What do Shakespearean tragedies and security issues have in common? Both are overwhelmingly the result of human error. Othello is one of Shakespeare's greatest plays, and Iago is one of literature's first social engineers.
The hubris of Othello and the cruelty of Iago transcend time and generation because human beings are flawed. If this is true, then regardless of how impenetrable they believe their hardware and software to be, CSOs and CISOs can only do so much to build barriers around their organizations. In the end, the security of their organizations is not contingent upon the strength of their hardware but is at the mercy of hackers and of end users.
Will they believe their corporations are impervious to threats because they’ve been lucky up until now, or will they continue to build the layers of defense that will help to minimize the risk of being compromised?
Amanda Berlin, network security engineer at Hurricane Labs, said that the greatest weakness for any organization, large or small, private or public, is people. “People in general want to make customers and employees happy, so they trust the person on the other end of the phone or sending the email,” Berlin said.
When looking at the threats that have made the security of corporations most vulnerable over the past few years, from social networking to social engineering, the common denominator is the end user.
“Employees continue to be the biggest risk [for corporations]. They are the most frequent cause of mistakes and have the biggest consequences,” said Marie White, President and CEO of Security Mentor.
As hackers become more sophisticated, the risks become greater that end users will fall victim to their scams.
“There are new risks in clouds. Phishing has been tied back to major data breaches, and it’s not just email. Social media phishers are getting much more sophisticated,” White said.
From password security to information sharing to other seemingly innocent acts that are making accounts vulnerable, “people are putting too much information out there, and it’s very easy to social engineer someone when you know a lot about them,” said Lesley Carhart, security incident response lead at Motorola Solutions.
Though hackers have somewhat shifted away from using social media as a means of infiltrating organizations, the cumulative data available on sites like LinkedIn makes gathering information easy for those with malicious intent.
Hackers don’t need to be savvy to search through online profiles. Carhart said, “they can scan through information and see what people have on their resumes, where they worked, what kind of firewalls that company has, what security teams people worked on. It’s easy to hack using open source.”
Whether the intent of the hacker is financial, political, or some other gain, “malware can be encrypted in a way that without backup can result in lost documents, lost resources, time, and money, which can affect companies in similar magnitudes [as a financial breach].”
During April's RSA Conference in San Francisco, Thom Langford explained that ‘plugging in’ and ‘clicking on’ still happen despite posters, warnings and an annual computer-based training (CBT) program, because human beings are entrenched in their behaviors.
“They know it’s bad to plug a random USB stick into their laptops, but they will still do it. It’s a habit,” Langford said. Marketing a corporation’s values and story will create a positive experience and engage end users, Langford said.
So how do corporations develop awareness programs that fit into both their organizations and their budgets? There is no panacea because everyone in the equation from the executives to housekeeping has different values.
Breach attacks are not a matter of behavior and habit so much as a question of what people value. Increasingly, end users value convenience over security.
“That's the trade-off some employees are willing to make: they value convenience over security, so they are choosing between security awareness vs. open source,” said Carhart.
A robber values your wallet, a point made only to prove that not everyone has good values—remember Iago, who valued deception over loyalty.
Organizations have to know what they are securing, and “the barrier of an awareness program comes from people knowing what’s going on. Employees are the first line of defense,” said Carhart.
Regardless of the size of their organization, companies employ Millennials to Baby Boomers and the generations in between. That’s a vast spectrum of people to educate, so “they have to evaluate the environment. Who are you securing?” Carhart said.
Once they know, they can be more innovative in building the layers of defense.
“The major rule of awareness programs is being creative and innovative,” Carhart said, “and the strongest security requires defense in depth, which includes humans, devices, and policies—the technical plus human control.”
As with all things in life, there is little chance of perfection, so it’s important that security teams manage their expectations.
“The expectation of 100% chance of success doesn’t exist anywhere else,” said White, who also talked about the need for defense in depth. Yes, strong hardware security is a part of protecting against breaches, but White added, “hardware and software can’t address the changing tides of hacker intelligence.”
Trying to reach everybody across all levels of expertise demands that employers “recognize and understand that people are coming from different places. Millennials expect engaging and interactive tools, which help training be much more effective for them, so it's about knowing what to put in their programs,” White said.
Companies need to assess what they are doing now with the understanding that a security breach either has or will happen, and assessing means taking an internal scan by asking: “What are their current issues? What are they doing now? Who can help them?” White suggested.
“Hackers are extremely knowledgeable, and if hackers choose to get in, they can. Many organizations need to do a lot with hardware and software and with how end users can mitigate what can happen. Anything they can do to minimize their risks.”
If attacks are imminent and no organization is impenetrable, then why should organizations devote time and resources to developing awareness programs at all?
Berlin explained that in a phishing experiment she ran, she got everyone from housekeeping to CEOs to IT staff to give up their passwords. Berlin said that in the security awareness program she put in place “over the last 10 months, which consisted of easy emails with plain text and Gmail addresses,” she had a more than 40% success rate when she asked for usernames and passwords.
“Six months later, that dropped down to zero results and emails received were reported and blocked within 10 minutes.”
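Berlin's numbers are the metrics an awareness program should actually be tracked on: what share of recipients hand over credentials, what share report the email, and how quickly the first report arrives (since that report is what lets the security team block the message for everyone else). The script below is an added example, not code from the article or from Hurricane Labs; it scores two constructed simulated-phishing campaigns, a baseline and a follow-up six months later, and the record layout and function names are assumptions.

```python
"""Score a simulated-phishing campaign: credential-submission rate, report
rate, time to first report, and submission rate per department.

Added example, not from the article or Hurricane Labs. All campaign records
are constructed sample data; the field and function names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Recipient:
    """One simulated phishing email delivered to one user."""
    department: str
    sent_at: datetime
    submitted_credentials: bool       # did they enter a username/password?
    reported_at: Optional[datetime]   # when they reported it, if at all


def campaign_metrics(recipients: list) -> dict:
    """Summarise a campaign. Rates are fractions of recipients; delays are in
    minutes from delivery. Empty campaigns yield zero rates and no delays."""
    total = len(recipients)
    submitted = sum(1 for r in recipients if r.submitted_credentials)
    reporters = [r for r in recipients if r.reported_at is not None]
    delays = [(r.reported_at - r.sent_at).total_seconds() / 60 for r in reporters]

    # Per-department breakdown: this is what tells you which groups need
    # different training material rather than one generic CBT module.
    by_dept = {}
    for r in recipients:
        d = by_dept.setdefault(r.department, {"sent": 0, "submitted": 0})
        d["sent"] += 1
        d["submitted"] += int(r.submitted_credentials)

    return {
        "sent": total,
        "submission_rate": round(submitted / total, 3) if total else 0.0,
        "report_rate": round(len(reporters) / total, 3) if total else 0.0,
        "first_report_minutes": round(min(delays), 1) if delays else None,
        "median_report_minutes": round(median(delays), 1) if delays else None,
        "submission_rate_by_department": {
            k: round(v["submitted"] / v["sent"], 3) for k, v in by_dept.items()
        },
    }


def reported_within(metrics: dict, minutes: float) -> bool:
    """True if at least one recipient reported the email within `minutes`,
    i.e. the response team had a chance to block it that quickly."""
    first = metrics["first_report_minutes"]
    return first is not None and first <= minutes


# Constructed sample data: a baseline campaign before training and a
# follow-up campaign 180 days later, ten recipients each.
T0 = datetime(2015, 6, 1, 9, 0)
BASELINE = [
    Recipient("housekeeping", T0, True, None),
    Recipient("housekeeping", T0, False, None),
    Recipient("executive", T0, True, None),
    Recipient("executive", T0, False, None),
    Recipient("it", T0, True, T0 + timedelta(hours=6)),   # reported, but late
    Recipient("it", T0, False, None),
    Recipient("finance", T0, True, None),
    Recipient("finance", T0, False, None),
    Recipient("finance", T0, False, None),
    Recipient("sales", T0, False, None),
]

T1 = T0 + timedelta(days=180)
FOLLOW_UP = [
    Recipient("housekeeping", T1, False, T1 + timedelta(minutes=9)),
    Recipient("housekeeping", T1, False, None),
    Recipient("executive", T1, False, T1 + timedelta(minutes=3)),
    Recipient("executive", T1, False, None),
    Recipient("it", T1, False, T1 + timedelta(minutes=4)),
    Recipient("it", T1, False, T1 + timedelta(minutes=7)),
    Recipient("finance", T1, False, None),
    Recipient("finance", T1, False, None),
    Recipient("finance", T1, False, None),
    Recipient("sales", T1, False, None),
]

if __name__ == "__main__":
    for name, campaign in (("baseline", BASELINE), ("follow-up", FOLLOW_UP)):
        m = campaign_metrics(campaign)
        print(name, m, "reported within 10 min:", reported_within(m, 10))
```

On the constructed data the baseline scores a 40% submission rate with a single report six hours after delivery, and the follow-up scores 0% submissions with the first report three minutes in, which is the shape of result Berlin describes. The per-department rates are the part worth keeping over time: a program that brings the overall rate to zero but leaves one group untouched is not finished.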
In designing an awareness plan, organizations should know that there is never a one-size-fits-all answer, nor does a good awareness program need to cost a lot of money.
“All of the principles stay the same,” said Berlin. “Teach users hands on what looks suspicious, give them the ability to report, have good spam filtering, good management, two-factor authentication, train users with something that will stick.”
While vendors are expensive, “an external pen test to prove what you're doing is successful is a good metric,” she added.
Zurkus is a freelance writer based in Massachusetts.