Implement Attack Awareness Training for All Employees
Begin with deep-dive training on how cyber-attacks work. Few employees, if any, actually understand the difference between a virus, worm, Trojan, exploit, vulnerability, phishing, smishing, drive by, malvertising, adware, spyware, and ransomware attacks. Educating employees about how cyber-attacks work builds awareness to the constant risk they face from cyber threat actors. If the training is done right, using real-world examples and hands-on scenarios, the likely results would be better educated employees and team building as well. Two benefits for the price of one.
Second, include training on the motivations and tactics attackers utilise and what they are likely to target. Most attackers are motivated by money and understand that gaining access to sensitive data is often like hitting the mother lode. Employees need to recognise the value of sensitive data and understand that it must be protected at all costs. One simple click is all that is needed to compromise a system, gain access, and move laterally in an organisation. Your click may have opened up the passageway for entry into your network. Employees are often the catalyst that results in a data breach.
Implement a No-Punishment Policy
Many cyber-attacks go unnoticed because employees are less than motivated to report suspicious activity on their computers, accounts, and data. Often an employee clicks, something strange happens on their computer, and they’re afraid to report it due to a host of different reasons. Fear of feeling imprudent, the backlash of public ridicule, the violation of Internet usage policies, and other negative outcomes thwarts the sharing of important intelligence. Institute policies that actually reward employees for coming forward, reporting questionable activity, grabbing screen shots, and sharing the steps that were taken during a suspected hack. This valuable intelligence will help security and forensics teams in their investigations, as well as limit the potential damage of the hack.
Monitoring Your Results
Monitoring employees does not often provide the intended result. People try to enforce policies, but they end up looking like the computer police. No one likes to be monitored while online. Instead, set up a test “attack process” with different scenarios. Phish your own employees to see if they’ll click. Tell them ahead of time to expect an attack, and remedial training will be required if they fall for one. If they don’t fall for it, and report the attempt appropriately, publicly reward them for being prudent. Soon you will have employees that are part of the solution, and no longer part of the problem.
About the Author:
Stephen Gates is a key research intelligence analyst with NSFOCUS IBD. He has been instrumental in solving the DDoS problem for service providers, hosting providers, and enterprises in North America and abroad. Steve has more than 25 years of computer networking and security experience with an extensive background in the deployment and implementation of next-generation security solutions. Steve is a recognised Subject Matter Expert on DDoS attack tools and methodologies, including next-generation defence approaches.