User Education & Awareness
Academic year: 2022

Users are at the centre of the vast majority of successful cyber-attacks and

User Education & Awareness

Introduction: Exploiting Weaknesses Among Your Users

At the centre of the vast majority of successful cyber-attacks is a user: someone who, either knowingly or inadvertently, gives a would-be attacker a foothold within your organisation, opening the door for a compromise to occur.

Users therefore have a critical role to play in your organisation’s security.

It’s essential that your security policy and technologies enable your users to carry out their jobs effectively, whilst contributing to a secure environment. This can be supported by a regular, concise and engaging security awareness programme, delivering security knowledge and engendering a security conscious culture within your organisation.

A Wolf In Sheep’s Clothing

Unsurprisingly, the most common way in which users are exploited by cyber criminals is through social engineering, delivered by email.

This method involves a cyber attacker constructing a fake email which is sent to a user to lure them into performing an action. When the user performs the action, a foothold is created for the attacker. Actions include opening an email attachment that contains malicious code (‘file-based’ attack), or clicking on a link to a malicious website (‘file-less’ attack).

In our cloud-based world in which e-commerce retailers and online banks offer frictionless user experience to increase conversion and task completion, it now feels completely natural to users to click on links and be directed to web browsers, where they are then required to enter credentials.

It is therefore becoming increasingly challenging to combat ‘file-less’ attacks, which prey on users’ sense of ‘normal’ by mimicking a common, second-nature process which involves little user thought.

Technology: Achieving A False Sense Of Security

Many organisations invest heavily in several security technologies, such as anti-virus and gateways, to help protect them against attacks by cyber criminals.

These tools undoubtedly do a lot to help protect organisations from known malicious artefacts, email addresses and websites, but the exponential rate of development by attackers of ever more sophisticated and targeted attacks, makes full detection difficult and sometimes impossible.

With nearly 60% of all global email traffic being made up of spam or malicious email, it is no wonder that some slip through the net of these technologies. In the SANS 2017 Threat Landscape survey, 74% of the reported cyber-threats which compromised systems were delivered by an e-mail attachment or link.

Technology, even with improvements engendered by advancements in AI and machine learning, can only defend against threats which are known or follow a recognisable pattern or trend, but the threat environment is dynamic and rapidly shifting, with security technology fighting a constant battle to keep up.

So a key component of defence against cyber-attacks is having a cyber aware organisation. This means achieving organisational vigilance, by preparing people for attacks and how to recognise them. Your users could become the best detection tool your organisation has against real threats.

A Flawed Education

The stale approach of providing security education for new employees at a time when they are overwhelmed with a deluge of information, supported only by a tedious annual ‘refresher’, is widely understood to be unsuccessful and frustrating for employees. The fact that users continue to click on links, enter credentials and open malicious attachments is testament to the ineffectiveness of this approach.

That said, a robust security awareness briefing is important and enables expectation setting from the outset, particularly in relation to user responsibilities.

A Fresh Look At User Education & Awareness

Nearly all organisations are investing in user security education and awareness. But almost 60% acknowledge that they need to do more.

We must be more creative in our approach to providing cyber security education, and it makes sense to actively test the success of any education programme to measure the ongoing effectiveness of the content and delivery methods.

The best approach to delivering cyber security education is by providing sharp, focused and relevant information to your users.

The content must be delivered at regular intervals to maintain interest, embedding cyber awareness so it becomes habitual for your employees, not just in the workplace, but also at home. The information must be understandable, actionable and easily digestible to ensure your users:

• Have the information to recognise suspicious or unusual behaviour
• Recognise their professional and legal responsibilities
• Know how to react to a range of cyber situations

The Littlefish User Security Education and Awareness service provides this content directly to your end users on a monthly basis, using engaging design and content to help bring the real threats to life.

The content can be adapted to focus on industry-specific threats or align with internal security policies if required. It supports the guidance from NCSC on using education and awareness as part of their ‘10 Steps To Cyber Security’, particularly in relation to maintaining and monitoring an awareness programme for employees.

Regular tests of samples of users are conducted to test the effectiveness of the content and delivery methods.

Since phishing is the number one cause of security breaches (Webroot threat trends report 2017), this is the primary focus of regular user testing through fake emails that are designed to encourage the user into performing various actions mirroring the methods of real cyber attackers.

Users who are tricked into performing an action are redirected to additional education material. This material includes short, easily digestible videos, which help them learn the concepts that would have helped them avoid a successful compromise had the email been a genuine cyber-attack.

Measuring Improvement

This experience is easily measurable both in terms of employees falling foul of the fake phishing emails, and their responses to the educational material through a series of questions.

It also allows improved targeting of future security awareness material, focused on either specific areas of your organisation that are particularly susceptible, or on specific types of phishing attack that have recently proven to be more effective.
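As an added illustration of the measurement described above (example code written for this page, not part of the Littlefish service), the block below takes constructed results from one simulated-phishing round, computes click and credential-entry rates per department and per lure type, averages the follow-up quiz scores, and picks the department and lure type the next round of material should focus on. All users, departments and lure names are hypothetical.

```python
from collections import defaultdict

# Constructed sample results from one simulated-phishing round (hypothetical
# users, departments and lure types; not real campaign data). Per recipient:
# clicked = followed the link, credentials = went on to enter credentials on
# the training landing page, quiz = score on the follow-up questions (None
# when the user was never redirected to the educational material).
RESULTS = [
    {"user": "u01", "dept": "Finance", "lure": "invoice", "clicked": True, "credentials": True, "quiz": 0.5},
    {"user": "u02", "dept": "Finance", "lure": "invoice", "clicked": True, "credentials": False, "quiz": 0.75},
    {"user": "u03", "dept": "Finance", "lure": "password-reset", "clicked": False, "credentials": False, "quiz": None},
    {"user": "u04", "dept": "Finance", "lure": "password-reset", "clicked": True, "credentials": True, "quiz": 0.5},
    {"user": "u05", "dept": "HR", "lure": "invoice", "clicked": False, "credentials": False, "quiz": None},
    {"user": "u06", "dept": "HR", "lure": "password-reset", "clicked": True, "credentials": True, "quiz": 1.0},
    {"user": "u07", "dept": "Engineering", "lure": "invoice", "clicked": False, "credentials": False, "quiz": None},
    {"user": "u08", "dept": "Engineering", "lure": "password-reset", "clicked": True, "credentials": False, "quiz": 0.25},
    {"user": "u09", "dept": "Engineering", "lure": "password-reset", "clicked": False, "credentials": False, "quiz": None},
]


def failure_rate(records, group_by, outcome="clicked"):
    """Fraction of recipients in each group (dept or lure) who performed `outcome`."""
    sent, failed = defaultdict(int), defaultdict(int)
    for r in records:
        sent[r[group_by]] += 1
        failed[r[group_by]] += int(r[outcome])
    return {g: failed[g] / sent[g] for g in sent}


def most_susceptible(records, group_by, outcome="clicked"):
    """Group with the highest failure rate: where the next material should be aimed."""
    rates = failure_rate(records, group_by, outcome)
    return max(rates, key=rates.get)


def mean_quiz_score(records):
    """Average score of the users who were redirected to the educational material."""
    scores = [r["quiz"] for r in records if r["quiz"] is not None]
    return sum(scores) / len(scores) if scores else None


def campaign_summary(records):
    """The figures the programme tracks, plus the targets for the next round."""
    return {
        "click_rate_by_dept": failure_rate(records, "dept"),
        "credential_rate_by_lure": failure_rate(records, "lure", "credentials"),
        "mean_quiz_score": mean_quiz_score(records),
        "focus_dept": most_susceptible(records, "dept"),
        "focus_lure": most_susceptible(records, "lure", "credentials"),
        "needs_follow_up": sorted(r["user"] for r in records if r["credentials"]),
    }


if __name__ == "__main__":
    for key, value in campaign_summary(RESULTS).items():
        print(f"{key}: {value}")
```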

As a holistic service, this provides a managed, ongoing awareness programme that equips your employees with the knowledge they need to make them the most effective threat detection tool your organisation has.

About The Author

Littlefish Head of Cyber Security Katy Hinchcliffe is a highly regarded cyber security leader. With over a decade’s experience delivering a broad range of cyber security services to enterprise clients for global IT outsourcer Capgemini, notably managing the prevent, detect and respond functions on behalf of Rolls-Royce, Katy is now responsible for developing Littlefish’s Cyber Security practice.

Contact us to learn more about transforming your users into an effective threat warning system:

Littlefish Cyber Security Services

Price House, 37 Stoney Street, Nottingham, NG1 1LS T: 0115 941 5111

E: [email protected]
