By Joshua Foltz
One morning while enjoying my coffee I get a call from our CEO.
“Have you spoken with Joseph?” (not his real name)
“No, why? What is going on?” I replied.
“I think he got hacked or something.”
So, I reach out to Joseph, who had no idea anything was wrong. I let him know I just got a call from our CEO.
“Oh, I wonder if there is something wrong with the gift cards I sent him.”
“Oh no… what gift cards?” I asked, beginning to realize what had happened.
Joseph began to explain to me how the CEO was very busy and had asked him to go buy some iTunes gift cards for him. Once purchased, Joseph was to scratch off the secret code, take a picture of each card and send it back to the CEO at his Gmail address. Joseph, being the overachiever that he was, had spent the day before driving around town to different stores to collect enough gift cards to meet the request: 25 in total. He then dutifully took pictures of each card, organized them and sent them off.
Joseph had fallen prey to a spear phishing attack because he was conned into believing he was interacting with the CEO… not an attacker halfway around the world.
Unfortunately, this is not an uncommon story. It is well known in the hacker community that the human element, your employees and your clients’ employees, is often the weakest security link defending any organization. These con artists use manipulation, also known as social engineering, to trick users into handing over valuable data that they intend to use maliciously.
Most employees want to be secure; however, they are also trained to be polite and helpful. Great employees will even go out of their way when they hear that there is urgency and that they are needed. Employees will also react when they think they are in trouble or have done something wrong. Hackers use these psychological truths to manipulate employees into giving up information and performing actions that result in a compromise and/or a loss of one form or another.
What can be done? Here are a few very simple things you can do to educate these folks and help them make wise decisions.
- Plan – Your security awareness program should not be ad hoc or flown by the seat of the pants. Consider the risks in your business and focus on the critical items, ensuring relevant security topics are covered thoroughly. You should have one to three main topics that are conveyed in every security communication. Think hard about these; ours are:
  - Always be suspicious
  - If something is weird, call security
  - Security is your responsibility
- Security Awareness Training – Training should cover the basics of security and can be as simple as a few slides recorded on a webinar platform that employees watch at hire and annually. I highly recommend that this training be interactive, engaging and relevant to the company… otherwise viewers will tune out. This training is foundational and is likely required by some regulation to which you are subject.
- Loop Employees In – Let your employees see actual attacks. At opportune times, send out a company email showing a recent phishing attempt, describing a phone scam that was received, or showing screenshots of compromised software and websites. These emails make the threat real and actionable. Employees may have just received one of these themselves, which aids the learning process. Make these emails short and sweet; lengthy emails will keep users from opening them in the future. Give all the good data up front, make important topics stand out with bold or italics, and include pictures.
- Constant Contact – Most business books will state that employees as a whole do not respond until the 7th contact. Consider taking your two-hour security training and breaking it into 15-minute chunks that can be spread out over the year. Or create a topical security update every six weeks to keep users thinking and learning about security all year long.
- Vary Platforms – Some users will read and appreciate emails; some will simply toss them away. Consider “potty posters,” screen savers, posters around the office, Instant Message platforms, Office screens, etc. There is no shortage of ways to communicate.
- Targeted Training – Provide different training for engineers than you do for sales or marketing. The attacks that are effective on these groups are targeted and unique, so ensure they know what they need to know for their specific role. Consider the risks associated with these departments and make sure the appropriate threat vectors are covered.
- Gamify – Test employees. Reward them. Make security fun instead of a chore. Who knows, they may even enjoy this training. There are a large number of platforms out there you could use to run a simulated phishing attack against your own staff. Consider rewarding the winning team with lunch, or a set of black belts for being security ninjas, at the next company meeting. Get creative and have fun!
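The con in the story has a recognizable shape on the wire: an executive’s display name on a free webmail address (or a legitimate-looking From with an external Reply-To), a note of urgency, and a request for gift cards. What follows is an added example, not code from the original post, of a small mail-triage check a security team could run over inbound messages to surface candidates for the “Loop Employees In” emails and to catch the next Joseph before he drives to the store. The executive roster, the internal domain, the scoring weights and the three sample messages are all constructed for illustration.

```python
"""Score inbound email for executive impersonation of the gift-card kind.

Added example, not the original post's code. The roster, domains, weights
and sample messages below are constructed; tune them to your environment.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed inputs: executive display names mapped to their real addresses,
# and the mail domains your organization actually sends from.
EXECUTIVES = {"pat smith": "pat.smith@example.com"}   # constructed
INTERNAL_DOMAINS = {"example.com"}                     # constructed

# Phrases that recur in the urgency / gift-card con described above.
RISKY_PHRASES = [
    r"\bgift ?cards?\b", r"\bitunes\b", r"\bscratch", r"\burgent(ly)?\b",
    r"\bbusy\b", r"\bright away\b", r"\bkeep (this|it) (between us|confidential)\b",
    r"\bdon'?t (call|tell)\b", r"\b(picture|photo)s?\b",
]
MAX_PHRASE_POINTS = 3   # cap so wording alone cannot flag a message
FLAG_THRESHOLD = 5      # impersonation or reply-to swap (+phrase) trips it


def _normalize(name):
    """Lower-case and collapse whitespace so roster lookup is tolerant."""
    return re.sub(r"\s+", " ", name.strip().strip('"')).lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message string."""
    msg = Parser(policy=policy.default).parsestr(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" +
            (body.get_content() if body else "")).lower()
    score, reasons = 0, []

    # 1. Executive's display name, but not the executive's known address.
    exec_addr = EXECUTIVES.get(_normalize(name))
    if exec_addr and addr.lower() != exec_addr:
        score += 5
        reasons.append(f"display name '{name}' is an executive but sender is {addr}")

    # 2. Replies are steered to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(addr):
        score += 4
        reasons.append(f"Reply-To {reply_addr} does not match From domain {_domain(addr)}")

    # 3. Pressure and gift-card language, capped.
    hits = [p for p in RISKY_PHRASES if re.search(p, text)]
    if hits:
        score += min(len(hits), MAX_PHRASE_POINTS)
        reasons.append(f"{len(hits)} risky phrase(s) matched")
    return score, reasons


def is_suspicious(raw):
    return assess_message(raw)[0] >= FLAG_THRESHOLD


# Constructed sample messages (not real mail).
GIFT_CARD_CON = """From: "Pat Smith" <pat.smith.ceo@gmail.com>
To: joseph@example.com
Subject: Quick favor

I'm very busy in meetings all day. I need you to buy 25 iTunes gift cards,
scratch off the code, take a picture of each and send them to me here.
"""

LEGIT_INTERNAL = """From: "Pat Smith" <pat.smith@example.com>
To: joseph@example.com
Subject: Board deck

Attached is the board deck for Thursday. No rush, look when you have time.
"""

REPLY_TO_SWAP = """From: "Pat Smith" <pat.smith@example.com>
Reply-To: <ceo.office@outlook.com>
To: joseph@example.com
Subject: Are you at your desk?

Are you available? I need you to handle something urgently for me today.
"""

if __name__ == "__main__":
    for label, raw in [("con", GIFT_CARD_CON), ("legit", LEGIT_INTERNAL),
                       ("reply-to swap", REPLY_TO_SWAP)]:
        score, reasons = assess_message(raw)
        print(f"{label}: score={score} flagged={score >= FLAG_THRESHOLD} {reasons}")
```

The weights are deliberately lopsided: a roster name on the wrong address, or a Reply-To that steers answers elsewhere, each comes close to the threshold on its own, while phrase matches are capped so an ordinary message mentioning a birthday gift card never trips it by itself. Flagged messages are good material for the next awareness email, with the sender details redacted.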