With phishing continuing to plague businesses, James Mason, service security manager at Fordway, found an innovative way to battle back that gave the power to the employee.
Phishing scams have been around for years, and for a very good reason: people continue to fall for them, particularly in tax season. The National Cyber Security Centre has also pointed out that criminals take advantage of data breaches, so customers of an organization that has suffered a breach are likely to be targeted with phishing emails purporting to be about the breach, regardless of whether their details have actually been compromised.
The most effective way to prevent this is to educate people about what to look for and what to avoid, which means understanding why they fall for phishing messages in the first place. Social media provides many opportunities for phishing, and experts say there is a trusting culture there, so people do not treat links on Twitter with as much caution as those in emails. Researchers recently claimed that a new automated spear-phishing framework had a success rate of between 30% and 66%.
Individuals also give out too much information on social media which can then be used against them. The ultimate example is a sanctioned penetration test reported at a 2015 conference, where security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defenses of a US government agency with high cybersecurity awareness. This demonstrates that social engineering attacks can be effective against even the most technically sophisticated organizations.
Effective user education will help your staff to avoid falling for these attacks. This means training everyone in your organization, including senior management, about the different types of threats and how to prevent them. You should make sure that they know exactly what to do and who to contact should the worst happen. It is vital that they feel able to ask for help if they think they may have mistakenly clicked on something malicious, rather than burying their heads in the sand and hoping for the best.
One effective policy we have implemented as part of our user education is to have security champions in all departments. Security champions are usually volunteers with an interest in security. The aim is to have at least one security champion per department who is happy to represent their department and to share knowledge between the security champions and their team members. The specialist skills of these staff, ranging from technical to marketing and managerial, can also be put to use.
At Fordway, I founded the security champion initiative and initially approached the senior management team, and then line managers, to gain acceptance. With this obtained, I got approval for the time commitment required and asked for volunteers. One key advantage of using volunteers is that they genuinely have an interest in security and do not see it as something that the company has imposed on them.
Best security practice is based on all staff taking an interest in, and responsibility for, protecting data and systems. Having security champions helps to build that across each department and team. It ensures that security is embedded in day-to-day activities and reminds everyone of their personal security responsibilities, while sharing knowledge and best practice and providing a channel for feedback that is often incorporated into the information security strategy and, at times, the ISMS risk register.
In my experience, it can unleash previously hidden knowledge and assist in prioritizing security activities using facts from staff across the organization, helping to ensure a holistic approach to security. A number of champions also like the fact that they have a say on security and what should be prioritized, so that company priorities are based on collective facts from staff across the company.
The security champions initiative has been in place for a few months now and has provided some excellent feedback on security matters. Ideas and suggestions have been added to the Service Security Action Log, project engagements and/or ISMS risk register, as appropriate, to ensure that they are implemented and tracked.