, such as forgetting to change default passwords or neglecting to use strong passwords. And as more employees follow suit, the human firewall acting as the first line of defence to the organisation will only grow stronger.
* Establish straightforward best practices – Even once employees are made aware of what to look for in the case of a social engineering attack, they may still need some guidance when it comes to next steps. While it is easy to ignore or delete a suspicious-looking email, what about those that appear normal that the receiver is still unsure about? In this scenario, CISOs should encourage employees to ask themselves certain questions to help make the right judgment call: Do I know the sender? Was I expecting this email? Is this email invoking a strong emotion like excitement or fear? Am I being told to act with urgency? While these questions should help clear up any confusion in regards to whether the email is malicious, the receiver should still take extra steps to protect themselves and their organisation. This includes hovering over links to see if they are legitimate before clicking, not opening unexpected attachments, calling the sender to verify they actually sent the email, and reporting all suspicious emails to the IT or security team. By explaining these steps to their employees from the beginning, CISOs can avoid negative repercussions down the line.
The ability to be cyber aware is a critical piece of the puzzle when it comes to keeping organisations secure. Whether employees realise it or not, their actions could open the door for cyber criminals to access sensitive information, meaning passivity towards security is no longer acceptable.
By prioritising training and collaboration between departments and the security team, CISOs can lay the groundwork for a strong culture of security. Identifying suspicious behaviours, keeping devices up to date, and practicing safe cyber behaviour should be built into the fabric of all job roles to ensure that the human firewall continues to stand firm.