Companies can improve cybersecurity posture with better security training

The FBI reports that BECs cost organizations nearly $2.4 billion last year. Today’s columnist Ian Pratt of HP says that the best security programs combine endpoint technology, zero-trust principles, and strong security awareness programs. (Credit: Getty Images)

The FBI discovered that Business Email Compromises (BEC) last year cost organizations nearly $2.4 billion. Phishing and its variants were the most prolific type of cybercrime, with almost 324,000 reports. These phishing and BEC incidents have one thing in common: a focus on employees, the point at which corporate cybersecurity becomes most exposed.

Threat actors will continue to target users because they see them as the weakest link. But with the right communication and training, users can help improve an organization’s overall cybersecurity posture. As we move into the era of hybrid work, there is an increasing burden on employees to distinguish the legitimate from the malicious. As the attack surface expands and threats become more sophisticated, there is a risk that organizations will not provide the necessary security training and support for their employees.

Homeworkers under attack

Working from home has become the norm. However, it comes with additional risk. Our research shows that about half of IT decision makers had seen evidence of compromised personal devices being used to access company data in the past year. The bad guys have stepped up social engineering attacks to gain an advantage, with more than half (54%) of IT leaders reporting an increase in phishing.

In addressing these trends, we must inspire, educate and mobilize employees to understand the important role they play in defending the business. Yet research shows that many younger employees (ages 18-24) feel restricted by security policy and nearly a third (31%) have tried to get around it. To make matters worse, when the workforce switched to working from home, almost two-thirds of workers (64%) received no additional training on how to secure home networks.

This comes at a time when cybercriminals are working hard to find new ways to trick users. Attackers now use automation to include corporate logos and email signatures in phishing emails, making them look more realistic and harder to detect. A typical organization also works with many extended supply chain providers, making it more difficult for employees to remember which subcontractor their company is using for which task.

Domains used in attacks are often typosquatted (attackers register domain names that are a slight variation of a particular brand name) to make them appear more convincing. And the introduction of Internationalized Domain Names (IDNs) has opened up even more opportunities for deception: characters that at first glance look like the legitimate Latin letters are actually look-alikes from non-Latin scripts. That can make it relatively easy to register a very convincing phishing domain.

Then there are even more sophisticated techniques, such as thread hijacking. Here, users’ inboxes are taken over through phishing attacks, and threat actors use automation scripts to filter existing conversations in the victim’s email account to identify privileged users. From there, they can take a legitimate document, for example an Excel invoice or budget tracker, add malware to it, and resend it. They can also use this technique to target executives and sysadmins by replying to emails those people have sent, with malicious content attached to the reply.

A new approach to employee engagement

It is extremely challenging for a user to spot such a well-disguised phishing email, which is why security teams need a dual approach: comprehensive training along with state-of-the-art security hardware and software that can prevent, detect, and recover from attacks. A new look at employee engagement is required.

Start by opening two-way communication. IT needs to listen to users about their challenges, but also explain why certain training or security policies are needed. If employees understand why, it will help build a collaborative partnership and embed security in the DNA of an organization. Everyone will start to take responsibility, not just IT.

Comprehensive security education and awareness training programs are a must. First, teach employees what to look for and how to identify suspicious emails. Show them how to go beyond looking at the name of who sent an email and instead look at the domain name of the email address. Educate them on the structure of domain names and how to read them from right to left to identify inconsistencies. Also, teach staff how to spot typos in domain names and URLs.
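As an added illustration of the right-to-left domain check described above (this is example code, not from the column or from HP), the Python below classifies a From: address by reading the domain from the right, decoding IDN punycode, folding look-alike letters, and measuring closeness to an allowlist. The allowlist and the homoglyph table are constructed for the example; it also flags a trusted name buried in a subdomain, which goes slightly beyond the text.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: the domains the organisation and its vendors really send from (assumption).
TRUSTED_DOMAINS = {"example.com", "vendor-supplies.com"}

# Small illustrative table of Cyrillic letters that render like Latin ones;
# a production check would use the full Unicode confusables data.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def sender_domain(address: str) -> str:
    """Take the domain after the last '@' and decode punycode (xn--) labels to Unicode."""
    domain = address.rsplit("@", 1)[-1].strip(" >").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or not valid punycode: inspect as-is
        return domain


def registrable_domain(domain: str) -> str:
    """Read right to left: the last two labels are what was actually registered.
    (Simplification: ignores multi-label public suffixes such as .co.uk.)"""
    return ".".join(domain.split(".")[-2:])


def skeleton(domain: str) -> str:
    """Fold look-alike characters to Latin so a homoglyph domain compares equal to its target."""
    folded = unicodedata.normalize("NFKC", domain)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in folded)


def assess_sender(address: str) -> tuple[str, str]:
    """Classify a From: address as trusted, homoglyph, lookalike or unknown."""
    domain = sender_domain(address)
    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    if skeleton(reg) in TRUSTED_DOMAINS:
        return "homoglyph", reg        # renders like a trusted name but is a different domain
    for trusted in TRUSTED_DOMAINS:
        embedded = trusted in domain   # e.g. example.com.attacker-host.net
        close = SequenceMatcher(None, skeleton(reg), trusted).ratio() >= 0.85
        if embedded or close:
            return "lookalike", reg    # typosquat, or trusted name pushed into a subdomain
    return "unknown", reg
```

Anything other than "trusted" is a prompt for the user to pause and verify the sender through another channel, not a verdict on its own.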

But with thread hijacking on the rise, users should also be wary of content from trusted sources. When they receive an email from someone internal or from an external company they have been working with, they should consider whether it is a message they expected to receive. Is the email relevant in the context of the email chain? Are attachments opening blank or not appearing as expected? If so, then something could be wrong.

Phishing simulations used in training should also reflect this, using current campaigns and real-world social engineering techniques to show users why attacks are hard to detect. Training should also guide users on what to do after the click, explaining how and to whom to report incidents and that they should not be afraid to do so; of office workers who clicked or almost clicked on malicious content, 70% did not report it to IT. Without notifying IT, there is a much higher risk of damage.

Layered defenses

Organizations should provide third-party vendors with official corporate emails to make it easier for employees to tell if a vendor is legitimate or not. Combine this with the effective deployment of DMARC protocols to authenticate emails and fight against BEC.

Education must also work hand-in-hand with endpoint security. Thread hijacking techniques are often very difficult to detect even for well-trained users. And that’s why endpoint security technologies like microvirtualization can help. Based on the zero-trust principle of strong isolation, microvirtualization ensures that risky tasks, such as clicking links or opening malicious attachments, run on a disposable virtual machine separate from underlying systems. This traps attackers, ensuring that they cannot access sensitive data.

Like workplace health and safety, cybersecurity must function as a collective responsibility. Everyone has to do their part. This means providing up-to-date cybersecurity training and adopting layered endpoint defenses. In the era of hybrid work, nothing less will do.

Ian Pratt, Global Director of Security, HP
