Why security awareness campaigns fail

Controlled phishing attacks have far more impact.

Research and general public opinion about security campaigns and why they fail puts the problem down to a lack of organisational buy-in. They suggest that the company strategy is wrong, the executives aren’t bought into it, business and security goals aren’t aligned, or that policies haven’t been effective…

These reasons make logical sense but don’t really capture the ‘human’ element. Security awareness campaigns fail because they do not connect with your employees. Simply put, no one thinks they will be that stupid. There is a false confidence that these types of attacks happen to other organisations or other people, and the people who do fall foul of social engineering attacks must be idiots. Mustn’t they? Society often portrays the victim of these types of crime as incompetent. My experience is that these people are teased by colleagues who underneath it all are just pleased it didn’t happen to them. The truth is, mistakes do happen, occasionally people don’t stop and think, but no one is infallible to the types of sophisticated attacks that are unfortunately becoming ever more common.

The customer service flaw

Your staff are well-trained and keen to be of service – this is inherent in the way that we, as businesses, want our staff to behave. To anticipate the customer’s needs before they even know they have them is an important skill that all customer-facing staff develop over years of service. Most large organisations survive not only on the strength of their products but also on the services they provide along with them. To question a customer is almost unheard of; after all the customer is always right, right? Good customer service is a high value commodity to your organisation but it can also be a foot-hold for a malicious attacker.

What is at stake?

Security awareness campaigns based around endless PowerPoint slides or posters up in the bathrooms and kitchen of your office are passive advertising. These are boring ideas that do little to capture the interest of your employees. The all-too-common attempts at applying humour to the scenario only succeed in downplaying the seriousness of what this kind of breach can really do to an organisation. The outright disruption it can cause and the amount of money that can be lost can be catastrophic. This is also before considering the psychological and cultural affect it can have on your business. After all, if an email is spoofed to look like it has come from an internal email account, suddenly communication is no longer sacred. The culture you have worked so hard to create is eroded, as when a house has been burgled, the inhabitants can feel violated and trust is broken.

The best way to avoid this kind of disruption is to prevent it. After all, we already know that security awareness campaigns are at best a sticky plaster and at worst just a means of dumbing down the individuals or using humour to demean the victims of such attacks.

Security unawareness

If you downloaded this article, did you check first to see what type of file it was that you were downloading? Is this something you always do? If you are in the security industry, I hope the answer is yes, of course! Now, how many of your co-workers, friends and family do you think check? Would they even know what the letters after the dot mean?

In order for Security Awareness to work, two key things need to happen:

• Education
  Education is not the same as paranoia, although a healthy touch of paranoia is vital. Employees should learn to question anything that requires them to follow a link or open an attachment. Simple things like the difference between HTTP and HTTPS in a browser should be common knowledge within your organisation. From a business perspective, phishing attacks should also be covered in Disaster Recovery or Business Continuity plans, which should also be made available to employees.
• Awareness/Training
  This may seem trivial, after all it’s already in the name but actually, raising awareness is not an easy thing to do. Additionally, the timing is crucial. A poster on the wall in the kitchen while I make myself a cup of tea will have disappeared from my mind by the time I am back at my desk, trawling through a barrage of emails all requiring my immediate attention. Awareness is pretty much at zero. I receive an email telling me my email log-in details are soon to expire, I click a link, enter in my details and think nothing of it when it errors. Little do I realise that I have just compromised my account – and if something does seem iffy, I am too embarrassed to say anything.

There are several key areas which need to be addressed under the umbrella of “Security Awareness Training”. Some, like clear desk and data handling policies, should be part of internal processes. Others, such as awareness of phishing attacks, are harder to educate people on as they are not necessarily thinking about the training they have been on, when they are reading through their emails. Timing is the issue in this instance. It is vital to incorporate security into your businesses working practices so that it becomes part of business as usual.

Security awareness – a cultural shift

Campaigns, like projects, by definition come to an end. Security Awareness should be integrated into the business so that it becomes part of business as usual rather than something that is registered and then forgotten about. The best way to educate people is to get them to think. The world of advertising has multimillion pound budgets and even then how many really stick with you? Businesses simply cannot afford the luxury of marketing the idea of phishing attacks: most do not have the budget for it, and the chances of it succeeding even in the short term are not very high.

It is widely known within the security industry that the human element is more often than not one of the weakest links. The mentality of upgrading to the latest version or applying a patch is a common and logical way to view problems – and the IT community is full of very logical and intelligent people. The human element or the softer side of IT security, however, can remain a bit of a mystery. In order for security to be a consideration, it needs to become part of the social norm within your organisation. There needs to be a culture that does not try to blame the individuals who make mistakes, but instead questions how the mistake happened and looks to provide controls and mechanisms to avoid a re-occurrence.

Learning from the past…

Understanding where your organisation is susceptible to the types of attacks is the first step. If your business records incidents, then this will be a good place to start. In learning from the past, you can begin to shape the future. If, for example, the majority of incidents surround viruses that have been installed onto your users’ machines, then a review of your anti-virus software or your standard build would be advised. It is also worth reviewing how these incidents occurred. Were they through emails sent to an employee who unwittingly downloaded a payload?

In the same way that you test your business’s internal response to business continuity, so you should look to test your employees’ reactions to phishing-style attacks. Phishing is an area where many businesses are susceptible to an attack, so controlled phishing attacks can be a great tool. They can not only highlight potential incidents (broken down by department or location) to the board, but they can also inform the individuals that clicked on the forged link that they were duped, creating greater sensitivity and security awareness around suspicious emails.

There are a number of approaches that, when combined, can dramatically cut your employees’ susceptibility to phishing attacks:

• Perform regular, controlled phishing attacks to maintain a heightened awareness of such dangers, thus reducing the likelihood of employees clicking suspicious links within emails. When performed regularly, such assessments train employees to be suspicious of all unexpected emails containing links to third-party websites.
• Perform targeted training after assessments. Based on the data from each controlled phishing attack, look to identify trends in susceptibility within the organisation. Use this data to target the most susceptible areas of the business with security training to maximise the effectiveness of your training budgets.
• Review the internal response after each assessment. Identify key areas of weakness that require improvement. Did the initial attack get spotted by the security team? If not, identify the reason for this and address it through the introduction/modification of policies and procedures, and investigate technical solutions to support the identification of attacks, such as the implementation of IDS, IPS or Email Monitoring Solutions.

Summary

Individuals who fall foul of social engineering attacks should not be considered as the exception or in any way unique; they were most likely just unlucky. For security awareness to be successful, it needs to be ingrained into the culture of your organisation. Without the appropriate context, the security messages from posters or presentations are lost. A blame-free culture should be fostered so that your employees can alert you if they feel that a mistake has been made. You can learn from your own mistakes – incidents can and should be recorded – and these can then provide you with an insight into the types of security issues facing your organisation.

Education and awareness of security, successfully adopted throughout your organisation, can have a measurably positive impact. From a return on investment perspective, controlled phishing attacks can see the number of employees susceptible to these attacks decrease by 25% or more per assessment. Most organisations should see overall susceptibility reduction of at least 90% after a year of quarterly controlled phishing assessments.