We are often asked by organizations how they can better train their employees to prevent them from clicking on malicious links or being susceptible to attempts by hackers to make their way into their networks. The rise in the frequency of this question means that organizations are finally starting to realize where the weak links are. Below are some general thoughts on how you might fix the weakest link in the security of your organization.
Humans by nature are extremely trusting, which is what makes them the weakest link in the security of any organization. This is particularly true when you have individuals who do not understand how the technology they use works. These days everyone is used to the old Nigerian Prince scam and can usually spot it a mile away, but they aren’t used to very targeted spear-phishing attacks, which are the types of attacks that yield the most success.
When a hacker really wants something, they will go the extra mile and do lots of research on an organization before conducting an attack. They will visit the website, make phone calls to employees, and sometimes even meet individuals in person. Social engineering can provide a gold-mine of information that an attacker will use before launching a campaign.
Attackers will then send a legitimate-looking e-mail “from” your boss or some system administrator, hoping you will click a link or provide credentials. Most employees won’t pay attention to detail and notice that the domain name is actually one character off, and will respond because the boss just shot them a note. Hackers leverage simple psychology when conducting these types of “sophisticated” attacks.
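The “one character off” domain trick described above is something a mail gateway or a simple inbound-mail filter can flag before a busy employee has to notice it. The following is an added example, not code from the original post: it compares the sender’s domain against the organization’s own domains using edit distance and a small table of look-alike character substitutions. The organization domain (`example-corp.com`), the sample `From:` headers, and the homoglyph table are all constructed for illustration.

```python
"""Flag sender domains that look like, but are not, the organization's own.

Added example (not from the original post). ORG_DOMAINS and the sample
From: headers below are constructed placeholders.
"""
from __future__ import annotations
import re

# Constructed: the organization's legitimate mail domains.
ORG_DOMAINS = {"example-corp.com"}

# Visually confusable substitutions commonly used in look-alike domains.
# Each fake sequence is mapped back to what the eye reads it as.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common homoglyph substitutions."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(from_header: str,
                    org_domains: set[str] = ORG_DOMAINS,
                    max_distance: int = 1) -> str:
    """Return 'internal', 'lookalike', 'external' or 'no-domain'."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    for legit in org_domains:
        # Exact match or a genuine subdomain of the organization.
        if domain == legit or domain.endswith("." + legit):
            return "internal"
    norm = normalize(domain)
    for legit in org_domains:
        legit_norm = normalize(legit)
        # Our domain embedded in a longer attacker-controlled name,
        # e.g. example-corp.com.evil.net
        if legit_norm in norm:
            return "lookalike"
        # Homoglyph swap or a single character inserted/deleted/changed.
        if levenshtein(norm, legit_norm) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers for a quick demonstration.
    for hdr in ["Boss <boss@example-corp.com>",
                "Boss <boss@exarnple-corp.com>",
                "IT Helpdesk <it@example-c0rp.com>",
                "Boss <boss@exmple-corp.com>",
                "IT <it@example-corp.com.evil.net>",
                "Vendor <sales@partner-supplies.net>"]:
        print(f"{classify_sender(hdr):10s} {hdr}")
```

A flag from this check is a good candidate for a banner (“this message is from a domain that resembles ours”) rather than a hard block, since legitimate partners occasionally have genuinely similar names; the point is to surface the detail the employee would otherwise skim past. The homoglyph table is deliberately short and should be tuned to the organization’s own domain names, because broad substitutions can also rewrite legitimate words.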
Training employees and altering this behavior is more than just a game of tell. You must also show. Most individuals have picked up a number of bad habits because the technology they use at home has imposed these bad habits on them. Think short URLs on Twitter – do you really know where that link is going to take you? Until a user understands that this short URL could be going to some malicious site, and you’ve shown them what could happen, they will not fully comprehend the risks.
For organizations looking to really improve their security, you have to focus on the employees, and you have to continually invest in training. Humans, after all, are the weakest link because we are creatures of habit. Unless they are repeatedly hit with this information, they will eventually forget. Run spear-phishing campaigns against your employees. See who opens, clicks, or even submits data, and then re-educate. Wash, rinse, and repeat.
If you’re interested in hearing more about how we can help you with securing your weakest link to protect your organization, feel free to reach out.
Written by Tim Tutt
Chief Technology Officer, Data Ninja, Technology Enthusiast