Why security training is key to improving cybersecurity posture
The threat landscape is constantly evolving and the shift to hybrid has only widened the attack surface. Today, organizations continue to be in the firing line as cybercriminals exploit their most used application: emails. The proliferation of phishing and business email attacks have seen hackers targeting the biggest corporate security weakness; employees.
Threat actors target workers because they are seen as the weakest link. Cybercriminals are thriving by targeting and exploiting staff, especially those who haven’t received effective user education and training. As the attack surface expands and threats become more sophisticated, organizations must reinvent the wheel by changing their approach to cybersecurity. Where should they start? With training employees and providing omnipresent tools and technology to prevent, detect, and recover from even the most sophisticated of attacks.
Remote and hybrid work creates new challenges
The shift to hybrid work has meant that home working has become the norm. However, while it has opened the door for better work-life balance, it comes with risks. Research shows that over half (63 percent) of UK office workers have admitted to using their work devices for both work and personal use. As such, it’s no surprise that the bad guys have accelerated social engineering attacks to take advantage, with more than half (54 percent) of IT leaders reporting a spike in phishing.
This comes at a time when cybercriminals are working to find new ways to trick users. Attackers are using automation to include corporate logos and email signatures in phishing emails, making them appear more realistic and harder to spot. Especially when organizations are using more suppliers than ever, making it harder to distinguish between legitimate partner comms and opportunistic phishing emails.
What’s more, the malicious domains used in modern attacks are often typo-squatted (i.e., registering domain names that are a slight variation of a particular brand) to appear more convincing. The introduction of internationalized domains (IDNs) has also opened up more opportunities for trickery, with attackers substituting letters with very similar characters from non-Latin alphabets.
Then there are even more sophisticated techniques, such as thread-hijacking. Here, user inboxes are hijacked via phishing attacks, and threat actors use automation scripts to sift through existing conversations in the victim’s email account to identify privileged users. From here, they might take a legitimate document, for example an invoice or an Excel budget tracker, add malware to it, and resend it. They could also use this technique to target executives and systems administrators that have sent messages and reply to their emails with malicious content.
Employee engagement needs a new approach
It’s extremely challenging for a user to spot a phishing email this well-disguised, so a dual approach of comprehensive training alongside state-of-the-art security hardware and software that can prevent, detect, and recover from attacks is needed.
A fresh look at employee engagement is required too. Businesses must understand that opening a two-way dialogue is critical to the health and longevity of a security setup. IT must listen to users about the obstacles they are facing at work. They must explain why training and security policies are needed. If employees understand the why, it will help to build a collaborative partnership and embed security into an organizations DNA. Everyone will start to take accountability, not just IT.
Comprehensive security education and awareness training programs are also a must. Employees should be taught what to look out for and how to identify suspicious emails. They should be shown how to verify the name of the email sender, as well as the domain name for the email address. They should also be educated on domain name structure, and taught to scan them from right to left to identify inconsistencies. In addition, staff should be taught how to spot typos in domain names and URLs.
Users also must be trained to be mindful of content from trusted sources. When they get an email from a colleague, or an external partner, they need to consider whether the message is something they expected to receive. Is the email relevant in the context of the email chain? Are email attachments opening as blank or not appearing as expected? If so, then something could be amiss.
Phishing simulations used in training should also reflect this, using current campaigns and real-world social engineering techniques to show users how tough it can be to spot attacks. Training should also guide users on what to do post-click, explaining how and who to report incidents to and not to be afraid to do so. Without notifying IT, there’s a far greater risk of damage being done.
Defense requires an army
Today’s approach to cybersecurity needs to become much more of a collective responsibility where everyone plays a part if defending the business. But, to achieve this, education needs to work hand-in-hand with endpoint security.
Some techniques, such as thread-hijacking, can be very difficult to detect, even for the trained eye. This is where endpoint security technologies such as micro-virtualization can help. Based on the Zero Trust principle of strong isolation, micro-virtualization ensures that potentially dangerous tasks -- like clicking on links or opening malicious attachments -- are executed in a disposable virtual machine separated from the underlying systems. This traps any malware hidden within, making sure attackers have no access to sensitive data and preventing them from gaining access and moving laterally.
By providing up-to-date, regular cybersecurity training and adopting layered endpoint defenses, businesses can build an army of employees and endpoint capable of defending the enterprise.
Dave Prezzano is UK & Ireland Managing Director at HP Inc.