What comes to mind when you think about cybersecurity? You may be thinking next-gen anti-virus, next-gen firewalls, Security Information and Event Monitoring services, Security Operations Centers, encryption, spam protection, persistent threat monitoring, application whitelisting, DNS-layer protection, and robust backups. If you’ve implemented all of the above, you may think you have covered all your bases; you would be wrong. While all of these risk-mitigating solutions are high-level, technical, glamorous, and exciting, you may be forgetting about the roots of your organization: your users. Your users, your employees, your team, your family: they are at the root and are the primary targets. Your users are the weakest link in your information security chain!

Over time, anti-virus platforms realized that simply updating definitions within an ever-growing library wasn’t feasible as cybercrime became more and more prevalent and lucrative. Virus signatures quickly become stale because the viruses to be detected are constantly changed through means such as mutation (the attackers avoiding detection by constantly altering the malware). Eventually, security researchers turned to asking themselves the question “What is the root cause?”, which allowed them to develop and transform their approach to malware detection. For example, if you look at the root of all ransomware to find a common denominator, you will find that BEHAVIOR is what remains constant. Every iteration of ransomware in the wild has at least one thing in common: it encrypts files, and you can’t encrypt files without the BEHAVIOR of file encryption. In other words, in order for ransomware to encrypt files, it must take the action of encrypting files. This is a BEHAVIOR that simply can’t change. With behavior in mind, behavioral analysis methods were introduced and developed, and they now better serve the ability to detect and take action on malware. Thankfully, the power of behavior does not only apply to anti-virus.

If the weakest link in your information security chain is your users, how can we take the same approach that anti-virus platforms did, identifying behavior as the means to a robust solution? In the example of a phishing or social engineering attack, you can easily identify the undesired behavior of a user who falls victim. The behavior was the user clicking on a link, providing sensitive information, opening an attachment, replying, or following unauthorized instructions. We have identified the behavior; now we need to change it. Building a culture of security AWARENESS is key to changing the dangerous behavior of your users.

The solution is to implement a robust security and awareness training campaign that will teach your end users about red flags and how to mold them into being hyperaware when it comes to information security. This is important because it will serve to shape your users’ behaviors when interacting with emails and with information security in general, not to mention you’ll be able to check a couple more boxes on your cyber insurance applications/attestations, which may yield an accepted policy or even a better rate on said policy. You may be thinking that your advanced spam protection solution is protecting you from this attack vector or that your internal company policies protect you against other forms of social engineering. While it’s always recommended to have a solid mail protection solution in place, it will never catch 100% of phishing attempts and will never replace the effectiveness of having users who are aware and vigilant. Likewise, while a company policy is encouraged, it does nothing to affect a user’s behavior proactively or continuously when encountering social engineering tactics.

As part of the security and awareness training, you should also implement simulated phishing campaigns. Phishing simulation is effectively a means to put your security awareness training to the test. It allows you to identify users who may require additional training or a one-on-one conversation to help them blossom into a threat-identifying champion. According to KnowBe4’s 2022 Phishing by Industry Benchmarking Report, “…the human layer continues to be the most desirable attack vector for cybercriminals” while “…32.4% of untrained end users will fail a phishing test.” That’s just shy of one third of all users who require behavioral changes through security awareness training! Strengthen your information security chain by implementing this critical layer of cybersecurity.