Being in the financial services sector, we hear the term 'security' a lot. We are required by regulators to have policies and practices in place to protect the data with which we are entrusted. The question we must ask ourselves is how to allocate the budget we have to defend ourselves against an adversary that has better resources and greater funds than we do. The US government spends billions of dollars on security, and we hear stories of its data breaches on a regular basis. If scammers can breach even their highest security level, how do we do it with budgets that are a fraction of theirs?
As a standard practice, we (should) already have hardened perimeters in place, layers of security to make the data harder to reach, and protection on the endpoints. However, our adversaries are getting around all of that by targeting the weakest link in the entire security chain. That link is our employees. The best security can be laid to waste by a single click on a cleverly crafted phishing email sent to an employee who is in a hurry or does not know what to look for before opening it.
Stay Up to Date with Training
It seems we don't allocate enough of the budget to the one thing that might help us the most: training and testing our employees to ensure the correct awareness and procedures are in place. Employees need to be better equipped to look at incoming emails and identify signs that a message may be something other than what it appears to be. Many companies offer services, and many technical articles on the web can be used, to provide this training.
Every Employee Is a Target
The important thing is that ALL employees be trained. Scammers are targeting executive-level staff as well as entry-level positions, making every employee vulnerable. This training can be in a formal setting like a 'lunch and learn' or be computer-based for employees who might be remote. The convenience of computer-based training is that you get immediate results on how well the employees comprehend the material. The key to a successful training program is to test the employees on what they have learned to ensure the transfer of knowledge has occurred.
Perform Post Cyber Security Training Checks
After a few rounds of training with employees, you should hire a security company to send out simulated phishing emails and gather the results to determine where more training might be needed. Ensure your security company uses various types of phishing emails during the tests.
Some of these might include:
- Executive emails to middle management with file attachments on budgets or expenses
- Sales Director to sales staff on potential new prospects
- Middle managers to staff on various housekeeping duties
The key is to truly test your employees; making it easy so you can show you fulfilled compliance requirements does not address the extent of the issue. If through testing you can determine that your employees can spot phishing emails, do not respond to them, and notify your IT or security departments as policies require, then you know your employees are well trained. A more realistic result, however, is that some employees will need additional training.
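The "gather the results to determine where more training might be needed" step above is where a simulation campaign pays off, so here is an added example of that analysis; it is not code from the original article or from any testing vendor. It works on constructed sample results (one record per employee per test message, with a made-up department, a scenario name matching the three pretext types listed above, and what the employee did), computes click and report rates per department and per scenario, and flags any group whose click rate is above, or report rate below, thresholds you choose. The thresholds and the scenario names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample output of a simulated phishing campaign (not real data).
# "action" is what the employee did with the test message:
#   clicked  - followed the link / opened the attachment
#   reported - forwarded it to IT/security as policy requires
#   ignored  - neither clicked nor reported
SAMPLE_RESULTS = [
    {"employee": "e01", "department": "finance", "scenario": "exec_budget_attachment", "action": "clicked"},
    {"employee": "e02", "department": "finance", "scenario": "exec_budget_attachment", "action": "reported"},
    {"employee": "e03", "department": "finance", "scenario": "housekeeping_notice",    "action": "reported"},
    {"employee": "e04", "department": "finance", "scenario": "housekeeping_notice",    "action": "ignored"},
    {"employee": "e05", "department": "sales",   "scenario": "sales_prospect_list",    "action": "clicked"},
    {"employee": "e06", "department": "sales",   "scenario": "sales_prospect_list",    "action": "clicked"},
    {"employee": "e07", "department": "sales",   "scenario": "housekeeping_notice",    "action": "ignored"},
    {"employee": "e08", "department": "sales",   "scenario": "exec_budget_attachment", "action": "reported"},
    {"employee": "e09", "department": "it",      "scenario": "housekeeping_notice",    "action": "reported"},
    {"employee": "e10", "department": "it",      "scenario": "exec_budget_attachment", "action": "reported"},
    {"employee": "e11", "department": "it",      "scenario": "sales_prospect_list",    "action": "reported"},
    {"employee": "e12", "department": "it",      "scenario": "housekeeping_notice",    "action": "ignored"},
]


def summarize(results, group_key):
    """Aggregate campaign records by `group_key` ("department" or "scenario").

    Returns {group: {"sent": n, "click_rate": x, "report_rate": y}} with rates
    rounded to two decimals. A group only exists if at least one message was
    sent to it, so the division below can never hit zero.
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for record in results:
        group = counts[record[group_key]]
        group["sent"] += 1
        if record["action"] == "clicked":
            group["clicked"] += 1
        elif record["action"] == "reported":
            group["reported"] += 1
    return {
        key: {
            "sent": c["sent"],
            "click_rate": round(c["clicked"] / c["sent"], 2),
            "report_rate": round(c["reported"] / c["sent"], 2),
        }
        for key, c in counts.items()
    }


def needs_more_training(summary, max_click_rate=0.10, min_report_rate=0.50):
    """Return the groups (sorted) that miss either target.

    The thresholds are assumed values for this example: a group is flagged when
    more than 10% clicked or fewer than half reported the test message.
    """
    return sorted(
        key
        for key, stats in summary.items()
        if stats["click_rate"] > max_click_rate or stats["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    for group_key in ("department", "scenario"):
        summary = summarize(SAMPLE_RESULTS, group_key)
        print(f"By {group_key}:")
        for key, stats in sorted(summary.items()):
            print(f"  {key:24} sent={stats['sent']:2}  click={stats['click_rate']:.2f}  report={stats['report_rate']:.2f}")
        print(f"  needs more training: {needs_more_training(summary)}")
```

Grouping by scenario as well as by department matters: a low overall click rate can hide one pretext (say, the budget attachment "from an executive") that most recipients still fall for, and a group that neither clicks nor reports is a gap too, since the notification step is part of what the policy requires.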
By having these types of programs in place, and continuously updating your employees on the various phishing attacks in circulation, you can target the weakest link and allocate your expenditures appropriately within the information security program, getting the most bang for your limited budget.