What Your Employees Should Know About Security: Part 4 Conclusion

Created 7 years 59 days ago
by Rita Palmisano

by Scott Lewis

Traditional security processes and tests typically ignore the human factor altogether, because it is difficult to incorporate the human factor into a tool that measures conditions, assessment models and legal strategies. The newer models are starting to recognize that there is a human target that has to be accounted for, so security planning must include more than IT. It must include human resources, legal and communication departments as well as upper management, all of which have to understand and commit to a new security model.

Where does the social engineering process start? Ernest Hemingway said it best: “When people talk, listen completely. Most people never listen.” People who initiate online conversations and phishing attempts are great listeners, and these conversations may come through commonly accepted media like Facebook, LinkedIn, Twitter, and other social media websites. It is widely understood, but rarely protected, that information is the most valuable commodity today; yet we have become a society that wants to share, and that is putting our companies and us at risk. People who have become experts in social engineering typically have skills in the area of psychology, a wide understanding of human emotion, IT skills, the ability to read body language and the ability to read responses to verbal and written communications.

What are the actual risks associated with social engineering?
A study by CFRIEL called “Social Driven Vulnerability,” which covered multiple organizations with more than 12,000 employees combined, used a Social Driven Vulnerability Assessment to gain insight into the actual level of risk those organizations were exposed to through social engineering. The tests were built around several simple, common tasks, such as phishing emails and links, to set the conditions for the assessment. In the phishing tests more than 34% of employees actually followed the link, and 21% actually entered company credentials into the fake site. The scary thing is that by simply adding certain logos and changing the wording, these numbers quickly went above the 50% mark and continued to rise as the phishing attempt was socially engineered.

How do you mitigate the risks of social engineering? This is very difficult because we do not all share the same education level, we are all at risk of manipulation, and we are all human and make human mistakes. The research still suggests that, on top of the technological countermeasures we put in place, the best way to combat social engineering is through awareness and training for all employees. This awareness training has been shown to improve morale and to build a culture in which employees are security minded and security aware, and are not afraid of confrontation or of challenging things that just don’t seem right.

We understand that it is important, and we have talked about a lot of things throughout this article, but what is the next step?

How do we get to the point where we have an effective security awareness training program? First, I think it is important to understand that if you believe you can put this together purely internally, or without senior management commitment to its success through implementation and enforcement of the objectives and results, then you are already on a difficult, and perhaps impossible, road. Security awareness starts at the top. This is where success or failure is going to lie. Senior management has to support the initiatives through both policy and enforcement of that policy, and through budget allocation for security measures and countermeasures, which could be in the form of software, hardware or both.

Some of the key components of a security awareness training program are:

1) Company security awareness: This is the formation of the security awareness team. Not all organizations operate the same, and the level of tolerance for security risk is going to vary from company to company, so it is important that you develop your own internal team that becomes the champions for the rest of the company. This team would establish corporate-wide security metrics, determine appropriate training content and interface throughout the company on security initiatives.

2) Security awareness content: Because management processes, corporate goals and objectives differ between companies, determining the security awareness content is critical to the overall training process.

3) Security awareness training checklist: Checklists are critical in guiding employees and companies through the awareness process. The ongoing development of content, the information dissemination process and the employee participation process can easily be managed through a checklist.

4) Identification of threats, vulnerabilities and countermeasures

5) Mobile device security

6) Continued education programs

Security awareness is the key component in combating security threats of all kinds, whether it is data protection, viruses, malware, external and internal hacking, ransomware or the emerging threats that come with the increase in mobile technologies. Protecting yourself and your business has to be an ongoing process and something that becomes culturally ingrained in your organization. It takes effort, time and commitment, and it has to be a budget item to ensure that you are funding the effort to counter new threats as they emerge. If you think it won’t happen to you, you are wrong. Statistically speaking, it already has. You may just not know it, and you may have gotten off easy. The threats are getting smarter and harder to detect, and they are doing more damage than ever before.

Scott Lewis is the President and CEO of Winning Technologies Group of Companies. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.