Gone phishing: what’s the best way to educate staff on security?

By Dr. Guy Bunker @guybunker


How do you work out the weakest link in your team? Who is that employee most likely to fall prey to the socially engineered scams that are making billions of pounds for cyber criminals on the black market?

These are pertinent questions in the aftermath of the recent Kaspersky Lab report, which revealed that more than 100 banks, financial institutions and e-payment systems in over 30 countries had been targeted by phishing attacks. The attacks infected bank employees' computers with malware, allowing the perpetrators to jump into internal networks and inflate account balances before pocketing the extra funds.

One novel approach to addressing this risk, reported last week, is being taken by social media giant Twitter, which is giving its workers a pop quiz: it tests security by sending fake phishing emails to see who takes the bait.

The approach has some obvious benefits, particularly around staff education and awareness of the vital role employees must play in keeping critical information secure inside their organization. However, it sometimes backfires and is then seen as ‘the management’ trying to catch out the employees, with various ramifications that can ensue. When quizzed, most employees are found to be overly confident in their ability to spot a scam; so much so that simple good-practice advice won’t have much impact on them. It’s for this reason that a more real-world approach is needed, one which mimics social engineering attacks. From a social engineering perspective, this doesn’t just have to cover phishing emails, but can also look at some of the physical aspects, from shoulder surfing and tailgating through to ‘infiltrating’ the cleaning team and plugging in USB keyboard loggers to see if anyone notices.

There are a number of companies that offer phishing exercises and ‘physical’ penetration testing, but how do you communicate to staff about critical information and its protection in a practical and pragmatic manner? Given that most information breaches are inadvertent, it really needs a softer approach. The answer lies in technology (once more), where the solution not only prevents the information from leaking out, but also provides feedback to the sender that they have violated policy. Our content-aware adaptive DLP suite can do just this. The policy can be set to send automated notifications to the user who would have leaked critical information, telling them that (a) the information is safe and (b) they should change their practices. Of course, while it is useful for the individual to know, there also need to be some other checks, and so the policy can also be used to inform their manager, or someone else, for example HR, who can then look across the organization to see if there is a need for an education or awareness campaign.
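To make the feedback loop concrete, here is a small added example in Python; it is illustration written for this page, not the author's DLP suite or any vendor's code. It models an outbound mail check with two constructed rules (a Luhn-validated payment-card pattern and a classification marker), blocks matching mail leaving the organisation, generates the two notifications the paragraph describes (to the sender and to their manager), and keeps a per-department tally so that HR can see where an awareness campaign is warranted. The domain, directory, addresses, rule set and message bodies are all constructed for the example.

```python
import re
from collections import Counter

# ---- constructed policy --------------------------------------------------
def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# (rule name, pattern, optional validator applied to the matched text)
RULES = [
    ("payment-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda text: luhn_ok(re.sub(r"[ -]", "", text))),
    ("classification-marker",
     re.compile(r"\b(?:INTERNAL ONLY|CONFIDENTIAL)\b", re.IGNORECASE), None),
]

INTERNAL_DOMAIN = "example.com"   # constructed; mail staying inside is not checked

# Constructed staff directory: manager and department per sender.
DIRECTORY = {
    "alice@example.com": {"manager": "mgr-ops@example.com", "dept": "operations"},
    "bob@example.com": {"manager": "mgr-fin@example.com", "dept": "finance"},
}

def find_violations(body: str) -> list:
    """Return the name of every rule the body trips (one entry per hit)."""
    hits = []
    for name, pattern, validator in RULES:
        for match in pattern.finditer(body):
            if validator is None or validator(match.group(0)):
                hits.append(name)
    return hits

def evaluate_outbound(message: dict, directory: dict = DIRECTORY) -> dict:
    """Block a message that would carry critical information outside the
    organisation, and build the feedback: a note to the sender first, then
    one to the sender's manager when the directory knows who that is."""
    leaves_org = any(not r.endswith("@" + INTERNAL_DOMAIN) for r in message["to"])
    violations = find_violations(message["body"]) if leaves_org else []
    if not violations:
        return {"action": "allow", "violations": [], "notifications": []}
    sender = message["from"]
    kinds = ", ".join(sorted(set(violations)))
    notifications = [{
        "to": sender,
        "text": (f"Your message '{message['subject']}' was not sent because it "
                 f"contained {kinds}. The information is safe; please review "
                 f"how this kind of data is shared outside the organisation."),
    }]
    manager = directory.get(sender, {}).get("manager")
    if manager:
        notifications.append({
            "to": manager,
            "text": f"{sender} tried to send {kinds} externally; the message was blocked.",
        })
    return {"action": "block", "violations": violations, "notifications": notifications}

class AwarenessLedger:
    """Per-department count of blocked messages, the view HR would look across."""
    def __init__(self):
        self.by_dept = Counter()

    def record(self, sender: str, decision: dict, directory: dict = DIRECTORY) -> None:
        if decision["action"] == "block":
            self.by_dept[directory.get(sender, {}).get("dept", "unknown")] += 1

    def departments_needing_campaign(self, threshold: int = 2) -> list:
        return sorted(d for d, n in self.by_dept.items() if n >= threshold)

# ---- constructed sample traffic -------------------------------------------
SAMPLE_MESSAGES = [
    {"from": "alice@example.com", "to": ["partner@supplier.example.org"],
     "subject": "Card details", "body": "Use card 4111 1111 1111 1111 for the order."},
    {"from": "alice@example.com", "to": ["partner@supplier.example.org"],
     "subject": "Roadmap", "body": "CONFIDENTIAL: attached is the Q3 plan."},
    {"from": "bob@example.com", "to": ["partner@supplier.example.org"],
     "subject": "Order ref", "body": "Reference 1234 5678 9012 3456 as agreed."},  # fails Luhn
    {"from": "bob@example.com", "to": ["carol@example.com"],
     "subject": "Card details", "body": "Card 4111 1111 1111 1111 stays internal."},
]

def run_demo(messages: list = SAMPLE_MESSAGES, threshold: int = 2) -> dict:
    """Run the policy over the sample traffic and report which departments
    have crossed the awareness-campaign threshold."""
    ledger = AwarenessLedger()
    decisions = []
    for msg in messages:
        decision = evaluate_outbound(msg)
        ledger.record(msg["from"], decision)
        decisions.append(decision["action"])
    return {"decisions": decisions,
            "campaign": ledger.departments_needing_campaign(threshold)}

if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the paragraph's argument: the sender notification leads with the fact that nothing was leaked, so the message reads as reassurance plus a nudge rather than a reprimand, and the department tally deliberately records only blocked messages, so the HR view answers the question the post asks (is a campaign needed?) without building a dossier on individuals.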

Combining educational reinforcement (aka feedback!) with a robust technological safety net keeps the business safe without the somewhat sneaky, even underhanded, approach of trying to catch your staff out, a tactic that could leave some staff members feeling they have been conned or made to look stupid, even if they recognise their mistakes.

“If it ain’t broke, don’t fix it”, but if it is broken then regular, friendly and informative nudges in the right direction are often a better option than one short sharp shock.