Insights from Baan Alsinawi
By: Hunter Barrat, Technical Writer and Editor at Cerberus Sentinel
The Cybersecurity Awareness Month 2022 theme is “See yourself in cyber.” The goal is to ensure that everyone understands that they have a crucial role in protecting themselves and their workplaces by making smart cybersecurity decisions at work and home.
Organizations frequently use some method of security awareness training to educate their employees on how to recognize and prevent cyber threats they face from both external and internal sources. But it seems like staff aren’t getting the message: one particularly worrisome sign is that ransomware attacks are on the rise, and according to CSO Online, phishing spiked by 510% from January to February 2020.
I sat down with Baan Alsinawi, Managing Director at Cerberus, for her insights on security awareness training and how it fits in to an effective risk management program.
Q. I did a quick Google search on security awareness training, and the top results said that it wasn’t really effective because staff hate taking it. Given this, why do you think it’s important for organizations to have their employees go through security awareness training?
A. It’s important for several reasons—here are two. First, staff really need to know how to spot potential phishing emails and other scams. Unfortunately, most successful attacks start with employees falling for a social engineering campaign. That’s why everyone in your company, regardless of position or title, should receive training that educates them on how to recognize these phishing attempts. It only takes one person to click on that link or download that attachment to give a hacker entry into the company’s network. It’s also important that staff be aware of more mundane dangers, such as accidentally sending important emails or documents to the wrong person because they didn’t double check the name that was auto-filled in the To: line. And though it’s hard to believe a fellow employee could do this, insider threats are also a risk, with coworkers using their authorized access to their company’s networks and systems to leak sensitive information, steal intellectual property, or sabotage the company’s infrastructure.
And second, many regulatory frameworks have security awareness training requirements that companies need to follow: HIPAA, PCI, SOC2, SOX, COBIT, and ISO 17799, to name a few. And of course, NIST Special Publication (SP) 800-53 and the SPs based on it, such as SP 800-171, have an entire control family, Awareness and Training (AT), that affects other frameworks based on those guidelines, such as the upcoming CMMC 2.0. So organizations are required to show that their staff are taking this training to remain compliant with their industry regulations and pass their audits.
Q. If it’s so important, why don’t employees take it more seriously? And what type of training do you think would be more effective?
A. Let’s face it—as with most things, you get what you pay for. A lot of the training out there is boring—a poorly made video of a talking head droning away in front of what feels like an endless list of bullet points. It also tends to be pretty general and not relevant or specific to the company or industry where the employees work or to the different roles people have in their company. And the company’s management may not be fully invested in its importance, with, for example, it coming from the HR department instead of the IT or information security department, or those in the C-suite not being required to participate. And it’s often pushed out once a year and then not reinforced on a regular basis.
So what’s better? Well, cost is a legitimate concern. But falling victim to a ransomware attack or data breach is catastrophically expensive, so investing in quality training is worth it. There are some professionally produced videos that are more engaging, with actors going through a typical scenario, or modules that use gaming techniques, such as escape rooms or virtual reality adventures. And hiring an expert to deliver training that is customized to the company is also a good option. The trainers can use actual situations that staff can relate to and include role-based sessions with hands-on exercises. Company staff can then follow up, say once a quarter, to reinforce the concepts.
And probably the most effective? To reword that old adage, tell your employees about how to recognize a phishing attempt, and they might think about it for a day. Send your employees regular and random realistic phishing emails and track who clicks on the links and who reports the attempt and then debrief everyone on the results, and they’ll think about it every day. Staff should also know how to report a suspected phishing attempt—clearly define your organization’s resources for reporting cyberthreats, such as providing IT and cybersecurity department personnel email addresses and phone numbers or having a button at the top of your Outlook that employees can click on to report an attempt.
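The click-and-report tracking described in this answer, as an added example that is not part of the interview: a Python scorer that turns a simulated-phishing campaign's event log into the numbers a debrief needs (click rate, report rate, time to report, and who to follow up with). The event format, user names and timestamps are constructed assumptions, not data from any real campaign or tool; a user who clicks and then reports is counted as a partial success, because the report still gives the security team early warning.

```python
"""Score a simulated-phishing campaign from a constructed event log."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events for a hypothetical campaign: (user, action, ISO timestamp).
# Actions: "sent" (mail delivered), "clicked" (link followed), "reported" (user reported it).
EVENTS = [
    ("alice", "sent", "2022-10-03T09:00:00"), ("alice", "reported", "2022-10-03T09:04:00"),
    ("bob", "sent", "2022-10-03T09:00:00"), ("bob", "clicked", "2022-10-03T09:10:00"),
    ("carol", "sent", "2022-10-03T09:00:00"), ("carol", "clicked", "2022-10-03T09:02:00"),
    ("carol", "reported", "2022-10-03T09:03:00"),
    ("dave", "sent", "2022-10-03T09:00:00"),
]


def score_campaign(events):
    """Classify each recipient's outcome and aggregate campaign-level metrics."""
    per_user = defaultdict(dict)
    for user, action, when in events:
        per_user[user][action] = datetime.fromisoformat(when)

    outcomes = {}
    report_delays_min = []
    for user, acts in per_user.items():
        clicked, reported = "clicked" in acts, "reported" in acts
        if reported:
            # Minutes from delivery to report: the detection-speed metric worth trending.
            report_delays_min.append((acts["reported"] - acts["sent"]).total_seconds() / 60)
        if clicked and reported:
            outcomes[user] = "clicked_then_reported"  # partial success: still gave warning
        elif clicked:
            outcomes[user] = "clicked"                # silent click: needs a debrief
        elif reported:
            outcomes[user] = "reported"               # desired behaviour
        else:
            outcomes[user] = "ignored"                # neither clicked nor reported

    recipients = len(per_user)
    clicks = sum(1 for o in outcomes.values() if o.startswith("clicked"))
    reports = sum(1 for o in outcomes.values() if "reported" in o)
    return {
        "recipients": recipients,
        "click_rate": clicks / recipients,
        "report_rate": reports / recipients,
        "median_minutes_to_report": median(report_delays_min) if report_delays_min else None,
        "outcomes": outcomes,
        # Silent clickers are the follow-up list; everyone else just gets the group results.
        "debrief": sorted(u for u, o in outcomes.items() if o == "clicked"),
    }


if __name__ == "__main__":
    print(score_campaign(EVENTS))
```

Tracking the report rate alongside the click rate is what shows whether the training is changing behaviour; a falling click rate with a flat report rate means people are ignoring, not recognizing, the lures.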
Q. OK, awareness training is just one part of an effective risk management program. What are the others?
A. There are countless ways that cybercrooks attempt to exploit an enterprise’s vulnerabilities and weaknesses. They use the most sophisticated tools—often the same ones that companies’ information security teams use to protect themselves. And once they gain access, they can stay hidden for weeks or even months until they determine the best time to strike. The news is full of such breaches—the Colonial Pipeline and SolarWinds attacks in 2021 instantly come to mind. So it is very likely that every organization will be attacked—it’s really more of a when than an if.
There’s no easy solution to the problem. It takes hard work, taking preventive and proactive steps, and having layers of defense in place. I strongly suggest organizations of all sizes and in all sectors implement these best practices:
- Have effective auditing and alerting in place and an up-to-date incident response plan, with trained and ready resources that can instantly pivot to manage and contain the incident.
- Know where your corporate assets are, make sure approved traffic is whitelisted, and ensure software patching is always up to date or compensating controls are in place to protect where patching is not possible.
- Every day, back up and duplicate data and files so they are retrievable if your systems are compromised or attacked with ransomware.
- Install and update antivirus, network firewall, and data encryption tools to scan for and counteract viruses and harmful programs.
- Secure mobile devices that access your computer systems and networks as these are the most vulnerable entry points.
- Require your employees to use multifactor authentication (MFA) to access your computer system or network and to regularly update their passwords.
- Set clear policies and rules of behavior about using corporate assets for personal use and manage data leakage effectively.
- Invest in cyber insurance policies. They are your friend.
- Test your environment using threat hunting techniques to be one step ahead of the hackers; these techniques can help you discover your weaknesses so you can mitigate them.
- Look to independent resources to assess your security posture. Begin with a gap analysis and then implement the recommended changes to shore up your security posture.
To sum it all up: Your staff should learn security best practices, through the best security awareness training your organization can afford, and work to implement these cyber hygiene fundamentals into their daily routines. Make it a priority to put in place a robust cybersecurity risk management program that includes continuous monitoring, alerting, and an effective incident response and communication plan. The threat of being subject to a cyber attack is very real, but defending your enterprise by taking these preventive and proactive measures gives you a fighting chance of containing and/or minimizing the damage.