Can Awareness improve the Security Posture of a Modern Enterprise?
95% of Security Breaches have one common factor: Human Error which stems from Awareness. If we do the reverse math, Cyber-Aware Employees could have minimized 95% of all breaches; a fact important enough to establish the need for Employee Cyber Awareness forming a clear Business Requirement. The World is Not [Yet] capable of self-securing IT-Infrastructure and sustaining Information Security. Even if the best cyber security solutions and technology are deployed, the administration is still in the hands of humans; they are the ones to configure, maintain, upkeep and fine-tune and "To Err is Human." Making mistakes is a core part of the mortal's living experience - it is how we grow and learn. But in cyber security, these mistakes are often overlooked. Numerous successful security attacks from external hackers prey on mortals and their weakness to bait employees to unknowingly provide them with access to confidential or sensitive information. Human error can manifest in various ways: from having weak or easily guessable passwords to failing to install software security updates on time and turning over sensitive information to phishing emails. These mistakes can be expensive since they involve privileged insiders with access to the most confidential information. The most significant impact of successful security attacks involving insiders is theft of intellectual property, exposure of sensitive data, and the preface of malware. Most security threats that directly result from insiders are caused due to innocent mistakes rather than the vicious abuse of privileges. While there can be endless opportunities for human error, they can be categorized into skill-based human errors and decision-based human errors.
- Skill-Based Human Error The skill-based human error consists of minor mistakes while the end-users are performing everyday activities and tasks. In these scenarios, the end-user is conscious of the correct action that needs to be performed to avoid error but fails to do so due to brief lapse, mistake, or negligence. The primary cause is a distraction, not paying enough attention, or being tired.
- Decision-Based Human Error As the name suggests, decision-based errors are when a user makes a wrong decision. Several factors play into this: often, it includes the user not having the required level of knowledge, not having adequate information about the circumstance, or not even realizing that their inaction results in them deciding to do nothing about the situation.
Factors causing Human Error
Many factors come to play into a human makes a mistake, but most of them come down to these three: lack of Awareness, opportunity, and Environment.
- Lack Of Awareness A significant chunk of human errors is caused by end-users not being aware of what the right course of action is in the first place. If we consider an example, where the users aren't aware of the potential risk of phishing emails are far more likely to fall for phishing attacks, and someone who is not aware of the risks the public wi-fi networks possess will undoubtedly have their credentials harvested. We cannot wholly blame the user for the lack of knowledge - but should address this to ensure their end-users have the required knowledge and skills to keep themselves and the organization secure.
- Opportunity The opportunity is presented in the same tasks we perform on any day at work; there is always something to go right or wrong. The lack of know-how of what and how something can go wrong increases the chances of making mistakes. Use a simple math to quantify these opportunities; an organization of 1000 employees working 260 days a year performing 10 tasks on any typical day presents approx. 2.6 million opportunities translated to 13000 opportunities @0.05% wrong rate in a year, with 0.05% exploitation success rate, a hacker has 65 opportunities of Human error, meaning 65 successful attacks and a cost of a data breach can mount up to millions of dollars. It is evident; It is just a matter of when?
- Environment Several environmental factors can make errors more likely to occur. The workplace's physical environment can significantly influence the number of errors while performing specific tasks or activities. Factors such as temperature, privacy, noise level, and posture can contribute to a more mistake-prone environment within the office. The end-user feels uneasy and distracted, which can lead to the making of a mistake. In addition, culture plays a significant role in the Environment. Often end-users are aware of the right course of action for a situation but fail to carry it out because there is an easier way to do certain things, or maybe they misinterpret the importance of those things. For example, a culture where security practices take a backseat will become more prone to common errors, resulting in severe consequences. To secure an Enterprise, human errors can be carefully managed and prevented with continuous and relentless efforts. Of course, it is best to eliminate opportunities for errors as much as possible to achieve error-free processes. But the same cannot be achieved without educating the end-users on the correct actions and risks these errors possess. Therefore, it is imperative to approach human error from both sides to create an absolute defense strategy.
- Reduce the opportunities
- Workplace Ethics: Modifying your work practices, routines, and technologies to reduce the opportunity is the best way to start the mitigation efforts. While the path to achieving this depends on the organization's specific activities and environments, some standard guidelines are mentioned below to mitigate human error opportunities. It is worthwhile to deep dive, understand 'What level of security is enough?" and form a strategy and objective before attempting to alter Workplace Ethics.
- Identity and Access control: Identify and classify Data, ensure that only authorized users have access to the data and functionality absolutely required to perform their roles, and employ segregation of duties. Identity and Access Control Management dramatically reduces the amount of information exposed, limiting the damage even if the end-user commits an error that could lead to a cyber-attack or breach.
- Authentication Management: Credentials must be provided to prove the Identity based on something the entity is or knows or has. The use of passwords has changed how we live and interact with various systems. Passcodes to passwords to pass-phrases to biometrics, cost becomes the deciding factor on choosing the security requirement. Password-related mistakes are probably the most common human error risk. Applications such as Password manager allow users to create and store strong passwords without having trouble remembering them or risk writing them down on post-it notes. And it should be compulsory to use two-factor authentication across the organization to add an extra layer of protection to the end-user accounts.
