Human Risk and the Impact of Security Awareness Training
Many of us travel for work, and as such, we must connect to a number of untrusted networks in order to stay on top of things. These public networks, while seemingly non-threatening, can be a hostile environment with malicious users seeking to extract any sensitive data they can, such as credit card information, personal information, and passwords. Some may say that this is unlikely and that if there was a malicious user on a public network, they would be protected with the use of encrypted services. However, I would argue that this is not the case at all. Often adverse agents will use “passive” monitoring techniques to intercept data being sent over the network. This can be accomplished with any packet sniffing tool but will only allow an attacker to see traffic that is “in the clear” or unencrypted. If an attacker intends to intercept data transported via TLS, SSL, HTTPS, or from encrypted services like Gmail, Slack, or Dropbox, they need a way to subvert the in-transport data protection mechanisms.
One of the most common methods an attacker can utilize to defeat transport encryption is a Man-in-the-Middle (MIM) attack. At a high level, an attacker can sit in-between a target user and the secure service they are communicating with, break the established secure connection between the user and the service, and force unencrypted clear-text communication of information back to the victim – data that can be easily captured by the attacker. This all happens in the background, almost seamless to the user. In such an attack, the only noticeable difference is likely to be the use of “http” vs. “https” in the address bar of a browser or a missing lock icon, which is likely not enough of a warning to alert the user to what is happening unless they have been trained to detect such an event.
If users do not understand basic attacks that can deceive them into letting attackers through the front door, it is bound to happen and remains a legitimate concern for their organization. Human risk is difficult to mitigate, even though it is one of the easiest and most common weaknesses for an attacker to exploit. Organizations are realizing this, and rethinking how they provide security awareness training to their employees. Security Awareness has long been a compliance-based necessity, but more and more organizations are reaching beyond compliance and trying to achieve best practice standards.
Educating your employees on common cyber threats like SSL spoofing, phishing attacks, and social engineering can reduce your organization’s human risk level. According to Forbes magazine, in 2015, companies spent $1 billion annually on security awareness training in attempts to reduce human risk. When combined with testing procedures to collect relevant metrics, a security awareness program can have very real, tangible effects on your organization’s overall risk. However, building out an effective, mature, security awareness program is not a small undertaking. Understanding what training to provide to particular employees, and how to then test them to ensure they are able to apply the information can be difficult and time-consuming. As organizations begin to recognize the value in addressing human risk, the need to implement security awareness capabilities programmatically and strategically becomes ever more necessary. Approximately 70% of cyber attacks use a combination of phishing and hacking techniques, with the increase in technical security and hardened defenses, end users are proving to be easy targets for attackers.
If your organization is struggling with controlling human risk and implementing an effective security awareness program to do so, CyberSheath can assist you in constructing a program to train your employees on a variety of security topics in order to enable a broad security mindset, and address behavioral risks as they relate to security and ultimately reduce the number of security events due to human risk. We provide services that assist clients in building and maintaining security awareness programs that not only meet compliance requirements but go above and beyond to impact an organization’s human risk level through effective policy/program design, implementation and a proven metrics framework.