Accept that a softer initiative like security awareness still has a place alongside other technical controls
The threat landscape is expanding and mutating once again, with security threats dominating headlines over the past year.
The continued emergence of new threat vectors, together with the usual plain-vanilla data breaches through social engineering or credential theft, reflects that despite the broad range of security defences available, most security and risk professionals struggle to protect their organisations, reports Forrester.
But as organisations invest in sophisticated cybersecurity tools, Forrester analysts note the importance of reinforcing “human firewalls” through security awareness and training.
This approach reduces the chances that staff will succumb to phishing and social engineering attacks, according to a new report by Forrester analysts Merritt Maxim, Jeff Pollard, Amy DeMartine, Nick Hayes, Joseph Blankenship, Josh Zelonis and Andras Cser.
Human firewalls will always have flaws, but Forrester calls for greater security awareness and training for three main reasons:
- The significant percentage of cyberattacks and breaches stemming from human error or user manipulation makes any effort to reduce these odds a meaningful one.
- Security training should be seen as one element of a broader cyberrisk mitigation strategy, not a silver bullet.
- Security training is a compliance requirement for many firms already, so security and risk professionals should make it as effective as possible.
The report notes that over half of firms that suffered at least one breach did so at the hands of external actors.
Of these firms, 37 per cent report the breach was carried out through user interaction such as replying to phishing scams, clicking on malicious links, or downloading malicious email attachments.
Forrester’s advice: “Accept that a softer initiative like security awareness still has a place alongside other technical controls.
“Secondly, realise that, unless you have a communications background, you need help with the education and messaging components.
“This can be in the form of partnerships with other internal teams like HR, or soliciting security awareness tools that generate year-round programs with their own content and can measure your training efforts with phishing simulations and interactive dashboards.”
Forrester says security and risk professionals should not be fooled by marketing materials that call these tools ‘antiphishing’ or ‘antiransomware’.
“They are still e-learning solutions at their core, meaning the best solutions are those that offer creative and engaging content, not superfluous simulators and intelligence.”
Agenda du jour: Password security
The Forrester report aligns with messages across industries to raise awareness around password security.
World Password Day, which is celebrated every May 4, notes how passwords are the gateway to companies’ private materials, but the importance of password security is often overlooked.
Peter Bailey, general manager of cybersecurity consultancy, Aura Information Security, echoes the advice from Forrester on security training and awareness:
“Perhaps our biggest piece of advice is that good security starts with staff education and effective security policies – and that includes never revealing your passwords to anyone, or including passwords in documentation (e.g. emails, work instructions, and application user guides).”
He advises the use of a password manager.
A good password manager (which is essentially a vault that stores all your passwords in one place and is protected by a master password) will help to make the task of setting strong, different passwords for multiple accounts far easier, says Bailey.
As these password managers rely on users setting a very strong master password, Aura recommends using a ‘passphrase’ – that is, a sequence of four or five words.
“These days, it’s length, not complexity, that makes a good password, so try to choose longer words that aren’t predictable or easy to guess,” he says.
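As an added illustration that is not part of the article or Aura's advice, the arithmetic behind "length, not complexity": each extra random word from a wordlist adds far more guessing entropy than widening the character set of a short password. The wordlist below is a constructed sample; the list size (7776, a standard diceware list) and the alphabet sizes are assumptions for the calculation.

```python
import math
import secrets

# Constructed sample wordlist. A real diceware-style list has 7776 entries;
# the entropy functions take the list size as a parameter rather than len().
SAMPLE_WORDS = ["harbour", "kiwi", "lantern", "quartz", "meadow", "signal",
                "basalt", "orchid", "tunnel", "glacier", "pepper", "velvet"]

DICEWARE_SIZE = 7776   # assumed size of the real wordlist
ALNUM = 62             # a-z, A-Z, 0-9
PRINTABLE = 95         # all printable ASCII: the typical "complex" policy


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words=SAMPLE_WORDS, count: int = 4, sep: str = "-") -> str:
    """Join `count` words chosen with the `secrets` module (not `random`)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def gain_from_extra_word(list_size: int = DICEWARE_SIZE, words: int = 4) -> float:
    """Bits gained by going from `words` to `words + 1` random words."""
    return entropy_bits(list_size, words + 1) - entropy_bits(list_size, words)


def gain_from_symbols(length: int = 8) -> float:
    """Bits gained by widening an alphanumeric password to full printable
    ASCII while keeping the length fixed (the 'complexity' lever)."""
    return entropy_bits(PRINTABLE, length) - entropy_bits(ALNUM, length)


def passphrase_beats_complex_password(words: int = 5, char_len: int = 8) -> bool:
    """Does a `words`-word passphrase out-entropy a random `char_len`-char password?"""
    return entropy_bits(DICEWARE_SIZE, words) > entropy_bits(PRINTABLE, char_len)


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    print(f"4 words: {entropy_bits(DICEWARE_SIZE, 4):.1f} bits, "
          f"5 words: {entropy_bits(DICEWARE_SIZE, 5):.1f} bits")
    print(f"8 random printable chars: {entropy_bits(PRINTABLE, 8):.1f} bits")
    print(f"one extra word adds {gain_from_extra_word():.1f} bits; "
          f"adding symbols to an 8-char password adds {gain_from_symbols():.1f} bits")
```

The numbers assume every word or character is chosen uniformly at random; a human-picked "complex" password is usually far weaker than its alphabet size suggests, which only widens the gap.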
Bailey also advises using two-factor authentication wherever it is available, and never reusing passwords.
“If a hacker does manage to access your business password, having the same password for everything could spell disaster,” he states.
The same applies to employee passwords: sharing a password between personal and business accounts increases the chances that it will be compromised.
He says users must never disclose or share their credentials.
“Cybercriminals are getting more and more sophisticated, but in our experience the same types of tricks that have been used for years by hackers are still the most effective – and that is social engineering,” notes Bailey.
“In other words, tricking an employee into clicking on an infected link, revealing a username and password or paying an invoice that looks like it has come from a legitimate source."
He concludes: "Most security breaches can be attributed to employee error…or ignorance.
"Employees who use weak passwords or use the same password across personal and work accounts can prove to be the weak spot that hackers use to penetrate your business. To ensure your business fosters a culture of cybersecurity awareness, regular training and education is key. If you don’t have a CISO to help lead the charge, there are some great online tools and employee checklists available from sites such as ConnectSmart.govt.nz and cert.govt.nz."
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter: @cio_nz