People Are Your Weakest Link
If your organization believes that People are your greatest security weakness, then you, like many other organizations, likely test your employees on a regular basis to spot phishing emails, follow proper protocols when “vendors” show up at the door unexpectedly, or keep confidential information safe when talking on the phone. If this is the case, what steps does your organization take after an employee fails a Social Engineering Test? Do you have a conversation with the employee? Are they held accountable in some way? Are they rewarded for successfully passing a test and properly reporting the attempted incident or suspected phishing email? Or, like many organizations do you do nothing? If your answer is nothing, it’s time we talked about why holding your people accountable will lead to a stronger security culture.
To start, let’s ask a different question. If your organization caught an employee skimming money or stealing confidential information, what would you do? To that same extent, what do you believe would be a more impactful threat to your organization - internal fraud or someone clicking on a phishing email and downloading malware onto your network? Many organizations are quick to terminate for fraud and quick to make excuses for failing a Social Engineering Test. They often say things like “Cybersecurity is a new concept; they didn’t know any better.” Or worse yet, “That’s just (Insert employee name). He fails every year, but it’s not a big deal.” Still, according to the 2017 Data Breach Investigation Report by from Verizon, 66% of malware linked to data breaches or other incidents was installed via a malicious e-mail attachment. If you don’t want a breach at your organization, training and testing must be considered a critical item. Furthermore, action must be taken after the testing is complete to hold our employees accountable and instill the seriousness of what could happen if the test had not been merely a test.
Almost a year ago, Jon Waldman, Executive Vice President of Information Security Consulting for SBS Cybersecurity published an article titled “Testing Your People – Creating A Culture of Security.” Please take a few minutes to read this article, as it will be the basis for the rest of this post. You can find the article here: https://sbscyber.com/resources/testing-your-people-creating-a-culture-of-security.
The three key points in the aforementioned article are to
- Test your people
- Create a culture of security
- Don’t create a fear of security
In our experience, many organizations fall short when it comes to point #2 because they fear offending or alienating co-workers. So how do we create a culture of security without a total fear of that security? By developing a robust Security Awareness Program with a system of rewards and potential penalties for social engineering tests.
Reward the Best-Case Scenario
Let’s go back to the diagram from the previous article. If we want to create a truly robust program, we need to develop a reward or penalty for both the best-case scenario (Ignore + Report) and the worst-case scenario (Cover It Up). Let’s start with the Ignore and Ignore + Report end points from the diagram.
The key in a good Security Awareness Program is to convince employees to take the extra step. What incentive will encourage them to go from the “neutral” option of simply ignoring or deleting a suspicious email or activity and get to the “Good” option of “Ignore + Report”? Organizations should consider ways they can reinforce the positive behavior. One potential positive-reinforcement method is a points system. With each successful Ignore + Report, the employee earns “points.” Those points could be spent on company branded clothing, casual/dress-down days, bonus vacation days, or food. Alternatively, you may also consider tying the positive Ignore + Report behavior to an employee’s annual review, which may include provisions for a raise or a bonus structure.
Hold People Accountable For The Worst-Case Scenario
Now let’s circle back around to the Click/Download Chain. The worst-case scenario from a Social Engineering Test is to have an employee fall under the “Bad” option of “Cover it Up.” According to the 2017 Verizon Data Breach Investigation Report, time-to-discovery after a data breach is often months or even years. The reason for this is many networks are configured to keep bad guys out, but we aren’t great at detecting them once they are inside.
Therefore, it’s critical to train employees to report all manners of attack – successful (if you clicked on something) or failed (if you deleted that email, but you think it was a phish). Once again, what incentives will take an employee from the “Bad” or “Cover It Up” to the neutral of “Report”? Once again, we have two options: positive reinforcement or negative reinforcement. As an organization, you should consider both.
If the employee stays on the “Bad” end of the spectrum, the organization should strongly consider negatively reinforcing the action. Some ideas for penalties may include requiring additional training, losing a vacation day, working an extra Saturday, unpaid leave, or even potentially termination (if the behavior persists). If the employee goes to the “Neutral” end point, work towards the positive. Getting back to Neutral may be considered a “Get out of Jail Free” card. You might also consider similar rewards as the “Ignore + Report” column but on a smaller scale.
Creating A Culture Of Security
An example of the “points” system mentioned above may look like the following: a “Good” behavior is worth two (2) points, a “Neutral” behavior is worth one (1) point, and “Bad” behavior is worth negative one (-1) point. Then offer different rewards and penalties based on the total points an employee has earned. You may even hold employees to a certain standard of “acceptable risk,” depending on how often you test your people. For example, if an employee ends up with negative points for the year, you may want to consider taking further action with that employee. Conversely, you can set a goal for which employees may strive and compete. The first employee to +10 points on the year wins a valuable prize!
The moral of the story is that we must work towards holding our employees accountable for performing actions or behaviors that could potentially cause our organizations great harm. An employee skimming a few hundred dollars from a drawer will not cause our business to close its doors, but an employee clicking on an email that lets a hacker into our network could very well spell the end of your business. Create a culture of security that holds everyone accountable, and you will see a dramatic increase in the way your employees respond to Social Engineering Tests.
Written by: Jeff Dice
Information Security Consultant
At SBS, we want to help make sure you are building a culture of security at your organization. SBS has always had a training and education focus, and we’d be happy to help provide some cybersecurity training to your People. Additionally, SBS has partnered with KnowBe4 to provide your organization with the ability to test your People through automated phishing email assessments. For more tips on building a cybersecurity culture at your organization, take a look at the 10 Key Ideas to Build a Cybersecurity Culture infographic.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.