PITTSBURGH, PA--(Marketwired - July 13, 2016) - When it comes to security awareness and training, the primary focus is on managing end-user risk. And rightfully so, says Wombat Security, a leading provider of cybersecurity education products and programs, which notes that uneducated, unprepared end users are more likely to exhibit risky behaviors than those who have been trained to recognize and respond to threats like phishing emails, business email compromise (BEC), and ransomware attacks.
The problem, they say, is the employee population that some organizations target for end-user education. "We see a lot of organizations that take a top-down, organization-wide approach to security awareness training," said Amy Baker, Wombat's Vice President of Marketing. "Unfortunately, we also see organizations excluding certain people — like executives, high-level managers, or IT employees — from their programs."
Baker said it's not unusual for training managers to focus their efforts on "lower-level" employees, or on select departments rather than the entire organization. This approach effectively excuses certain departments and job roles from cybersecurity education, on the assumption that technical skills, organizational standing, or level of access make some employees impervious to social engineering attacks. Other times, groups are excluded simply because program managers don't feel comfortable suggesting to their peers and superiors that there are topics they don't know enough about.
But this is a risky proposition, Baker cautioned. "Cyber criminals are only too eager to exploit the upper rungs of the corporate ladder. We feel the assumptions, excuses, and exclusions that are happening within some organizations are contributing to the rash of successful business email compromise (BEC) attacks that have extracted W-2 data and/or caused significant losses due to wire transfer fraud," Baker said.
A notable feature of some of these attacks, she said, is that the compromise runs in the opposite direction from what organizations expect: instead of a junior employee exposing top-level people and systems, it is a senior staff member who hands over sensitive tax, healthcare, or employment data and creates major headaches for the entire organization.
Building a 'Culture of Security' Helps Reduce Risk, Wombat Says
"The customers we've seen have the most success — and the best results — with their security awareness training programs are those whose executives participate in cybersecurity initiatives and encourage their employees to do the same," said Baker.
A good example of this can be seen in Wombat's most recent case study, which showcases the results one of its utility customers is experiencing with its anti-phishing training efforts. (Since 2013, the utility has seen a more than 67% reduction in susceptibility to phishing attacks.) The program is delivered and discussed organization-wide, and the utility has established a security advocate program that boasts more than 700 members across a variety of job functions and roles.
Wombat feels the most important factor of the utility's program is that all employees participate — including those in high-level positions. In discussing the results with Wombat, the utility's security awareness training manager emphasized the value of executive buy-in, saying, "Our leaders really do support the cybersecurity team and this program. And that resonates with our employees, because they know if they are hearing it from the top, they need to take it seriously."
Baker says the top-level buy-in at the utility isn't just lip service. "The training manager and her team used the customization functions available within our ThreatSim® simulated phishing attacks to create a whaling campaign that specifically targeted executives and directors — with their approval," said Baker. "Those mock attacks showed how social engineers can use publicly available content (from Google searches and LinkedIn profiles, among other sources) to create highly personal and deceptive spear phishing emails."
The utility's training manager also spoke of the value of this BEC-like simulation, saying, "We thought and acted the way that attackers are thinking and acting every day. It was a valuable lesson for our executives to learn, and a very effective way for them to learn it."
Organizations Should Train Every Potential Target
"It's a simple fact that anyone within an organization can be a target, and there are any number of ways they can be victimized," says Baker. "Though entry-level and junior staff are a convenient excuse for bad behaviors, the access and authority granted to senior personnel mean that a higher-level breach can be far more costly to an organization, its customers, and its employees."
Wombat stresses that the rise of BEC attacks and their damaging ripple effects should not be ignored. They say that the assumption that certain employees "know better" while others don't must be abandoned, particularly by organizations that have not yet implemented an effective cybersecurity education program.
Want to learn more? Wombat CTO Trevor Hawthorn and Matt Ahrens, VP of Incident Response for The Crypsis Group, will host a joint webinar, "The Rise of Ransomware," on Thursday, July 14 from 1:00 to 2:00 p.m. EDT. Register to join the webinar in real time and/or to receive the recording following the event.