Symantec’s vice president of information security, Brian Dye, delivered a rather strange pronouncement recently. “Antivirus is dead,” Dye told The Wall Street Journal. “We don’t think of antivirus as a moneymaker in any way.” The article said Symantec is not the only antimalware provider that feels this way, and explained, “Rather than fighting to keep the bad guys out, new technologies from an array of companies assume hackers get in so aim to spot them and minimize the damage.”
To be fair, throughout history the bad guys have always had the upper hand. They know what they’re going to do. Defenders can only guess, or attempt to protect every asset from all possible exploit scenarios. To make matters worse, the chasm is widening because criminals exploit the internet. Never has it been easier for nefarious types to obfuscate their tracks, change their modus operandi, or hide in plain sight.
One only need consider the Target breach that exposed sensitive personal and financial information on more than 100 million loyal shoppers. The entire exploit started with a simple phishing email received by an employee of a Target-contracted third-party HVAC company, who unknowingly activated embedded malware. That was the all-important first step needed by the attackers to gain access to Target’s internal network.
History, the Symantec announcement, and the Target breach all point to the fact that technology alone is not the solution. It requires something more. In the case of the Target breach that “more” would have been an increased awareness of phishing email fraud by the HVAC company’s employee.
Culture of security
What seems to be needed by those who work with computers is a digital sixth sense. That awareness may have alerted the HVAC-company employee into deleting the phishing email instead of activating the malware. But how does that mindfulness come about? One interesting possibility is creating a company-wide culture of security.
The Oxford Dictionary defines culture as, “The customs, arts, social institutions, and achievements of a particular nation, people, or other social group,” and security as, “The state of being free from danger or threats, and/or the state of feeling safe, stable, and free from fear or anxiety.”
Putting the two together might look like this: “The ideas, customs, and social behavior of a particular people or society that allow them to be free from danger or threats.” That definition came from Kai Roer, founder of the Roer Group, a management consulting company that has provided information security training to companies and their employees worldwide. Roer said the only way to improve a company’s information security consciousness is to create a security culture within the business. In order to do this, Roer developed a program he calls the security culture framework.
Security culture framework
The security culture framework consists of four building blocks:
Metrics: What to measure, why, and how. In this case, metrics means defining baselines, setting goals, and measuring progress. Baselines are an important first step. They allow the company to analyze its strengths and, more importantly, its weaknesses. After baselines are in place, the next step is to set milestones. That way company management and employees can see tangible evidence of an environment with improving security. There are two types of milestones in the framework:
- Result goals are tangible and measurable goals, such as: within six months, the number of “password reset due to forgotten password” incidents should be reduced by 50 percent.
- Learning outcomes are more nebulous. The goal is to convince employees that rules have a definite purpose. For example, explain to employees why strong passwords are important, and what can happen if passwords are weak.
Organization: Create a security culture team, define target audiences, and build company-wide support. Something to consider: this program is about change, and it’s only natural to be somewhat averse to change. However, people are more willing to accept new things, changes, and extra work if they understand why. Also, getting buy-in from upper management is vital. The program will fail if C-level executives adopt a “Do as I say, not as I do” attitude.
Topics: Areas most likely needing training include technical processes (spotting phishing emails), company policies, government regulations, and topics specific to the company. Some examples:
- Social media
- Bring Your Own Device (BYOD)
- The mobile workstation
- Secure login
- Social engineering
- Safe behavior on the internet
Roer said training should progress, but not be rushed. “Long-term results are created by carefully crafting a plan to build a security culture you want over the course of several years,” Roer said. “Some topics are relevant at different stages of an employee lifecycle. One example would be introducing new employees to policies and regulations when they begin working.”
There should be evaluation procedures in place to ensure training is working correctly, for example: tests, questionnaires, and/or interviews. Roer is fond of peer reviews as a way to build competence and promote an environment where sharing and caring is important. And, above all, avoid negativity.
Planner: The purpose of the planner building block is to create an overview of the framework training activities and when they are completed. This information is then compared to the initial schedule to ensure company goals are being met.
One side benefit of the planner is it becomes a history of what worked, and what did not. Since the security culture framework is an ongoing campaign, this allows the management team to reinforce components that worked and revise those that did not.
