In the summer of 2022, bad actors launched a sophisticated smishing campaign against Twilio, a communications platform. This campaign targeted former and current employees by mimicking messages sent by identity provider Okta with links to update passwords or complete other familiar actions. The threat actors were even able to match employee names with their phone numbers.
Indeed, even with strong security measures, your organization isn’t immune to phishing attacks like this one. Phishing is the most common attack vector, with 41% of attacks recorded by IBM in 2021 resulting from phishing. And the number of attacks keeps increasing: APWG recorded almost 1.1 million attempts in the second quarter of 2022 alone.
It makes sense, after all: social engineering attacks like phishing don't necessarily require the complex technical knowledge this attack involved. As an IT professional, you know this. But do your end users?
Developing a strategy to improve user security awareness
Let’s talk strategy. Bad actors are getting more clever, and new ways of gaining access to your organization are developed daily, which is why it’s critical to develop a holistic strategy to defend users from social engineering attacks.
Hiring and onboarding employees
This strategy starts at the very beginning of an employee’s tenure at your company. When hiring a candidate, it could be beneficial to look beyond a standard background check and do a social media analysis to check that the prospective employee has values that align with the company.
Upon hiring, it's important to communicate your organization's technology-related expectations during the onboarding process. This includes the organization's policies and attitudes around IT security and personnel management. These policies could cover:
- Standard operating procedures: What are your organization's best practices for IT? This can include how to file an IT ticket, how to log in to accounts, how to handle lost or stolen equipment and more. Employees should be informed of acceptable use policies (AUPs) and general security policies, for example, which company information employees should avoid sending in an email or posting on social media. They should also be told how AUPs will be enforced, and their acknowledgement of the policies should be recorded with a signature.
- Job rotation: While not necessarily applicable to all organizations, it can be helpful in some to switch people to different positions periodically. This helps organizations ensure all staff know how to perform multiple roles and prevents people from getting so comfortable in their role that they perform actions beyond their authorization level. This can also make it easier to detect suspicious activities and mitigate collusion.
- Separation of duties: Separating duties by role ensures that no single individual can perform all of the critical actions that could damage a system. For example, a developer cannot push their own changes to production but must instead submit them for review. Similarly, some responsibilities lend themselves to multi-person controls, such as requiring two signatures on a large check before it can be deposited.
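The separation-of-duties and multi-person controls described above can be expressed as a single authorization check. The following Python is an added example, not code from this post or from Jamf; the action names, the roles, the large-check threshold and the sample requests are assumptions made for illustration, and the policy table generalizes the two cases in the text (peer review of a deploy, two signatures on a large check) into one rule set.

```python
"""Separation of duties and multi-person controls as a policy check.

Added example, not the post's own code. The action names, roles,
the large-check threshold and the sample requests are assumptions
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Approval:
    approver: str   # who signed off
    role: str       # role they hold, e.g. "reviewer" or "signer"


@dataclass
class Request:
    kind: str                         # "deploy" or "check"
    requester: str                    # the person initiating the action
    amount: float = 0.0               # only meaningful for "check"
    approvals: list = field(default_factory=list)


# Assumed policy table: a deploy needs one reviewer other than the author;
# a check at or above the threshold needs two distinct signers.
LARGE_CHECK_THRESHOLD = 10_000.0
POLICY = {
    "deploy": {"min_approvals": 1, "required_role": "reviewer"},
    "check": {"min_approvals": 2, "required_role": "signer"},
}


def valid_approvals(req: Request) -> set:
    """Distinct approvers who hold the required role and are not the requester.

    A set means the same person signing twice counts once, and excluding
    the requester means nobody can approve their own action.
    """
    rule = POLICY[req.kind]
    return {
        a.approver
        for a in req.approvals
        if a.role == rule["required_role"] and a.approver != req.requester
    }


def authorize(req: Request) -> tuple:
    """Return (allowed, reason) for a request under the assumed policy."""
    if req.kind not in POLICY:
        return False, f"unknown action {req.kind!r}"
    needed = POLICY[req.kind]["min_approvals"]
    if req.kind == "check" and req.amount < LARGE_CHECK_THRESHOLD:
        needed = 1  # small checks: one signer, but still never the requester
    approvers = valid_approvals(req)
    if len(approvers) < needed:
        return False, f"{len(approvers)} valid approval(s), {needed} required"
    return True, "approved by " + ", ".join(sorted(approvers))


if __name__ == "__main__":
    # Constructed sample requests
    self_review = Request("deploy", "alice", approvals=[Approval("alice", "reviewer")])
    peer_review = Request("deploy", "alice", approvals=[Approval("bob", "reviewer")])
    big_check = Request("check", "carol", amount=25_000,
                        approvals=[Approval("dan", "signer"), Approval("dan", "signer")])
    for r in (self_review, peer_review, big_check):
        print(r.kind, r.requester, authorize(r))
```

The two properties worth noticing are that a self-approval is silently discarded rather than rejected with a special case, and that the same signer listed twice on a large check still counts as one approval, which is what makes the two-signature rule a genuine multi-person control.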
Understanding user behavior
Part of informing users effectively is understanding their habits and behaviors. After all, this understanding is what fuels successful phishing attacks.
- Passwords: Passwords should be complex and should not include common words or the user's name. They should never be shared or written down, and should be changed often. Ideally, a password policy should be established to enforce these rules.
- Social engineering attacks: Users should be well informed about the concept and methods of social engineering. They should know about the risks of tailgaters, unauthorized hardware in the building, common phishing and smishing tactics and more.
- Personal devices: Users should understand the risk of using personally owned devices at work. Security risks can be mitigated here by using mobile device management and requiring users to enroll their devices before they can access company resources. (Check out the first post in this series for more information about BYOD programs.)
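The password rules listed above (complexity, no common words, no user name, regular change) can be enforced by a policy check rather than left to the user. The following Python is an added example, not code from this post or from Jamf; the minimum length, the 90-day maximum age, the common-word list and the sample user are assumptions chosen for illustration.

```python
"""Password policy check: length, character classes, no user name,
no common words, maximum age.

Added example, not code from the post. The thresholds, the common-word
list and the sample user are assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

MIN_LENGTH = 12         # assumed minimum length
MIN_CLASSES = 3         # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 90       # assumed rotation interval ("changed often" in the text)
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company"}


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def contains_user_name(pw: str, user: dict) -> bool:
    """True if the username or any part of the full name (3+ chars) appears."""
    lowered = pw.lower()
    parts = [user["username"], *user["full_name"].split()]
    return any(len(p) >= 3 and p.lower() in lowered for p in parts)


def contains_common_word(pw: str) -> bool:
    """True if any entry of the (assumed) common-word list appears."""
    lowered = pw.lower()
    return any(word in lowered for word in COMMON_WORDS)


def check_password(pw: str, user: dict, last_changed: date,
                   today: date | None = None) -> list:
    """Return the list of violations; an empty list means the password complies."""
    today = today or date.today()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if contains_user_name(pw, user):
        problems.append("contains the user's name")
    if contains_common_word(pw):
        problems.append("contains a common word")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords
    jane = {"username": "jsmith", "full_name": "Jane Smith"}
    for candidate in ("Smith2023!!abc", "Password123!x", "Tr0ub4dor&3Horse-Battery"):
        print(candidate, check_password(candidate, jane, date(2024, 1, 1), today=date(2024, 2, 1)))
```

The check returns every violation rather than stopping at the first one, so the feedback shown to the user (or logged by the identity provider) names all the reasons a password was rejected; the name and common-word checks are case-insensitive substring matches, which is what catches "Smith2023!!abc" even though it satisfies the length and complexity rules.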
Training end users
Training during onboarding is important, but onboarding can be an overwhelming time for new employees. It’s likely that some information will fall through the cracks as they learn about their new company and responsibilities. That’s why training should be ongoing throughout the employee’s tenure.
Training should cover IT policies, including those mentioned in onboarding, and address how user habits can impact cybersecurity. It should also be periodic and relevant to each user's role. For example, a standard user should understand how to use their device and how to recognize common issues like malware. A privileged user with elevated permissions should receive more in-depth training.
Most of us have sat through long, tedious training, whether cybersecurity related or not. How much information do we all gain from these trainings? Successful training programs need to be informative while being entertaining. Here are a few training techniques to consider:
- Phishing campaigns: Simulated phishing campaigns send realistic but harmless phishing emails to employees. This lets your organization see which employees click the links and need additional training.
- Capture the flag: More for security personnel, this technique challenges employees to apply their security skills to perform attacks. This can help new employees spot attacks and know how to prevent them.
- Gamification: Just like it sounds, this technique strives to make training fun by turning it into a game. It could include competing with other users or playing a mini-game on the training platform.
Lastly, you should establish an offboarding policy that sets everyone up for success. It’s critical to receive all company equipment back, including computers, phones, ID cards and any other issued items. The employee’s account should be disabled to ensure they don’t have access to any internal systems or applications. Ideally, there aren’t any systems or accounts that rely on credentials known by the exiting employee; if this happens to be the case, ensure that this information is given to current staff and credentials are changed.
An ounce of prevention…
Increasing user awareness of cybersecurity risks is critical for enhancing your organization's security posture. But on its own, it isn't enough. Reinforce your security by making user mistakes less costly or harder to make. For example:
- Enforce password policies that require complex, frequently changed passwords
- Use SSO and identity providers to reduce the need to remember multiple passwords
- Create a BYOD program to prevent granting users uncontrolled access to company resources
- Zero Trust Network Access (ZTNA) seamlessly gives employees access to the tools they need, wherever they need it, while strictly verifying the user’s identity
- Your organization's security is dependent on your employees, so it's crucial to start security training at onboarding and continue it throughout their tenure.
- Understanding and responding to user behavior aids in developing successful training programs.
- Training programs should be engaging and informative to be effective.
- Using ZTNA network architecture, SSO with cloud identity providers and mobile device management mitigates risk regardless of what users do.