The last line of defense? Employees
Social engineering attacks remain the main entry point into organizations: ransomware attacks mostly start as phishing.
Witness one recent attack against casino and hotel company "MGM Resorts" which wiped out its entire Vmware ESXi infrastructure (cca 100 hypervisors):
the attackers first found an MGM Resorts employee on LinkedIn which they assume could have privileged access into the network. By impersonating the employee, they called the organization’s service desk and tricked them to obtain access to their account. By exploiting people and processes, rather than technology, they were able to take over the account and bypass multifactor authentication (Okta). Finally, with system administrator access they proceeded to deploy the ransomware attack.
Overall, the vast majority of breaches are caused by the human element: phishing techniques accounts for 3/4 of breaches - something consistently documented in the Verizon Data Breach Investigation Report. This underscores the importance of continuous security awareness training and phishing resistant multifactor authentication
Regulators are also catching up: the upcoming NIS2 directive explicitly names security awareness trainings as one of the key risk management measures to be mandatory implemented by organizations.
But it doesn't take regulations to understand that employees are the last line of defense against cyber attacks. Improving their resilience and ability to withstand tricky phishing attempts is therefore a crucial, and often neglected measure by many technology partners, system integrators, and managed service providers.
Yet to run effective security awareness trainings (SAT), there are some things to keep in mind:
The trainings must be continuous and repeating. You cannot run educations ex-cathedra once a year or once every few months. That is not enough in today's threat landscape. Trainings and education must rely much more on automation and software, to enable delivery at scale.
On the other hand, you cannot burden the employees with too frequent training sessions: they cannot be distracted all the time - after all, they are paid to do their daily job. Security awareness initiatives must therefore balance frequency and intrusiveness.
You also have to track on how employees are reacting to trainings, and how susceptible are they to phishing attempts. This means running internal phishing simulation campaigns to identify particularly vulnerable employees, and track the evolution of this vulnerability across time. Here automation is again key.
Are you considering SAT trainings as part of your service portfolio? Consider partnership with Proofpoint and offer services that address the human element in targeted attacks. Join the Proofpoint partner update in Zagreb on October 12th.
