As the previous blog post showed in detail (and, I hope, memorably), awareness can successfully defend against many attacks. To achieve this, companies need to develop an awareness strategy that motivates employees to recognize and ward off social engineering.
In this context, I recommend that anyone working in IT security, but also management, read Kevin Mitnick’s book The Art of Deception (ISBN 0-471-23712-4). Anyone who has the opportunity to attend one of his lectures should take it; it is worth it.
In 2004 I was fortunate enough to meet Kevin and his family in Athens at the ISMF conference and to listen to his lecture. A really eye-opening lecture, because he clearly showed that social engineering combined with “hacking” is many times more effective than technical hacking without social engineering.
Given this, awareness is “only” one part of the IT security strategy, but in my opinion one of the most important, alongside APT (Advanced Persistent Threat) defense and endpoint security (the subject of a later blog article).
Has it never happened to you that you opened an email because an invoice for things you never ordered, or a reminder, suddenly appeared in your inbox? It is in our nature that we, startled, open such phishing emails. For me, the principle applies: “What cannot be, must not be!” Therefore, I have made it my policy to first click on the sender to see which real email address is behind it. That is, if I am a customer of Postbank and the sender is shown as Postbank, but the real sender behind it is the email address X7213@grogie.ru, I delete it immediately. People without awareness, however, will open this email without further examination, and since these emails look perfect these days, they also open the attachment, and bingo, the malware has struck.
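The check described above, looking past the display name to the real address, can be automated in a mail filter or a user-facing hint. The following is an added example, not code from the original post; the trusted-domain table and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample From: headers (not taken from real mail).
SAMPLE_HEADERS = [
    'From: Postbank <X7213@grogie.ru>',
    'From: "Postbank Kundenservice" <service@postbank.de>',
    'From: Colleague <colleague@example.com>',
]

# Assumed mapping of brand names to the domains that brand really mails from.
# In practice this comes from your own list of banks, suppliers, etc.
TRUSTED_BRANDS = {"postbank": {"postbank.de"}}


def _strip_header_name(header_value):
    """Accept either a bare address or a full 'From: ...' header line."""
    if header_value.lower().startswith("from:"):
        return header_value.split(":", 1)[1].strip()
    return header_value


def sender_domain(header_value):
    """Return the domain of the real address (the part in angle brackets)."""
    _, addr = parseaddr(_strip_header_name(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(header_value):
    """Return (verdict, reason). 'suspicious' when the display name claims a
    known brand but the real address domain is not one of that brand's domains,
    or when no real address can be parsed at all."""
    value = _strip_header_name(header_value)
    name = parseaddr(value)[0].lower()
    domain = sender_domain(value)
    if not domain:
        return "suspicious", "no real address found"
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in name and domain not in domains:
            return "suspicious", f"display name claims {brand!r} but address domain is {domain!r}"
    return "ok", f"address domain {domain!r}"


def triage(headers=SAMPLE_HEADERS):
    """Run the check over a list of headers; returns (header, verdict, reason)."""
    return [(h, *check_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in triage():
        print(f"{verdict:10} {reason:60} {header}")
```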
In addition to phishing (the mass sending of mails with malware-infected attachments), which mainly hits private users, there is the far more dangerous spear phishing (targeted sending to specific people). While your company’s security mechanisms are likely to detect phishing mails because the signatures are usually already known (simply because of how often they occur over a period of time), spear phishing mails are targeted, and it can be assumed that the malware attachment is specific to the target person(s). The mail was designed specifically and has not been seen before, so your company’s security mechanisms will struggle to identify and eliminate it correctly. This increases the risk that the email gets through and is opened. Here, awareness is the last bastion.
But how do you create awareness in companies? With an awareness program!
Basic requirements for an IT security awareness program
• 100% commitment of the CxO level and the management
• Multi-level program to constantly increase the maturity level
• Must be able to respond to current / new dangers in a timely manner
• Promote a point system and incentives
• Provide a reporting office for security incidents, where incidents can also be reported anonymously
• Offer security advice, also for home use
What makes a good awareness program?
In my opinion, there are only 7 steps that characterize a good awareness program. It is very important that the employees’ private lives are also addressed. Why? Certainly there will be some employees to whom the company matters far less than their own private protection. To reach these employees, it is important to include the private sphere, because security habits practised at home are likely to be practised in the company as well. Here are the 7 steps in detail:
1. 100% CxO and Management Commitment
Before embarking on anything else, secure the strong support of the CxO level, which gives you more freedom, budget, and acceptance from other departments. It is best to remove any hurdle here with reference to compliance, the new IT security and privacy laws, and the argument that an incident, not to mention a loss of reputation, can be far more expensive than the awareness program.
2. Choose the Awareness program carefully
A hastily purchased awareness program will seldom meet your needs. A few PowerPoints and training videos are not enough to reach your goal. What you really need is:
3. Include all departments, but also the employees
4. Test the success of the Awareness program
The awareness program must be measurable. Therefore you should, for example, conduct internal (spear) phishing campaigns periodically, before a department has completed the training(s) and after. Such tests can be performed for any new topic that a department has covered in training and give you a measurable level of success, because you have to account for the budget and the success of the program to management.
5. Allow and direct instead of prohibition
Certainly there are things in dealing with data and IT that must be clearly forbidden. But instead of telling employees that they have to keep away from social networks, the acceptance of the awareness program is much higher if you instruct the staff how to deal safely (at home and in the office) with such information and services.
So do not be the prohibition department; be the helping hand instead.
6. Create incentives
A reward (point) system creates incentives for employees. This can be done, for example, in the context of the internal phishing campaign, where the people who noticed the phishing mail and reported it are mentioned positively in the next newsletter. Award points for any voluntary training or workshop, hand out rewards to the employee when enough points are scored, and mention these employees in the newsletter.
7. Use your marketing tools to look into the future
Employees hate nothing more than suddenly being presented with a done deal in IT and IT security (system changes, new applications, new rules, etc.). Use your marketing tools to make employees aware of future changes. Of course, you need the support of IT and IT security so that they disclose their plans to you early enough.
Of course, each of the points listed here can be broken down into numerous sub-points, but this is only an overview of how a successful awareness program could be structured. Just as companies differ, so will their awareness programs.