This week, we have a guest blog post from Orlando Bryant, Cybersecurity Incident Response Consultant at NTT Security.

Employees are the biggest single cyber threat to organizations. According to data cited by Security Magazine, “employees are still falling victim to social attacks. Financial pretexting and phishing represent 98% of social incidents and 93% of all breaches investigated.” 

93% is an astounding share of data breaches that can be traced back to an employee.

While some “insider” attacks are the result of employees intentionally misusing their user credentials, many are the result of employees making unintentional mistakes without considering the impact, such as falling for phishing attempts, visiting malware-laden websites, bringing compromised USB drives or other personal devices to work, or sharing their user credentials with someone else.

Jonathan Greig at TechRepublic wrote an article based on recent Proofpoint research: “According to cybersecurity firm Proofpoint, the ‘vast majority’ of digital attacks aimed to exploit the ‘human factor’ through phishing attempts and related efforts.” The Proofpoint research report stated: “Email remains the top attack vector. Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click.”

About 50% of all clicks on malicious emails occurred within an hour of the message showing up in the victim's inbox, and 30% happened within 10 minutes of receipt. Hackers, whether working on their own, with a group, or with a state-sponsored entity, attempt to take advantage of human trust. Nearly 55% of social media attacks that impersonated customer-support accounts were aimed at financial institutions. The report also noted that many of the attacks relied on social engineering.

Security awareness training has become a top priority for many organizations. Companies invest heavily in cybersecurity education programs so that employees learn how to safeguard company assets as well as their personal information, and how to recognize cybercriminals' malicious activities and their tactics, techniques and procedures (TTPs).

Implementing security awareness training is a good start for organizations, but measuring the effectiveness of the overall training program, and each employee’s ability to actually change their behavior, is another matter. Most organizations require their employees to complete security awareness training during the new-hire onboarding process and then only once a year, for security compliance and policy purposes. These one-and-done training methods are not effective.

Companies should conduct security awareness training when new employees join the organization, after a security incident occurs, and at regular intervals throughout the year. The training sessions should include real-world examples of what to do and what not to do, such as phishing or other social-engineering email scams.

Companies can deliver security awareness training by distributing email-based tests and quizzes, sending simulated phishing emails that track end-user activity, or using web-based training tools. Everyone loves to eat, so hosting in-person lunch-and-learns is also a great way to get people in a room to learn the do’s and don’ts of security, talk through scenarios, and share best practices.
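As an added example (not part of the original post), here is how the activity data a simulated-phishing campaign collects can be turned into the measures the post calls for: click and report rates, plus the time-to-click distribution behind the "within 10 minutes" and "within an hour" figures cited above. The log format and the sample events are constructed assumptions, not data from any real campaign.

```python
from datetime import datetime
from statistics import median

# Constructed sample log for one simulated-phishing campaign (not real data).
# Format per line: timestamp,user,event  where event is sent, clicked or reported.
SAMPLE_LOG = """\
2024-03-04T09:00:00,alice,sent
2024-03-04T09:00:00,bob,sent
2024-03-04T09:00:00,carol,sent
2024-03-04T09:00:00,dave,sent
2024-03-04T09:04:00,alice,clicked
2024-03-04T09:45:00,bob,clicked
2024-03-04T09:12:00,carol,reported
2024-03-05T08:00:00,dave,clicked
"""


def parse_events(text):
    """Return {user: {event: first timestamp seen for that event}}."""
    events = {}
    for line in text.strip().splitlines():
        ts, user, event = line.split(",")
        # Keep only the first occurrence so repeat clicks do not skew timing.
        events.setdefault(user, {}).setdefault(event, datetime.fromisoformat(ts))
    return events


def campaign_metrics(text):
    """Click/report rates and time-to-click distribution for one campaign."""
    events = parse_events(text)
    sent = [u for u, e in events.items() if "sent" in e]
    clickers = [u for u in sent if "clicked" in events[u]]
    reporters = [u for u in sent if "reported" in events[u]]
    # Seconds from delivery to first click, one value per clicking user.
    ttc = [(events[u]["clicked"] - events[u]["sent"]).total_seconds() for u in clickers]
    return {
        "sent": len(sent),
        "click_rate": len(clickers) / len(sent) if sent else 0.0,
        "report_rate": len(reporters) / len(sent) if sent else 0.0,
        "clicks_within_10min": sum(t <= 600 for t in ttc) / len(ttc) if ttc else 0.0,
        "clicks_within_1h": sum(t <= 3600 for t in ttc) / len(ttc) if ttc else 0.0,
        "median_ttc_minutes": median(ttc) / 60 if ttc else None,
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Tracking these numbers campaign over campaign (rather than once at onboarding) is what shows whether the training is changing behavior: the click rate should fall and the report rate should rise.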

As I mentioned earlier, security awareness training should not be a one-and-done occurrence. Organizations should work to make security a part of the overall company culture so that security is always top of mind. SC Magazine recently interviewed NTT Security Americas CEO John Petrie on security and employees being the weakest link. According to John, security awareness training is a critical, foundational, and still too often under-utilized tool that enterprises can and should enlist. John also states, “And I’m not talking about the once-a-year PowerPoint presentation; humans are humans and they will make mistakes. Training programs must evolve.”