Information security is a vast subject. We spend a lot of time talking about patch management, vulnerabilities, policies and best practices yet we seldom talk about another important aspect of security - the people using your network.
Many still question the merits of staff cybersecurity awareness. If an organisation were to invest time and money to increase its employees’ security awareness, would it get any tangible benefits or would this just be a waste of time?
Before answering that question, we need to look at what tangible benefits cybersecurity education can deliver, and at the risks we are trying to mitigate.
High-level discussions of security deal mostly with two things: the risks to our systems, and keeping our information confidential and secure.
That may seem like a short list, but as any security professional knows, the number of attacks that threaten each of those core items is huge. Luckily, an IT administrator doesn’t have to fight this battle alone.
There are plenty of solutions to help an IT administrator, but even with all of them in place there remain risks that no product removes. Even if you were to install every security solution ever developed, you would not be mitigating every possible attack.
A hypothetical scenario?
Take this scenario. You have a secure system running all the best and latest tools, which makes it hard for any hacker to break in directly. The attacker wants access to a particular system, and to get it he needs to use the CEO’s account.
In our scenario, the CEO is using Google’s mail services for his email - not that far-fetched.
The attacker will need to gain access to the CEO’s Gmail without raising any suspicion. One way in is to trick the CEO’s phone company into redirecting his calls to a number of the attacker’s choice. The attacker then initiates Gmail password recovery using the phone-call option, and the recovery call, which was meant to reach the CEO, lands on the attacker’s phone instead.
With the email credentials in hand, the attacker can now log in to the CEO’s account.
The next step is to send an email from the CEO’s account to the support team asking for remote access to a server and a credential reset because something critical has happened. Few would refuse or question a request from their CEO in a moment of crisis.
This may sound pretty far-fetched, and it’s true that a lot of stars need to align for this scenario to work: tricking the phone company, knowing specific details about the target, finding trusting IT admins, and so on.
In fact this scenario has not played out in a single event. My emphasis here is on ‘single event’. Why? Because something very similar has happened, not once but twice, affecting two very prominent targets.
Matthew Prince, CEO of Cloudflare, had his Gmail hijacked in much the way I described above, and security firm HBGary was compromised by someone who used the CEO’s hijacked Google email account to trick support into providing remote administrative access.
When you think about it, access in the scenario above was gained without an exploit, without compromising any software, and without running any code at all.
All it took was human interaction and social engineering. No technical control on its own can protect your systems against that. These attacks happen, and they need to be dealt with.
What can an organisation do?
Staff awareness? Protecting your employees with technology is not enough; you also need to give them the knowledge to recognise security risks and handle them properly. In the scenario above that means, for example, confirming any request to reset credentials or open remote access through a second channel, such as a call back to a known number, no matter who appears to have sent it.
Software measures sometimes give us a false sense of security. Some attacks are designed specifically to target the human element in an organisation, and no security solution is 100 percent effective.
How often do employees come across a link that doesn’t look quite right and click it anyway, out of curiosity and trusting that the antivirus or web-protection software will catch whatever is behind it?
Most of the time they will be protected, but why take the risk when there is no direct benefit? An employee’s actions should be regarded as another security layer, not as an extra layer of risk. This is why cybersecurity awareness is paramount.
So when I’m asked if staff cybersecurity awareness is a waste of time, my answer is always the same - not at all.
From where I stand, it looks like a sound investment that will benefit your organisation’s security just as much as your best solutions.
By Emmanuel Carabott - Security Research Manager, GFI Software