- Change the Culture Many organizations thrive on Safety with a culture that is non-negotiable and is centered in every employee's thought processes. However, with the changing nature of doing business in the modern world, organizations must also include security in the organizational design and practices, which is the key to reducing human error. In a security-oriented culture, security is derived based on risk and is a priority consideration in every decision-making, and end-users will actively look out for and discuss security-related issues as they encounter them. There are several things we can do to help build a security-oriented culture in an organization. Such a thought process is a cornerstone that can change the way an organization functions.
- Encourage discussion: The best way to ensure that security stays at the forefront in an organization is to get people talking about it. Threats can be identified by discussing topics on security and ensuring that they are relevant to the end user's day-to-day work practices to help them engage and be motivated to pursue security concepts. This will also encourage them to see what they can do to help keep up the organization's security and keep security attacks and breaches at bay.
- Make it easy to ask questions: The end-users probably come across situations where they are unsure of the security implications as part of the learning process. In these situations, it's always wise to consult a subject matter expert rather than making the wrong choice by themselves and risking the organization's security. Therefore, ensuring that a cyber security expert is always available to answer any question from end-users in a friendly manner and rewarding users who bring up good questions will undoubtedly positively impact.
- Address lack of knowledge with Training: While reducing the opportunities for error is vital for the organization, approach root causes from a human perspective. For example, educating employees on security basics and best practices allows them to make better decisions and keep security as a priority in their mind, and seek further guidance when they're not sure what the consequences of specific actions are.
- Train employees on all core security topics: human error can manifest in many ways; continuously training them on various threats and imparting the essential security know-how relevant to their day-to-day work activities can improve human efficiency, security throughput and build organizational resilience. Threats emanating from the use of the internet, email, social media, phishing, and malware training are just some of the general topics that Training should cover.
- Training must be engaging and relevant: The employees have limited attention spans and need to ensure that their Training is engaging and interesting. Using images and video content in interactive training courses is far more effective than hour-long PowerPoint sessions. Training should not come in yearly sessions, which the employees forget a week later if they are not provided with hands-on exercises regularly throughout their work life. Using Cyber Security Solutions to simulate attack scenarios and involving employees in identifying and thinking of possible alternatives to respond in such situations should be the ideal intent of such a Cyber Awareness Training Program.
When prioritized as an organization-wide requirement, a well-structured Cyber Awareness Program is the need of the hour to attain the desired goals. However, like any other business requirement, Training also has to justify with the help of a Business case. In simple terms: latest "Cost of a Data Breach 2021" – an IBM Report pegs the global average total cost of a data breach at $ 4.24 Million. According to another report; Small and Medium Businesses might go out of business in a few months after being hacked. Below are a few more alarming facts.
- A Proofpoint Risk report outlines – 45% of US workers trusts Public Wi-fi
- 14% of workers in the UK have unlocked smartphones
- Many workers share organization-issued computers with family and friends
- Kaspersky's report on IT Security Economics confirms the root cause of 50% of the reported incidents from SMBs as Inappropriate IT Resource Use by an employee.'
- As per Netwrix 2020 Cyberthreat Report, more than 50% of organizations report that employees ignore cybersecurity guidelines.
- A Google/Harris Poll Study confirms that more than 50% of adult users have and share their guessable weak passwords.
- Ponemon in their State of Password and Authentication Security Behaviors Reported IT Professionals are the worst offenders. It's a straightforward and reasonable business case for any chief executive. Such a Cyber Awareness Program should be tasked as an Enterprise Risk Management objective in line with Information Security Management. Once prioritized, the organization should bring in Cyber Security Expert Consultants to formulate the Purpose, Objective, desired outcomes, and a Cyber Security and Risk Governance Plan. Many of the CISOs would agree that a mere presence of a Security Team is not an answer for a holistic Enterprise Cyber Security as security staff struggled to contain sophisticated cyber-attacks despite a well-equipped infrastructure with the latest tools to secure it. Employee Cyber Awareness and Training remains a prime challenge for security teams across many organizations. Enterprises procure modern security gear to protect their businesses from cybercriminals. However, they fail to train their workforce with the technical know-how of the tools procured for their defense unless businesses expect "commercial pilots" to fly "fighter jets" with the same ease and finesse. It's a fair argument that human error is not considered a cause for many types of cyberattacks, but the human presence can never be eliminated from any cyberattack equation, and that human intelligence is the best defense against any malicious activity on the internet, says Cofense's Annual Phishing Report-2019
Define Enterprise Security Goals
Before attempting any Cyber Awareness Training, it is imperative to have Enterprise Security Goals defined and agreed upon as one of the most critical aspects that every Business Leader can accept, acknowledge, and comply. Unfortunately, many Organizations have goals disintegrated and distorted away from Cyber Security only to fall prey to breaches due to the lack of Awareness. Technology is upgrading itself at a speed that any organization cannot measure, and so are the attacks. Today, enterprises need sophisticated tools and expert training to use those tools for a defense to outpace the attacks. Such employee training programs make them better equipped and confident to recognize and red flags. This will, in turn, reduce cyber breaches. In recent times, companies have been eager to avail themselves of "cyber insurance" along with "health insurance." However, it is observed that such insurance policies often include employee training funds that can be used for security training. Such monetary funds can genuinely help enterprises arrange security training without which they leave the business vulnerable to high risks and threats by every minute.