The security culture framework depends on employees working as a community. It is interesting to note that the security culture framework website is also a community, where members are encouraged to download templates, discuss best practices, and learn how to create security cultures within organizations.
The steps comprising the security culture framework are based on these building blocks. Like any journey, the first step is always the hardest, which in this case is selecting the team that manages the entire security-culture program. The success or failure of the program rests on their shoulders.
Set up team: Create a team that will be responsible for nurturing the company’s security culture. It is important to include personnel from all major departments to eliminate knowledge voids.
Define goals: Define the desired goals, or where the company wants to be with regard to information security.
Measure current status: The management team’s measurement of the current information security status needs to be an honest assessment of current conditions. This will allow team members to determine true progress going forward.
Define target audience: All employees who use computers need to be included to ensure they understand their role in the company’s security culture.
Choose topics: This critical step will determine who gets what training. For example, the unfortunate HVAC company employee would most likely be attending classes on how to spot phishing emails.
Plan and execute: The training in each topic should always be tied to increasing one’s awareness (sixth sense) and cooperation in the company’s security culture.
Measure, revise, and restart the process: The security culture attitude is tenuous at best, and needs constant attention. New employees, those with negative attitudes, training that is ineffective, and a myriad of other issues need to be addressed in a timely fashion.
Will this help?
If asked, those in charge of the company’s digital security will say employee training is an important piece of the overall security puzzle. However, is employee training enough, or do companies need to embrace concepts like the culture of security? Albeit hypothetical, let’s see if any conclusions can be drawn by pretending the HVAC company contracted by Target had embodied the security culture framework: would the employee implicated in the phishing attack have acted any differently?
According to the framework’s steps, the HVAC company would have had in place a management team that is aware of security issues specific to the company, and of how employees will react when a situation involving security arises. The management team would have created a baseline when they started the program, and would periodically measure their improvement against that baseline. The continued assessment helps the company determine whether its goals are being met, and whether or not employees are embracing the culture of security.
We know the HVAC company used email. It is not a given, but a fairly safe bet the person in charge of information security understands the impact a successful phishing email would have on the company, especially since the company has access privileges to important clients such as Target. That information, according to the Security Culture Framework, was relayed to the management team. The management team in turn required employees with email access to take additional training, possibly an online course similar to this one. This particular class provides:
- Training so employees understand how to identify cyber-security traps within emails
- Instant feedback when a threat is assessed incorrectly
- Analytics that gather actionable data about the types of traps that fool your employees
- Retainable training results
Because of the “measure and revise” step, the management team would know when the employees have completed the class and how well they did. A key component to the framework is that the process never ends. Bad guys continue to find new ways to leverage people. The management team is well aware of this, and periodically reschedules the phishing email training.
A few assumptions were made in the above example. Also, it is difficult to gauge how well the intangible aspects of a security culture are accepted by the employees. That depends, in large part, on upper management. When all is said and done, it seems a company with employees trained in and embracing a culture of security would be in a good position to spot phishing emails similar to the one that led to the Target breach.
There are challenges, Roer said. “If I am to name a challenge, it would be having enough resources to implement the security culture framework. I would love nothing more than to see small companies implement the security culture framework. However, right now it is a better fit for enterprise-sized organizations. That said, we are working hard to change that.”
Examples of a security culture framework in action
As for real-world examples, Roer said it was company policy not to provide names, but he could provide some information about companies and their experiences with the framework. The first example is a Detroit financial institution:
Roer said, “The company is using the security culture framework to build a sustainable security culture in their organization. The biggest challenge is keeping to the planned schedule; even with that, they report progress. The finance organization is currently working with our US partner VioPoint, a security-consulting company that offers the security culture framework as part of their consulting practice.”
In Europe, Roer has made inroads in the oil and gas industry, manufacturing, and government agencies. He said, “The European companies appreciate the flexibility of the Security Culture Framework. Flexibility made it easy to adapt to each organization’s needs, no matter the maturity level of the organization.”
Technology as it stands is not capable of judgment calls (phishing email or not), making it a reactive defense based on historical data. Enhance technology with employees wielding a security-culture augmented sixth sense, and the odds of maintaining a secure digital presence seem more assured.