Every high-profile hack reminds C-suite executives of the stakes involved in their cybersecurity program. Then the budget swells for the task of safeguarding a company’s data, even as senior management frequently don’t have the expertise to decide how best to prioritize the various elements of a program.
It becomes easier to hire a small army of vendors – each with their own promise of additional layers of security – without knowing whether vulnerabilities remain, even after all that time and expense.
The reality is that there will always be vulnerabilities, because the weakest link of any program is the employee who ends up clicking on the wrong email and unlocking the whole system for an intruder.
Cybersecurity efforts consequently need to begin with the end user in mind. This means a security awareness program stands at the center of any effort, with regular training and testing of employees. In case that employee still clicks on a suspicious link, there should be an incident response plan to prepare for a worst-case scenario.
There should also be advanced endpoint protection in place to ensure that any breach caused by a user is contained. In addition to that, IT departments should log and monitor to stay vigilant for potential threats.
According to Verizon’s 2017 Data Breach Investigations Report, 43 percent of breaches begin from social attacks (attacks based on the human element), with 90 percent of those employing some variety of phishing. In short, employees can make the most robust cybersecurity programs irrelevant by inviting the hacker into the system by clicking on an unknown email.
Experts say that is often due to an insufficient security awareness program. The best programs involve an assessment of the current set-up, training that is tailored to an employee’s unique learning capability and testing of that awareness on an ongoing basis.
The first step is to evaluate the efficacy of the current awareness effort through tests, including mock phishing exercises, and by examining recent employee activity. “Ask yourself how many times users have inadvertently introduced malware into the environment by visiting a malicious website or attaching removable media to company machines. Did they notify IT, or was the malware found via detective technical controls?” says Candice Moschell of Crowe Horwath. “Understanding the root cause of your incidents can reveal potential program gaps.”
A survey of employees’ security awareness can also highlight frequent gaps in knowledge, which can then become a key topic of subsequent training initiatives. Experts warn that these surveys reveal a shocking lack of knowledge on the part of employees, but can also give any future training effort real focus.
After the survey is complete and the results reviewed, experts stress the need to create a risk-based approach to training. “Employees who pose a higher risk for cybersecurity, either through business function or through lack of education, should be trained more frequently,” says Moschell. For example, HR staff are frequently targeted by phishing scams due to their access to high value personal information. Accounting staff can also be frequent targets due to their access to financial information.
Once employees are prioritized by risk, the training effort needs to be further tailored to the unique learning styles of the employees. Cybersecurity experts caution against one-size-fits-all programs, with a reliance on slide deck-driven, computer-based training.
FOUR WAYS TO MITIGATE CYBER-RISK
Test and train: Take the time to survey employees’ security awareness and develop a training program that addresses those who have access to sensitive information or seem likely to click on that anonymous email.
Develop incident response plans: Include any relevant non-IT staff who might play a role in responding to the fallout from an attack.
Employ advanced endpoint protection: Research and test these extra safeguards to protect a company’s highest value data.
Upgrade logging and monitoring efforts: Comprehensively log and monitor normal activity to better identify anomalies when they arise.
Instead, awareness training should include some mix of more proven methodologies. One is mixing mediums through a combination of videos, social media and personalized emails. Two, the gamification of training, such as offering security versions of classic games like Jeopardy or Balloon Pop, has proven to tap into intrinsic physiological responses that motivate staff. Three, security issues can be translated to the real world with examples drawn from employees’ personal lives, which further instills the lessons in their thinking.
That training should be followed up with another survey of security awareness, within six months of the initial training effort. But the evaluation shouldn’t end there. “The most common gap in cybersecurity awareness training programs is the lack of testing employees as it relates to phishing,” says Chris Wilkinson of Crowe Horwath. “So the IT staff or an outside vendor should do phishing testing, as there are tools out there that provide this functionality, to see how employees will react.”
Wilkinson noted that some organizations are rewarding those employees who do the right thing and notify the appropriate party of the suspicious email. “This encourages a culture within the company of being diligent in inspecting email contents and reporting suspicious activity,” says Wilkinson.
Tracking the metrics of such exercises can also shape further training sessions, as it will identify employees who habitually lag on awareness issues, and determine if a company’s security awareness is actually improving.
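Tracking those metrics in practice, as an added example that is not from the article or from any vendor's phishing-test tooling: the script below takes constructed per-recipient results from two simulated campaigns (campaign names and users are made up) and computes the click rate and report rate per campaign, lists the repeat clickers who habitually lag, and reports whether awareness is trending in the right direction.

```python
"""Phishing-simulation metrics: click rate, report rate, repeat clickers, trend.

Added example, not from the article. The campaign records below are
constructed; real phishing-test tools export similar per-recipient results.
"""
from collections import defaultdict

# Constructed sample: one record per recipient per campaign.
CAMPAIGNS = {
    "2017-Q1": [
        {"user": "alice", "clicked": True,  "reported": False},
        {"user": "bob",   "clicked": True,  "reported": False},
        {"user": "carol", "clicked": False, "reported": True},
        {"user": "dave",  "clicked": False, "reported": False},
    ],
    "2017-Q3": [
        {"user": "alice", "clicked": True,  "reported": False},
        {"user": "bob",   "clicked": False, "reported": True},
        {"user": "carol", "clicked": False, "reported": True},
        {"user": "dave",  "clicked": False, "reported": True},
    ],
}

def campaign_rates(records):
    """Return (click_rate, report_rate) as fractions of all recipients."""
    n = len(records)
    clicked = sum(1 for r in records if r["clicked"])
    reported = sum(1 for r in records if r["reported"])
    return clicked / n, reported / n

def repeat_clickers(campaigns, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: the habitual laggards."""
    counts = defaultdict(int)
    for records in campaigns.values():
        for r in records:
            if r["clicked"]:
                counts[r["user"]] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)

def trend(campaigns):
    """(campaign, click_rate, report_rate) in campaign order, for trend review."""
    return [(name, *campaign_rates(recs)) for name, recs in sorted(campaigns.items())]

def is_improving(campaigns):
    """True when the click rate fell and the report rate rose from first to last campaign."""
    t = trend(campaigns)
    if len(t) < 2:
        return False
    _, c0, r0 = t[0]
    _, c1, r1 = t[-1]
    return c1 < c0 and r1 > r0

if __name__ == "__main__":
    for name, c, r in trend(CAMPAIGNS):
        print(f"{name}: click {c:.0%}, report {r:.0%}")
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
    print("improving:", is_improving(CAMPAIGNS))
```

The report rate matters as much as the click rate: the reward-for-reporting culture Wilkinson describes shows up as a rising report rate even when the click rate has plateaued.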
Even if employees score off the charts in security awareness, that doesn’t prevent momentary lapses in judgment, not to mention the threats that don’t require clicking the wrong link. Therefore, another key element of a cybersecurity program is the development of incident response plans, so the organization knows what to do in the event of a breach.
This requires an assessment of the biggest risks for a particular organization. One IT expert inside a large corporation stressed the need to focus on the most sensitive data a company has within its network, whether that is personal details such as social security or credit card numbers, or banking information for individual investors. There can’t be a plan for every eventuality, but there can be a set of processes for likely ones that would target the data a company is most concerned about compromising.
Some common incidents worth planning for include malware outbreaks, denial of service attacks, web defacements, account compromises, internal privilege misuses and third-party breaches. One IT chief argues that the key elements of this plan are procedures for containment and eradication before anything else, to limit the damage of a given breach, even if its impact has already been felt.
Impacts to consider include outage of a customer-facing website; sensitive company information publicly available online; a news headline featuring a security lapse; or a third-party notification, such as law enforcement or an internet service provider. Those impacts should dictate who contributes to that incident response plan. “Information security and IT will take the lead in developing a response plan,” says Wilkinson. “But depending on the kind of incident, legal, marketing, external affairs and business units will also play a role.”
This requires periodic verification, so that each group is aware of its responsibilities in the event of a breach. Any room for interpretation in these duties might lead to scrambling and responses that make the breach even worse.
Thankfully, there have been advances in cybersecurity tools to help prevent a company from having to execute any of those worst-case scenario plans. Advanced endpoint protection solutions, commonly known as endpoint detection and response (EDR), can improve a company’s ability to detect and respond to outsider and insider threats by supplementing traditional signature-based technologies with richer behavior-based anomaly detection and visibility across all endpoints.
To achieve this type of visibility and protection, an organization must determine what assets it wishes to protect and what integration value the EDRs can provide. Again, it’s a matter of determining the highest risk areas and making them a priority for protection. Organizations should evaluate multiple EDRs and perform a cost/benefit analysis to determine the one that best fits the organization.
LOGS AND WATCHDOGS
Most end users won’t be aware of these additional protections, but some IT staff will face limits on what they can install and what programs they use. “Advanced endpoint protection, especially whitelisting solutions, can restrict the installation of software and the execution of arbitrary programs that have not been approved and deployed by the IT or Info Sec departments,” says Wilkinson. So, it’s important to work closely with the internal staff as EDRs are installed to avoid any hiccups.
It stands to reason that the better view an IT staff has of ordinary functions, the swifter they can recognize any suspicious activity. The security information and event management (SIEM) solution becomes a central point for all security events and alerts as well as operational events and alerts. While other tools will be used for visibility and deep dives into data and systems, investigation efforts all start at the SIEM.
However, experts note that the most mature organizations also integrate operational logging and monitoring to provide additional context to both operational and security-relevant events. Additionally, the best cybersecurity programs build and maintain activity baselines that alert on anomalous activity within the environment. These baselines provide alerts and insight into activity that may not be malicious in nature, but represents a change in what is “normal.” “This type of detection can be invaluable in early detection of a breach or of an impending operational issue,” says Moschell.
In a best-case scenario, a mature logging and monitoring program incorporates logs from the various layers of technology, including servers, workstations, databases, network and applications.
“This information should be aggregated into a single location and correlated for activity that needs to be investigated, thus giving companies greater visibility into what is happening on their system,” says Wilkinson. “Mature organizations are leveraging security assessments such as penetration testing to test the effectiveness of the program and improve alert settings to incorporate more advanced levels of attacks.”
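The activity baselines Moschell describes and the aggregation and correlation Wilkinson describes are two halves of one pipeline. The script below is an added example, not from the article, from Crowe Horwath or from any SIEM product: it parses constructed workstation, server and database log lines in three different formats into one event schema, builds a per-user baseline of hosts and working hours from a historical window, flags a new day's events that depart from that baseline, and correlates the resulting alerts per user into a single investigation item. All hostnames, users and timestamps are made up.

```python
"""Aggregate logs from several layers into one schema, baseline each user's
normal activity, alert on departures, and correlate alerts per user.

Added example, not from the article or any SIEM vendor. Every log line below
is constructed; the three formats stand in for real feeds from each layer.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed historical logs: the learning window for the baseline.
WORKSTATION_LOG = """\
2017-06-01T08:02:11 WS01 LOGON user=alice
2017-06-02T08:05:40 WS01 LOGON user=alice
2017-06-01T09:10:03 WS07 LOGON user=bob
2017-06-02T09:12:55 WS07 LOGON user=bob
"""
SERVER_LOG = """\
2017-06-01 08:15:02 srv-app sshd: Accepted publickey for alice
2017-06-02 08:20:31 srv-app sshd: Accepted publickey for alice
"""
DATABASE_LOG = """\
2017-06-01 08:30:44,db-prod,alice,SELECT,customers
2017-06-02 08:33:12,db-prod,alice,SELECT,customers
"""
# Constructed new day of activity to check against the baseline.
NEW_WS = "2017-06-03T08:01:10 WS01 LOGON user=alice\n2017-06-03T02:47:09 WS07 LOGON user=bob\n"
NEW_SRV = "2017-06-03 02:52:30 srv-app sshd: Accepted publickey for bob\n"
NEW_DB = "2017-06-03 02:55:01,db-prod,bob,SELECT,customers\n"

WS_RE = re.compile(r"^(\S+) (\S+) LOGON user=(\S+)$")
SRV_RE = re.compile(r"^(\S+ \S+) (\S+) sshd: Accepted \S+ for (\S+)$")

def normalize(ws_text, srv_text, db_text):
    """Aggregation step: parse three formats into one event schema, time-ordered."""
    events = []
    for line in ws_text.splitlines():
        m = WS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append({"ts": ts, "layer": "workstation", "host": m.group(2), "user": m.group(3)})
    for line in srv_text.splitlines():
        m = SRV_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "layer": "server", "host": m.group(2), "user": m.group(3)})
    for line in db_text.splitlines():
        parts = line.split(",")
        if len(parts) == 5:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "layer": "database", "host": parts[1], "user": parts[2]})
    return sorted(events, key=lambda e: e["ts"])

def build_baseline(events):
    """Per user: the hosts they used and the hours of day they were active."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        base[e["user"]]["hosts"].add(e["host"])
        base[e["user"]]["hours"].add(e["ts"].hour)
    return base

def anomalies(baseline, events, hour_slack=1):
    """Flag unknown users, hosts a user has never used, and activity more than
    hour_slack hours outside the user's usual hours: a change in 'normal',
    which is worth a look but is not proof of compromise."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e, "unknown user"))
            continue
        if e["host"] not in b["hosts"]:
            alerts.append((e, f"new host {e['host']}"))
        lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
        if not lo <= e["ts"].hour <= hi:
            alerts.append((e, f"activity at {e['ts'].hour:02d}h, baseline {lo:02d}-{hi:02d}h"))
    return alerts

def correlate(alerts, window_minutes=30):
    """Correlation step: alerts for one user within the window become a single
    investigation item, so the analyst sees the chain across layers."""
    incidents = []
    for e, reason in sorted(alerts, key=lambda a: a[0]["ts"]):
        for inc in incidents:
            if inc["user"] == e["user"] and (e["ts"] - inc["start"]).total_seconds() <= window_minutes * 60:
                inc["layers"].add(e["layer"])
                inc["reasons"].append(reason)
                break
        else:
            incidents.append({"user": e["user"], "start": e["ts"], "layers": {e["layer"]}, "reasons": [reason]})
    return incidents

def run():
    """Baseline on the historical logs, then check the new day's activity."""
    baseline = build_baseline(normalize(WORKSTATION_LOG, SERVER_LOG, DATABASE_LOG))
    return correlate(anomalies(baseline, normalize(NEW_WS, NEW_SRV, NEW_DB)))

if __name__ == "__main__":
    for inc in run():
        print(inc["user"], inc["start"], sorted(inc["layers"]))
        for r in inc["reasons"]:
            print("  -", r)
```

On the constructed data, alice's 08:01 logon matches her baseline and produces nothing, while bob's 02:47 logon followed by first-ever access to the application server and the database collapses into one incident spanning all three layers. That single item, rather than five separate alerts, is what the correlation Wilkinson describes buys the investigator; the two-day learning window is deliberately short for the example, and a real baseline would cover weeks and account for shift patterns.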
Like every other element of cybersecurity, it requires doing more than installing a lock. That lock should be tested and retested to ensure its viability against hackers who are constantly evolving to beat the best safeguards.