Top tips to create a culture of security (Hint: it's not more training)
Enterprises investing ample time and money in secure email gateways are still seeing fraudulent messages being delivered to their users’ inboxes undetected. In fact, phishing attacks are the origin of most breaches today.
Many organizations have therefore turned towards user security awareness programs; training staff to recognize and avoid the threats that make it into their inboxes. Why then, despite these efforts, have the number of breaches originating from phishing attacks grown every year since 2017?
Adoption of Security Awareness Training (SAT) accelerated as an annual tick-box exercise dictated by compliance requirements and cybersecurity insurance issuers. It’s since become the de facto guidance for any organization struggling to prevent another successful social engineering attack like business email compromise. It has also become the primary tool in the Culture of Security kit.
Enterprises must strive to create a culture that results in sound security behaviors as part of an employee’s day. Training users is critical for ensuring they understand the organization’s policies and corresponding expectations of their members, but it doesn’t create a culture. Creating a culture requires users and security analysts to actively work as a team daily, supporting each other and reinforcing expectations and lessons learned in training.
There are a few practical steps that any organization can implement to enable their staff to defend the business. These measures combine technology and user awareness to create an active protective shield against real email attacks rather than fake ones.
It is impossible for any cyber security system to detect all threats, all the time, without pressurizing users and admins with false positives and delayed email delivery. However, it is possible to provide users with mailboxes that contain a smaller number of threats.
Most organizations aim to block malicious emails at the perimeter, when it is far more effective to apply continuous automated threat hunting where the threats live -- in the mailboxes.
This method has proven not only to apprehend attacks that were missed by secure email gateways and Microsoft 365, but also provide strategic visibility into previously undetected spear phishing, ransomware and business email compromise (BEC) risks.
Implementing this method alongside SAT is extremely beneficial for the enterprise. By removing the pressure on employees to mitigate every single threat themselves, the staff instead position themselves as part of a wider and more strategic company security posture.
Creating a positive environment
SAT is essential for compliance with PCI DSS, HIPAA/HITECH and SOC2. Furthermore, a part of security training involves users being stimulated with fake phishing attacks, which is a useful rehearsal for identifying real attacks. For the latter, many organizations have implemented processes on the back of their SAT program for users to report suspicious messages to their security team. However, the security teams rarely investigate all these alerts and almost never provides feedback to the reporting users. Feedback is critical so users are rewarded for spotting real threats or given real-world training when they generate a false positive. This loop of user reporting and analyst feedback creates a positive environment and teachable moments that fosters a culture of security in a way that training videos and quizzes cannot.
Another key factor in creating a positive environment is using self-service tools alongside real-time cues applied to suspicious messages. Self-service tools include add-ons to email clients that allow users to request and view results for security scans of a message. Cues are automatically generated in-message warnings when advanced detection models like Machine Learning spot indicators of business email compromise or other subtle attack type. When combined, these enable users to apply lessons learned from training to enrich automated detection rather than expecting users to bear the entire burden of detecting evasive threats.
Empowerment vs Training
For a business that needs to develop its cyber security culture, security awareness training is only the start. Creating and reinforcing a culture of security requires building upon SAT to equip users to participate in the active defense against real cyber-attacks.
Harnessing SAT alongside automated detection demonstrates to employees that their organization has realistic expectations from them. Employees should not feel that the fate of a breach rests on their shoulders but should feel empowered to play an important role in actively defending their enterprise. Executives can even provide tools for users to scan suspicious content themselves, exacerbating a holistic organization-wide approach to security.
Without proper security training, even the best tools can be rendered useless. When executed correctly, not only does SAT put your organization in a better position from a cyber insurance and regulatory requirements point of view, but it also creates an environment where your employees are proactively engaged in minimizing online risk to help to bolster your security posture.
Mike Fleck is Senior Director, Sales Engineering at Cyren.