Malware, drive-by, trojan, phishing, man-in-the-middle.. just some of the terms used every day through the media, by security professionals and vendors, and awareness campaigns across organisations. Educating staff about the dangers they face in and outside of work can help an organisation’s security posture, whilst helping staff understand why security controls are in place.
It is widely acknowledged and accepted that staff, and their behaviour, is an integral part of any security posture. Yes, companies have tools and processes, alerts and reports, specialists and service providers, but it only takes one member of staff to open the wrong attachment, or click an enticing link, and that previously unknown threat takes hold.
Yet awareness often falls short of helping staff understand how to protect themselves when venturing online for personal use. The result of course is that staff do not develop a natural habit of thinking about security before transacting online. This ultimately devalues any awareness campaign, reducing any improvement in corporate security posture over time as they revert to their previous behaviours.
For security awareness to improve security culture, you have to change the way in which people think about security, regardless of whether they are in work, at home, an internet cafe or on the beach. This means you have to make the awareness relevant to them as individuals, help them understand the threats associated with online transactions and help them develop their personal approach to online security.
Making Awareness Personal
A great place to start is personal email. Email is seen as the keys to the kingdom, from a hackers perspective, as it is where most if not all of your online services will converge.
Your bank will email you to tell you a statement is ready to be collected [I now know who you bank with]
Online services, such as eBay or Tesco, will email you about services or offers [I now know you are registered with those services from this email account]
Your financial adviser or lawyer will contact you about your policy or house sale [I can now masquerade as you and attempt to withdraw or redirect funds]
It’s where password reset links end up [I can now reset nearly all of your online passwords]
The majority of personal email systems can be accessed from anywhere in the world, that’s the beauty of them. I can receive and send emails from my email account whether I am at home, on a train, in Mexico or even on the tube in London. I can do this from my phone, personal laptop, a friend’s laptop, in an Internet cafe; but If I can do this, so can anyone else who knows my password.
The effectiveness of a password is defined by a number of elements:
Complexity: How easy is it to guess, is it a word, a date, your pets name, can I guess it using common phrases
Privacy: Have you shared it with someone else, written it down, is it used to access a joint account with a partner, child or friend
Reuse: Are you using the same password for online banking that you are for accessing a forum site about fidget spinners
Unless a security professional or security minded, most will not have considered the points above. Passwords will be easy to remember, maybe written down, or used across multiple sites with differing levels of security provided to protect that password, and your information.
One of the easiest ways to improve online security is with Two-Factor Authentication, or 2FA. 2FA is the process of providing two pieces of authentication information, something you know and something you have. For example, logging into your email with a username and password [something you know], then being sent a 6 digit code by SMS to your mobile [something you have] which you then enter to successfully log in.
NOTE: You can also use an app on your phone, known as a software token, to generate the code. This approach is often seen as being more secure than SMS. I won’t go into why in this article.
2FA helps to mitigate the risks associated with someone gaining access to your password, as even with that they need to have your second factor to gain access. These services have been around for many years, yet the uptake is incredibly low. At a conference this Wednesday, 17th January, a Google employee stated that less than 10 percent of Google users had implemented their 2FA service.
Often people claim usability as a reason they won’t activate this additional step. If implemented properly 2FA will be an additional step, requiring 6 to 8 more key presses and one more mouse click.
The alternative of course is financial impacts that could be significant. As businesses develop their understanding of online security they are also developing their understanding of individuals responsibilities to secure their personal email accounts. Financial institutes and legal firms will always look to see who is at fault before attempting to recover or redress financial losses.
Security awareness campaigns are most effective when they improve the security culture within your organisation, to do this they have to modify the behaviour of staff so that security is considered by default. This cannot be effective or sustained if the moment your staff leave the office they stop considering security.
Show your staff how they can improve their personal security. Educate them on the risks they face outside the office. Provide them with guides and FAQs that do not just cover your business environment. Give them the ability to ask questions about security, of knowledgeable people, whether work-related or not. You’ll soon see their engagement and understanding improve, and with that your security culture.
To talk about delivering an effective awareness campaign, relevant to your organisation and the threats you face, but also to those of your staff, helping drive and sustain cultural change, get in touch with us: info@icaconsultancy.co.uk
For a list of online services that provide 2FA options, and their methods, see: https://2fa.directory/gb/