Planning for a Cyber Security Awareness Training Program
The Cyber Security Awareness Training design should be based on the Enterprise Risk Assessment outcome, which accounts for all plausible cyber threats that an organization is vulnerable to. It is worthwhile to note that Cyber Security Awareness is not about tools and technology such as firewalls, anti-virus, data, and endpoint protection. Still, it's all employees' knowledge about various risks and threats an organization is exposed to and build resilience against them. A successful Cyber Awareness Training Program should contain the following steps.
- Define Enterprise Risk Profile Each attribute brings a unique set of challenges as the requirements they need to cater to differ at large. Once defined, Business, Employee, and Work profile attributes are to be categorized based on the collective risks they are exposed to. A good security risk management or cyber security expert can help qualify and assess the severity and allocate priorities at the Enterprise level.
- Strategy Based Training Once all the risks are identified, the business executives will identify the topmost risks the Enterprise faces and adopt a strategy to mitigate them via awareness training. There may be more than a few risks at the enterprise level; however, it's best to combine the risks into training categories to help address them collectively. A Cost-Benefit Analysis can help evaluate further options. The strategy would be to define to what extent the risk can be minimized and at what cost. For example, it may be costly to deploy an efficient email security solution immediately. Instead, training the email users to be fully aware of different types of phishing and social engineering attacks and preparing them with response methods would be far more effective.
- Define Success Criteria Security training can be an expensive affair for the management, but it can be worth the spend when backed by a well-defined ROI or success criteria. First, decide who needs the Training and why, how the security training will address critical issues for the business. For instance, you can design a simulation to reduce phishing cyber risk.
- Send a fake phishing email with a bogus link in it to all employees.
- At the same time, track if the security engineers were able to flag the phishing attack.
- Track how many of them opened the email and even clicked on the link.
- Track the time taken for security engineers to pick the attack and mitigate it.
- Simulation results will explain how many employees adhere to policies and procedures.
- On the other hand, Security engineers will understand the gaps in the system that need to be addressed. Simulation is just one of the various other low-cost techniques such as audio and video training; quizzing the workforce with attractive prizes can also be a great way to give them a short break with a game. Furthermore, awareness training is an alternative to enterprise security solutions such as Endpoint Detection and Response or Extended Detection and Response or any promising SIEM solution that enhances the organization's overall security posture in the long run.
- Evaluate Training Options Based on the success criteria definition, the organization should choose the best Training mode apt to address the identified risks. For example, a Fire and Safety demonstration and hands-on is more appropriate for a Physical Security Risk. On the other hand, an email phishing simulation is best for social engineering risk. The intent of the Training should be to aim towards improving the employees' risk awareness and the ability to comprehend when risk is materializing in a real-time scenario and respond effectively and efficiently.
- Ensure Training Compliance To ensure the Awareness Training is being adopted across the Enterprise, one of the organization's senior executives has to be sponsored and socialized and walk the talk. In a Top-Down Approach, all the seniors would spread the Awareness Training need and curriculum to their immediate team members and follow through. Other ways to adhere to compliance are as below
- As a part of Work Procedure - Mandatory and Recurring
- Annual Learning Requirement based on simulation failure incidents.
- Hall of fame Incentives included in the appraisal
- Included in the Employee Performance Dashboard
- Effectiveness and Continuous Improvement Any cyber awareness training program is only considered effective when measured against the organizational goals. Training effectiveness measurement supports and validates the business case and must be reviewed with all business owners for training compliance. The measurement process also can extract feedback and user behavior analytics providing essential insights into security perception at the organizational level. With Cyber Security Awareness Training, organizations have improved their stand to identify and mitigate actual cyber-attacks for 80% of the time than before. Technology is ever-evolving, and so is the attack surface and its sophistication. Depending upon the extent of Business dependency on infrastructure and its sustenance, It is advisable to constantly map the Training needs to the risks faced by the evolving business and continue such Training twice or thrice a year with a cyber risk protection mindset for a better and mature workforce who runs the businesses for you.
Cyber Awareness and Training is a profound Cultural Shift and requires Executive Sponsorship and Drive. Committing to such an organizational change event calls for funding in the long run and requires consistent emphasis. FnCyber has the right mix of potential and delivery excellence to partner in such great journeys. FnCyber thrives on building cybersecurity functional resilience and practices cyber Awareness as its core discipline only to Improve the Security Posture of any Modern Enterprise.