This is a summary of an article written for Threatpost by Derek Manky, Chief, Security Insights & Global Threat Alliances, FortiGuard Labs. The entire article can be accessed here.
The average cost of a data breach in the U.S. now totals $3.9 million USD. Among the types of attacks that cause these breaches – and keep security professionals up at night – is ransomware, a threat that shows no signs of slowing down. When it comes to defending against ransomware, security tools are only as good as the team that manages them. Everything from configuration errors to solution sprawl can weaken the power of enterprise cybersecurity defenses to detect and prevent cyberattacks. The biggest problem, however, is the human factor.
Cybersecurity awareness has grown in recent months – up to 95% of employees now receive phishing training so they can learn to spot suspicious emails. This is important progress, as most breaches start with a phishing email followed by an unsuspecting employee who opens a malicious file or clicks on a bad link. Despite this training push, however, the number of employees that can tell the difference between a legitimate email and a malicious one remains frighteningly low.
There are two ways to look at this problem: employees are not taking cybersecurity seriously, or ransomware attacks are getting even more sophisticated. Both angles are correct.
The numbers do not lie: there are still far too many employees who never change their passwords, and two-thirds still do not use a password management tool.
Putting this into perspective, it is clear that cybersecurity awareness programs are not accomplishing their goal. Years of training people to identify phishing emails, avoid clicking on suspicious links, and follow best practices with their passwords have not panned out the way InfoSec professionals would have liked. People know they need to use complex passwords, and yet they still use obvious choices that hackers can easily guess, like their pet’s name or the year they graduated from college.
The problem is not awareness – it is rooted in human behavior. Safe password practices – using long passwords with non-sensical characters and numbers, for example – take extra effort to implement. When it comes down to it, employees have shown that, for whatever reason, the extra effort is not worth their time and energy. Clearly, awareness and action are two very different things.
On the other hand, who can blame them entirely? In the corporate setting, there is typically no easy way for employees to manage a multiplicity of complex passwords. If they choose to use a password management program, one which generates complex passwords, saves them, and enables single sign-on access to all their stored passwords, it is only because of their own initiative.
And in addition to targeting vulnerable passwords, attackers still rely on targeted ransomware phishing attacks. In addition to broad brush attacks that target everyone, emails are also being cleverly written to target specific types of individuals at an organization, either directly or through a new technique where they insert phishing emails in an active email thread to increase the likelihood of it being clicked on. This type of attack is known as spearfishing. And if the target is a member of the C-suite, it is called “whale phishing”.
One answer to the awareness-action gap is to draw employees in to make them feel like they are part of the security team. Helping them understand the repercussions of a security event and how it personally affects them is a good place to start. Seeing connections such as these – between safe cybersecurity practices and the positive impact they feel they are making when everyone is engaged and responsible – should lead to direct improvements in how people behave when they are confronted with suspicious cyber behavior.
Some InfoSec leaders use gamification to engage users, while others have enacted internal phishing campaigns to pinpoint employees who are not being careful. Either way, the key to improving an organization's risk profile is getting employees involved, one way or another, in accepting and fulfilling their security responsibilities. With training, the right tools, and support from top-tier company leaders, security teams can help everyone take cybersecurity seriously. .
Find out how Fortinet’s Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface from IoT to the edge, network core and to multi-clouds.