There are many things that put your network at risk. The primary thing people tend to think about is “The Bad Guys.” Hackers. Corporate espionage. Saboteurs. There is also the concern of physical risks like fire, flooding, and earthquake. You may be surprised to learn that the number one risk to your network, by a lot, is your own employees.
I’m not talking about disgruntled employees who are intentionally trying to damage the company; I’m talking about your average, run-of-the-mill employee like Jack in Accounting or Katie in Human Resources. Dependable people who come to work every day and do a great job. They don’t mean to put the company at risk; they just want to be as efficient and helpful as possible. They have no idea that their password is so weak that a beginner hacker could crack it in under 5 minutes, giving the hacker access to data you thought was secure. They are genuinely concerned when an email says payroll isn’t going to go out on time, so they quickly click the link, which downloads a virus that encrypts the network and ALL mapped drives, effectively shutting down production for 40 hours and costing the company greatly in both downtime and repair costs.
When the technology changes so fast that even IT professionals can have a hard time keeping up, it can be very difficult for people to maintain an adequate level of cybersecurity awareness without a little help. That’s where understanding the basic components of cyber risk management and cyber security training come in, and everyone needs it.
The Top-Down approach
PCI, HIPAA, SOX, and FISMA all have personnel training requirements. Often, managers identify a training requirement in the security standard and, to maintain compliance, find some online training program, assign it to employees, and call that requirement satisfied for the year. In other situations, the company is about to go through, or even worse, is in the middle of an assessment when it is discovered that the training didn’t occur, so everybody rushes to get it done in order to pass the assessment. The problem with both of these scenarios is the mindset.
In these types of corporate cultures, security is “the ticket that needs to get punched” to pass the assessment. This attitude from management leaves employees believing that once the assessment is over, we can go back to ‘business-as-usual.’ Keeping the network secure wasn’t the point of the training; passing the assessment was. There is very little learned during the training, and even less retained. No one believes security is important because, in their perception, even Management doesn’t think it’s important!
On the other hand, if the COO just happened to be walking through and asked why a person was logged into a terminal but was not present at the workstation, employees may think, “Wow, cybersecurity is important!” In addition to regular training, there are often small reminders at departmental meetings, posters touting the virtues of data security on the wall, and the occasional spot-check to ensure everyone is paying attention. This company has a culture that encourages continuous security awareness and is thus always ‘inspection ready.’
General Security Awareness Training
Cybersecurity awareness training is where everything begins. Everyone gets the basics, from the mailroom clerk to the CEO. This puts everyone on the same page and helps set the tone.
General security topics can include:
If users are educated about common attack methods and a few examples of successful attacks, they are more likely to take an interest in the training. What is the difference between spyware, ransomware, viruses, and worms? What exactly is a Denial of Service attack and what are the consequences of that? What is a Botnet and is my company’s server vulnerable to becoming part of one? These and many more questions can be answered by training for common cyber attacks.
Education regarding how to make a good password, examples of bad passwords, password storage, why they must be changed, and company policy regarding password management software are all examples of password management. People are often surprised to find out their password is on the “Top 25 worst passwords of 2015” list. “123456” and “password” are still commonly used. Sometimes users will think they are being safer with keyboard pattern passwords, which are very easy to guess, not to mention easy to ‘shoulder surf.’
Knowing how email is used to attack, ways to recognize a possible malicious email, and what to do if you suspect a malicious email are all topics to touch on when training for general security. It’s a bit amazing that malicious emails are still out there, but the reason they are still being sent out at such a high rate is simple: They work. They are so inexpensive to promulgate that high enough numbers of emails can be sent out to make a profit even if only .01% of recipients respond. Email filters aren’t enough. Personnel need to know the signs and be vigilant regarding malicious email.
This section covers share drive and cloud security as it applies to the user, security zones, and media policy. Password lockout procedures are another great thing that can be covered in this section.
It truly is surprising how much information is publicly available on most people. This topic covers how social engineering is used to parlay that public information into usable information to penetrate the network of that person’s employer and how to make being socially engineered more difficult. Social engineering is such an important hacking task that at the DEF CON Hacking Conference held yearly, an entire room is dedicated to the social engineering competition in which contestants are given a hacking task and the fastest to solve it through social engineering wins.
This is a great place to help your people understand why your policies regarding physical security are in place and how they can help keep the place locked down. Why can’t I bring my phone in there? Why can’t I step outside the emergency exit for a smoke? Do I really have to close the door behind me instead of letting my co-worker in? From the locks on the doors to server room security and what ‘piggybacking’ is: once again, an informed person is an ally.
This covers the ‘in-the-weeds’ security: server security policy settings, user policy, password unlock, and other items specific to IT professionals. This is also a great chance to review the company Information Security Policy in order to validate its requirements and remind personnel what it contains.
What are your policies regarding letting go of employees and preventing angry people from lashing out via the network?
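To make the password-management topic above concrete for a training session, here is an added example (not part of the original article) that screens candidate passwords for the two weaknesses it names: membership in a worst-passwords list and keyboard-pattern construction. The deny-list, the approximate US QWERTY grid and the 0.7 threshold are assumptions chosen for illustration.

```python
# Constructed sample deny-list; a real deployment would load a published list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}

# Approximate US QWERTY grid (assumption): each key gets a (row, column) position.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
# Map shifted number-row symbols back to their digit key.
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")


def _neighbors(a, b):
    """True if a and b are the same key or touch in any direction on the grid."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_ratio(password):
    """Fraction of consecutive character pairs that are neighboring keys."""
    pw = password.lower().translate(UNSHIFT)
    if len(pw) < 2:
        return 0.0
    hits = sum(_neighbors(a, b) for a, b in zip(pw, pw[1:]))
    return hits / (len(pw) - 1)


def check_password(password, max_walk_ratio=0.7):
    """Return the reasons to reject a password (empty list = passes these checks)."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if keyboard_walk_ratio(password) >= max_walk_ratio:
        reasons.append("keyboard_pattern")
    return reasons


if __name__ == "__main__":
    # Constructed candidates covering each outcome.
    for candidate in ["123456", "password", "1qaz2wsx", "Zxcvbnm!",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Vertical walks such as "1qaz2wsx" look random to users but score as a keyboard pattern here, which is the point to show in training.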
Secure Coding Training
Too often, code is written as an afterthought. Having a software development team is expensive, and companies expect results. Functionality always takes precedence over all else. I often see this as a security assessor. The problem comes in when, after the program is functioning correctly, it’s time to get it certified for PCI or some other security standard.
Unfortunately, adding the security features after the program is functional can be a daunting task. Think of it like this: modern cars have a tremendous number of impressive safety features including crumple zones, airbags, anti-lock brakes, etc. They are integral to the design of the car. Imagine trying to add all those features to a 1964 Chevy Impala. It would be an incredibly intense and expensive effort! Similarly, if programs are designed from the beginning with security features built in, it is FAR easier to gain compliance.
One great guide for secure coding is the OWASP Top 10. OWASP stands for The Open Web Application Security Project. It addresses the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas and provides guidance on where to go from there.
Customized Security Training
If your company has any needs outside the ordinary and no IT security department, you may consider a customized security training that is designed to meet your needs. This may include specific training on the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), or the Federal Information Security Management Act (FISMA). It may also be a good idea when you have had a major security incident, as a means of getting the company into a more security-minded attitude. You can even hire outside entities to run a Continuous Security Awareness Training Program.
Testing can be a great way to monitor a portion of your security program’s success.
In a phishing type of test, individuals in the company are randomly sent non-malicious phishing emails by a trusted vendor. Data is automatically kept as to whether personnel interact with the phishing email, report it, or delete it. These results generate a percentage of responses which can be tracked. A continually dropping percentage in responses indicates a successful program. Unusually high percentages in responses may indicate a need for better training in a given topic or department.
Another common test is the USB test where USB drives are left lying around randomly. It is human nature to want to see what is on that USB drive. Sometimes people just want to see if they can figure out who it belongs to, so they can return it. Others want to see if there is interesting data on it. Regardless of their reasoning, if the drive gets plugged in, the information regarding the user and the machine is forwarded to the reporting software. Again, successful training can be tracked by percentage of plug-ins vs. turn-ins to the IT department.
In my experience doing managed IT and security assessments as a Certified Information Systems Security Professional (CISSP) and a Payment Card Industry Qualified Security Assessor (PCI-QSA), it is the company that understands potential threats and takes the defense of its IT assets seriously that stays secure. Ticket-punch online training practices and last-minute running around before an assessment do not make for a secure environment! Even if you pass the security risk assessment, all that is shown is that you are secure at that moment in time.
It takes much more to safeguard your precious IT resources and data: a management team that is dedicated to a secure environment, the resources to create and maintain that environment, and continuous effort to retain it. All of this should be documented in your company’s Information Security Policy (ISP).
Your ISP is a robust guiding document outlining both the general and specific policies regarding all aspects of the security of your company’s data. It should be broken down into sections, only one of which would address the training program. If you don’t have one, I recommend you get started on one today!
Considering the broad spectrum of training topics, it’s easy to see why choosing the right training can be confusing. People specializing in IT security can help you select the right training for your needs. Don’t hesitate to reach out for assistance with all types of cybersecurity solutions.