The Importance of Internal Security Awareness Training Programmes

The InfoSec Consulting Series #24

By Jay Pope

Cybercrime is a now a daily occurrence and a comprehensive security training & awareness programme is vital to help protect your organisation from cyber-attacks. Whilst the most obvious threats to a business tend to be from external sources, countering insider threats is also a very important part of cybersecurity. According to the 2017 US cybercrime survey, roughly 50% of organisations experienced at least one incident per year that was categorised as a ‘malicious insider incident’. The types of possible threats from insiders include IP theft, sabotage, fraud, and espionage. Whilst those are deliberate acts, there is also a significant risk of unintentional cybersecurity incidents that can be the result of carelessness, lack of training, or ignorance.

Employees need to be aware that insider incidents can and do occur and may have severe consequences. Malicious insiders don’t fit a standard profile and their technical skills vary significantly. Countering insider threats is key to protecting your business.  Security may not always be a priority, especially among delivery focused R&D Staff who have targets and deadlines to meet and budgets to stick to. But if you point out that all their research data could be stolen by cybercriminals, they may well start to take cybersecurity more seriously.

In addition to hacktivists, competitors and blackmailers, vulnerabilities can be exploited by corporate espionage threat actors. The information obtained can be used for blackmail or can give insider knowledge in terms of finances including potential takeover/merger discussions. Espionage threat actors have used spear phishing, watering holes and malicious software downloads to mask the initial infection. Once inside the network, they can then use custom backdoor malware for exfiltration of data and lateral movement. Known and unknown vulnerabilities in popular software are also often exploited by corporate espionage threat actors.  There is also the threat from state actors working in behalf of government or politicians/political parties.

How Effective Is Security Awareness Training?

The effectiveness of security awareness training is something that is the subject of some debate among professionals. What is not open for debate is that keeping employees educated and up-to-date about cybersecurity is vital, given the sophistication and volatility of today’s threat landscape.

Employees are still the first line of defence when it comes to reducing risk and a well-trained, informed workforce is a great asset. The effectiveness of training programs can even vary by location, with those working at head office more likely to follow policies and security practices than those working remotely. Perhaps this is due to the proximity of the IT department? Enforcement is easier for companies with single premises than for larger organisations with many branches or offices.

According to research, IT employees are more likely to take part in risky behaviours than non-IT employees.  One of the primary types of social engineering, phishing, uses emails or malicious websites to obtain personal information by posing as an authentic and trustworthy organisation. The emails can be very convincing – with even experts often unable to spot a fake. Verizon reports that phishing was implicated in 25% of all data breaches. They also report that anti-phishing training programs result in a significantly positive return on investment; the average-performing program resulting in a 37-fold ROI.

The Best Way To Train

Employees may view security as a hindrance to their productivity, so it is important to try and show that it can actually boost productivity by reducing the likelihood of downtime. It is believed that a light-hearted, interactive learning environment is optimum for this type of training. Providing the training in small, digestible units, followed by testing and regular updates is also thought to boost effectiveness.

Awareness training should include how to identify external and insider threats, what to do when they suspect something suspicious and to whom to report such instances. On top of this, there should be clear guidelines in terms of best practices as to how best protect themselves and their organisation.

Tips to Mitigate the Risk of IP Theft/Corporate Espionage

• Training – phishing and general online security training should be provided to every employee. Best practices that should be followed include limiting online activity and not opening unsolicited attachments.
• Security/access permissions – to protect from malicious software downloads, employees should only have permissions to download applications from legitimate sites. Access restrictions should also be placed on any suppliers and third parties.
• Password control management – strong password security should be encouraged across the organisation, including ensuring that passwords are not reused or duplicated across accounts. Multi-factor authentication should be used where possible.
• Network isolation/segmentation – network isolation and segmentation should be used to mitigate risk.
• Patch control -patches should be applied as they are released to protect from known security vulnerabilities.

Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.