How to fight phishing and other attacks with security culture

For all the headlines about zero-day exploits and advanced threats from state level attackers, the truth is that most cyber attacks are much more mundane. In fact, a great many attacks are barely technical. Instead, the attackers rely on human error.

Last year, 76 percent of companies reported being a target of phishing attacks, with 56 percent of those being highly sophisticated spear-phishing attacks that used personal information about a target to create a more believable ruse. Ninety-five percent of successful attacks on enterprise networks start with a spear-phishing attack, according to SANS institute. Even with emerging attacks such as the SIM hijacking used to bypass 2 factor authentication, the weak link is often human error rather than a machine.

Automated defenses can help with these kinds of attacks, but the best defense is a good security culture — a well-trained, vigilant workforce that doesn’t easily fall for phishing attacks or other tricks, and which reports incidents quickly. Even when attacks avoid detection, a good security culture helps the organization respond immediately and effectively, which helps mitigate damage.

Making your culture more secure

Although such a secure and effective team might seem out of reach, a more secure company is closer to reality than you might think. It is true that you probably won’t be able to build a world-class security organization like the ones found at Google or Dropbox without a lot of time and money invested. However, it’s equally true that this shouldn’t be your goal.

As with many topics in security, it’s actually the simple things that matter most. Making a few changes to how you train your employees, how you talk about security, and how you model best practices can do a lot to protect your workforce against phishing and other social engineering attacks. Perfect defense is hard to attain, but you can be much more secure with a lot less effort (and cash) than you might expect.

Here are some tips to begin building a security culture within your organization:

• Start with the basics: It can be tempting to train your entire workforce on advanced security topics, but this is unlikely to give you the same benefit as establishing a good baseline. You should focus your security education efforts on the simplest mistakes that create large data breaches — password safety, anti-phishing, and operational security around sensitive company data. Even this will take a lot of time to instill in your workforce, so getting it right should be priority number one. Once you’ve got a good baseline, you can think about expanding your education and culture-building efforts.
• Make security a part of employee onboarding: In addition to training existing employees on security, one of the best ways to make security culture effective in your organization is to design standard curriculum for all new hires. Not only does this give everyone common knowledge to draw from, but it communicates the importance of data security right up front. Security onboarding should include security measures the company expects employees to adhere to and (importantly) the rationale behind them. The goal of this should not just be rote memorization and compliance, but an understanding of the threat landscape and how good security practices protect employees and the company. If your team understands why they should do the things they’re supposed to do, they’ll be more likely to recognize danger and react appropriately in the moment.
• Start a security channel in Slack: A great way to increase the visibility and awareness around security is to set up a channel for security discussion in a corporate Slack server. This can be a place for all employees to post and discuss the latest data breaches and news about developments in security. It’s also a way for the security team to communicate security developments within the company and answer questions from interested employees. Ongoing discussion displays the transparency necessary for a good security culture and knowledgeable foundation for employees. Teams value what they pay attention to.
• Make it easy to report suspicious activity: Good corporate security requires the entire workforce to promptly report anomalies. In a data breach situation, the sooner a threat is reported the more likely it can be contained. However, many companies don’t make this as convenient as it should be. Don’t just establish an email address and leave it at that. There should be multiple channels for reporting anything suspicious — email, Slack, social media, security office hours — and be sure that they are easily found and available. Additionally, reporting an incident should not result in discipline. Instead, it should be considered a responsibility with no negative repercussions. Employees should feel secure coming forward with concerns.
• Never just say no: A good security culture means that employees seek feedback from a security team when they have a decision that could impact corporate safety. Yet this cuts both ways — the security team also owes it to other teams not to be an impediment to their ability to do their jobs. If every interaction with security has negative results, employees will feel far less comfortable, and the security team will quickly find itself sidelined. If a proposed idea isn’t feasible for security reasons, the idea should be discussed. Security should work collaboratively with business organizations to meet objectives with high standards in cyber defenses.

A good security culture takes time to build. It takes effort, patience, and transparency, but the result is a more collaborative effort to defend against data breaches. That ultimately means a safer company, happier employees, and a better work environment.

Originally published at blog.fleetsmith.com on December 17, 2018.