Effective staff training and awareness programmes are widely regarded as a vital prerequisite for a strong cyber security posture. In fact, they form part of GCHQ’s “10 Steps” best practice guidance document for organizations. However, developing the right programme and enterprise-wide culture can be difficult, especially without buy-in from the board. Part of the problem stems from the fact that many business leaders simply are not interested in cyber security. They regard it as something that affects everyone in the organization but them.
Well, here is a fact that might surprise you. In new “human vulnerability” tests conducted by NTT Security on behalf of customers wanting to evaluate their risks from all angles, we found that even senior management compromised organizational security in as little as 10 minutes. Holding a mirror up to the board and senior management like this could be a great way for IT teams to secure funds and accelerate education programmes.
The weakest link
We all know that corporate cyber security is only as strong as its weakest link, and more often than not that weakest link is the human interface. That’s why it’s so disappointing that only 44% of global companies have communicated an information security policy to their employees and just 22% believe those employees understand them, according to our Risk:Value 2017 report.
Poor levels of user security awareness have made phishing one of the most popular ways for malicious actors to launch advanced info-stealing attacks. According to some estimates, the tactic was present in 21% of attacks in 2016, up from just 8% the previous year. Humans can be socially engineered into handing over their log-ins by phishing emails and scam calls, or into downloading covert malware by opening malicious attachments or clicking on malicious links. All too often, they make the bad guys’ job even easier by reusing passwords across multiple accounts, or by using credentials that are easy to guess or crack.
Human error also accounts for a growing volume of highly preventable but damaging data leaks. Freedom of Information requests sent to the ICO, the UK data protection watchdog, reveal that staff mistakes accounted for almost half of all breach incidents reported to it over the past couple of years.
Often, senior management hate security policy. It gets in the way of their daily schedules and is seen as a block on productivity. Many think it is simply not relevant to them, which makes it challenging to kick-start comprehensive training programmes for the entire workforce. So how do we break this vicious cycle?
The value of board-level ‘hacking’
NTT Security has a novel approach. We perform personalized vulnerability testing (with the agreement of, and on behalf of, the customer) to find out just how security-aware, or otherwise, senior management actually are. It is unrelenting. Our team will use all means possible to get those log-ins, whether that means sending convincing phishing emails, making fake password-reset calls to the help-desk, shoulder surfing in local cafes, or brute forcing passwords.
The results of trials in the Nordics have surprised even us. Managers who took part ended up spilling their secrets in as little as 10 minutes, putting their entire organization at risk. On average, we found that 70% of the managers were easy targets for motivated attackers.
Holding a mirror up to senior management like this can not only help to improve security awareness at a senior level but also help to create a more security-conscious culture from the top down. It might even persuade the board to release funds for more effective training programmes for all.
By putting more thought into this area, we can finally begin to turn that weakest link into a formidable first line of defense.