The role of education in fighting security breaches [Q&A]
When securing systems, most people's thoughts turn to technology: firewalls, anti-virus programs and so on. What's often neglected is the human aspect.
Many breaches come down to poor password practices or falling for phishing emails, things which can be prevented with better education. We spoke to Stephen Burke, founder and CEO of security awareness specialist Cyber Risk Aware, to get his views on how awareness training can be used to drive better behavior and make businesses more secure.
BN: What's the starting point for awareness training? Do you need to audit the data and who has access?
SB: No, that's not necessarily our role. We want to raise awareness of what people should be doing. In terms of assessing the level of risk and getting a baseline on how susceptible the business is to phishing emails, we're running simulated attacks that look as real as possible. Once you assess which user or department is more susceptible, that helps in terms of being able to see the problem; then you can target training based on those initial results.
Ultimately the content we have helps companies and staff understand how to set strong passwords, how to spot phishing emails, how to identify websites from the URL, all things which people are often never shown. These are all the practical skills people need to have and companies need to be advocating.
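One of the practical skills mentioned above, identifying a website from its URL, as an added Python example that is not part of the interview or of Cyber Risk Aware's product: it extracts the host the browser will actually connect to and compares it with the site the link claims to be, reporting the findings in the plain language a training module would use. The sample URLs, the `.example` domains and the documentation IP address are constructed for illustration, and `registrable_domain` is a deliberate simplification (it takes the last two labels and does not consult a public suffix list).

```python
"""Inspect a URL the way awareness training teaches: find the host the browser
will really connect to and compare it with the site the link claims to be.
Added illustration; sample inputs are constructed, not taken from any incident."""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the hostname.
    Assumption: no public-suffix handling, so a name like bank.co.uk would
    need a public suffix list in real use; enough to illustrate the idea."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str, expected_domain: str) -> dict:
    """Return the real host, the site it resolves to, whether that matches the
    expected domain, and plain-language findings for a trainee."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    brand = expected_domain.lower()
    brand_word = brand.split(".")[0]
    findings = []

    # Rule 1: anything before '@' is userinfo, not the host; the browser
    # connects to whatever follows the '@'.
    if parts.username is not None:
        findings.append("text before '@' is not the site; the real host is " + host)

    # Rule 2: a bare IP address is not a named website at all.
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a bare IP address, not a named website")
    except ValueError:
        is_ip = False

    actual = host if is_ip else registrable_domain(host)
    matches = actual == brand

    # Rule 3: the brand name may sit in a subdomain or in the path while the
    # real domain is something else entirely.
    if not matches:
        if brand_word in host:
            findings.append(f"'{brand_word}' appears in the hostname, but the site is actually {actual}")
        elif brand_word in (parts.path + parts.query).lower():
            findings.append(f"'{brand_word}' appears only in the path or query; the site is {actual}")

    # Rule 4: plain http means the connection is not encrypted.
    if parts.scheme == "http":
        findings.append("connection is not HTTPS")

    return {"host": host, "actual_site": actual, "matches": matches, "findings": findings}


# Constructed training samples: the trainee is told the link is for example-bank.com.
SAMPLES = [
    "https://www.example-bank.com/login",
    "https://example-bank.com.login-portal.example/secure",
    "http://example-bank.com@198.51.100.7/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_url(sample, "example-bank.com")
        status = "OK" if result["matches"] else "MISMATCH"
        print(f"{status:8} {sample} -> {result['actual_site']}")
        for note in result["findings"]:
            print("         -", note)
```

Run as a script it prints one line per sample URL with the site it really points to, followed by the findings; the same `inspect_url` function can be called from a training exercise that asks the learner to judge each link before revealing the answer.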
BN: Once GDPR comes into force there are some strong penalties. Could it be better to use training for 'first offences' -- rather like speed awareness courses are given to drivers?
SB: Having been a CSO myself in various sized companies, the smaller organizations in particular don't have the technical expertise in security because they're focused on running the business. They tend to have an immaturity around this; they are reliant on outside help. For smaller companies to be hit with a large GDPR fine for a data breach when they haven't been helped in advance on how to tackle the issue, I think, would be a bitter pill to swallow. It would be far better to encourage companies to be helped to raise awareness among themselves by taking awareness training and understanding how to protect data.
If there are small and medium enterprises that are going to struggle with this it would be a far better way to get them on board to say, "here's some training" rather than hitting them with a big fine that could put them out of business. The economy needs jobs, you don't want to be putting companies out of business, there's a balance to be achieved. If someone has been helped and their awareness has been raised and they still have issues, then they need to be held accountable, which is what GDPR is about. You could have a fine on notice -- like a suspended sentence -- to ensure companies take the training.
For large organizations it's a different issue. They are fully aware of their obligations and they have the means to deal with them. Even so, some large businesses will be struggling with this too. There are going to be large banks and other institutions that simply don't have a handle on where their data is and who has access to it. It's difficult, especially with a mix of legacy and other systems, but that's no excuse; they've had a long time to be aware GDPR is coming.
BN: We've had an example of that this week with Uber, where the breach seems to have been caused by developers uploading live data to a test site. Are there lessons to be learned there?
SB: Yes, and that's not without precedent. There have been incidents elsewhere where companies have exposed test data. This all goes back to sound practices, people understanding risks and what they should and shouldn't do with data.
It's also about the response and how you handle it. To pay a ransom as Uber did and not tell anyone what had happened is incredible. I think one of the top things we'll see change next year is incident response. Businesses need to conduct tabletop exercises around this to get the right people into place. We've seen on many other occasions, TalkTalk and Equifax for example, that the response to a breach is not done right. It's important for executive teams to understand that you don't want to exacerbate a bad situation, as it can damage the reputation of the business.
BN: So there needs to be recognition that it's not just an IT problem?
SB: Absolutely, which then goes back to GDPR and executives needing to be fully aware of the responsibilities that they have. They need to be in a defensible position, to explain what they've done and why they've done it. That's important for GDPR, where fines will be based on what actions have been taken. The less companies have done, the higher the fine.
BN: Could awareness training become tied to getting insurance against data breaches?
SB: Insurance products have always focused on post-breach: containing events, helping forensic investigations, loss adjusters. It's all been after the fact. I'm saying to insurance companies, why not have your clients do pre-breach work to stop claims from happening in the first place?
By providing a pre-breach service with awareness training, simulated phishing attacks, cyber knowledge assessments and training, that's a win-win for the insurers, as they're going to prevent claims so they're less likely to have to pay out. We already have insurers who have purchased our service for all of their clients, so they have access to our platform for free. Because it's included in the premium, companies that wouldn't necessarily have the maturity to be aware or invest in training get it as part of their policy.
In particular, SMEs are where a lot of cyber insurance claims are happening, purely because they're being targeted. They don't have the technology, they don't have the expertise. Giving them this training boosts the 'human firewall' that helps them avoid security incidents.
BN: Does this work at all levels of the organization? With people in accounts, for example, who might be targeted with phishing emails, fake invoices, etc.?
SB: The biggest issues right now are ransomware and fake CEO emails which lead people to wire money to fraudsters. There are big sums involved, so by helping companies recreate these scenarios in a controlled way we help their staff experience what it could be like.
It won't necessarily be a nice experience, but it's far better to make a mistake under controlled circumstances than with a cybercriminal. When people feel that they've been fooled there's an instant reduction in the risk, because they never want to feel that way again. The training content reinforces that message, teaching how to spot phishing emails, how to set secure passwords and not to reuse passwords across accounts.