One of the key ways to defend your organization against cyberattacks involves your own employees. To protect themselves and your business against phishing campaigns, malware and other types of attacks, your workers need a certain awareness of cyber incidents and, more importantly, of security best practices. But a recent survey from security provider Armis reveals a lack of knowledge in certain areas of security among many respondents.
Conducted in May 2021, the survey received responses from 2,004 working professionals across the United States. The respondents came from a variety of industries and sectors, including education, finance, healthcare, IT & telecom, manufacturing, sales, media and marketing. The goal of the survey was to gauge the awareness of recent cyber incidents and proper cybersecurity practices among the professionals, according to Armis.
The recent ransomware attack against pipeline provider Colonial Pipeline and the recent attempt by a hacker to poison the water at a Florida treatment plant have both been in the news. Both incidents received a fair amount of coverage, not just in the tech press but in the mainstream media. Yet 21% of the professionals surveyed by Armis had not heard about the attack against Colonial Pipeline. Further, 45% of the respondents were unaware of the hack against the Florida water treatment plant.
Even among those familiar with these recent cyberattacks, some don’t see any lasting impact. In response to the ransomware threat, Colonial Pipeline was forced to close its pipeline for a while. In another incident, JBS Foods had to temporarily shut down its meat processing operations in the U.S. and Australia following a ransomware attack. However, 24% of those surveyed by Armis said they didn’t think the attack against Colonial Pipeline would have any long-lasting effects on the U.S. fuel industry.
On the plus side, however, those surveyed did acknowledge the overall potential effect of cyberattacks on society. An overwhelming 86% of the respondents said they believe that attacks on critical services, such as oil suppliers, healthcare services, police departments and water treatment facilities, could have a major impact on everyday life.
Since early 2020, the coronavirus pandemic has forced more people to work from home and use their personal devices for work projects. Now that businesses are starting to open up again, many employees are moving to a hybrid model of working both at home and in the office. As such, they’re more likely to bring the same devices from home or another remote location into the office. Does that pose a security risk? That depends.
If an organization tightly secures the device and ensures that the worker follows proper cyber hygiene, the risks should be minimal. But that’s not always the case. An unsecured device in the hands of an employee unaware of security best practices can easily open the door to increased cyber threats.
Some 71% of the professionals surveyed said they plan to bring their work-from-home devices back into the office. Despite the possible risks, more than half (54%) of the respondents said they don’t believe their personal devices pose any threat to their organization. However, some 27% of those surveyed said that their companies don’t have any existing policies to secure both work and personal devices.
But is it fair to presume that non-technical employees should be aware of the latest cyber incidents? And does a lack of knowledge about attacks in the news even play a role in a worker’s cyber hygiene habits?
“This report from Armis suggests that the general populace remains woefully unaware of significant cyberattacks, but even if 100% were aware, is it clear that they know what part they play in keeping organizations secure?” asked Sounil Yu, chief information security officer at cyber asset management firm JupiterOne. “How significant of a role should they play? Would security policies prohibiting or controlling the introduction of personal or IoT devices have prevented the attacks on Colonial Pipeline and the water treatment plant?”
Automatically expecting your fellow workers to become knowledgeable enough about cybersecurity to help combat attacks is foolhardy, unless you provide them with the right training. Employees need to understand how such attacks relate to them and their jobs before they can dedicate themselves to joining the fight.
“Security awareness needs to be tailored to what is relevant to the employees and ideally delivered near time to them during incidents,” said John Bambenek, threat intelligence adviser at intelligence provider Netenrich.
“Knowing the specifics of recent utility attacks doesn’t translate into employees knowing which attachments to not open or which phishing links to not click on,” Bambenek added. “When employees generate security alerts, having a discussion with them in a very non-hostile way to use those moments as educational is important. Phishing simulations have also yielded some results, but making security awareness as relevant as possible to what the employee actually sees is critical.”
Yet an employee’s awareness and understanding of cybersecurity is vital as most attacks are directed toward them. A lack of awareness turns an employee into an easy target for a cybercriminal looking to access an organization’s network via a phishing attack or social engineering, according to Joseph Carson, chief security scientist at security firm ThycoticCentrify.
“Ensuring that employees at every level are given sufficient training, such as how to identify malware-laced emails and other rudimentary attempts at credential theft, can be a major step to help reduce the success rate of an attack or at least raise an alert,” Carson said. “By normalizing training within the culture of the workplace, organizations can help maintain attentiveness for these practices long term.”
Finally, organizations need to invest the time and resources into both employee education and security technology as a two-pronged approach toward combating attacks. Toward that end, AJ King, CISO at incident response firm BreachQuest, offers the following suggestions:
- Hire dedicated security awareness people who aren’t engineers but rather marketing professionals who know how to engage an audience to educate your employees.
- Implement technical tools that prevent people from making easily preventable errors.
- Set up multifactor authentication, especially for email systems, VPNs and privileged accounts.
- Remove local admin privileges for standard users.
- Adopt a password manager across your organization to improve and ease password security for all employees.