Since humans are the number one target for cyber attacks, organizations need to implement strategies that teach users how to identify and avoid risks. Security awareness may well be the most important role of cybersecurity teams.
That was the message delivered by Theresa Frommel, acting deputy CISO for the State of Missouri, at a breakout session of the (ISC)2’s Congress 2018, taking place this week in New Orleans. Repeating a suggestion from an attendee at her session, Frommel said it makes sense that users need to be “patched,” much like software systems have to be patched regularly to remove security vulnerabilities.
Humans are the primary target for several reasons, including thinking too fast, which causes us to make mistakes such as clicking on infected URLs and attachments. In many cases, if users looked at URLs or attachments more closely, they might decide not to click. Users also fall for phishing schemes when receiving emails that appear to come from a known sender but are fake. Thinking more slowly, in a more rational, logical and methodical way, helps avoid these traps.
About 90% of successful attacks start with phishing. Frommel said she didn’t believe that statistic when she first came across it, but after doing some research, realized it is true. “I was wrong,” she said.
Phishing is a growing problem, with new threats and phishing websites popping up daily. The number of detected phishes increased 46% during the first quarter of 2018, while phishing websites jumped from 60,000 in January to 113,000 in March. “The number of websites we are finding now is significantly increasing everyday. Where we used to get two or three sites, we might get 25.”
These statistics underline the acute need to address human behavior. “How do we mitigate human risk? We have to make our users another security control, not another security problem. We can change human behavior. Phishing is no different than any other swindle.” If children can be taught about stranger danger, and adults about con schemes, computer users can learn to avoid phishing, she said.
Ongoing, interactive awareness programs are the most effective way to address phishing and other threats targeting users, Frommel said. Her agency has implemented a program for 40,000 state workers that has produced positive results. Results are closely tracked to determine how effective the program is, and the educational content is refreshed periodically so it doesn’t become stale.
Users are tested every four to six weeks with phishing assessments, often with simulated phishes copied from real ones caught by the state’s malware filters. Frommel’s department also deploys monthly lessons lasting 10 to 15 minutes each with interactive components to ensure users aren’t ignoring them. Longer lessons aren’t as effective.
Frommel said the program’s results show that humans can be trained to avoid cybersecurity pitfalls, so long as you use the right approach to awareness raising.