Recently, due to the nature of my work, I was made aware of a cyberincident that was not widely publicized, wherein an attacker used social engineering techniques to manipulate a person into revealing their banking credentials, namely user ID and password. Using them, the attacker was able to steal the funds that were in the account.
Law enforcement professionals were unable to identify the culprit. The bank that oversaw the account in question expressed its inability to approve the customer’s claim for a refund. As a result, the customer decided to file a lawsuit against the bank for “providing a vulnerable Internet-based banking solution.”
During the hearing, it was established that the application and infrastructure hosting the application in the bank’s infrastructure was reasonably secure. The bank also sent periodic messages and emails to customers about possible social engineering attacks. Therefore, the bank argued that it was not at fault. However, to the bank’s surprise, the ruling judge observed that “Although the bank has taken sufficient care to protect infrastructure and data of customers, they failed in providing ‘enough’ awareness training to the customers about the possible attacks.” And then the bank’s security officer asked the question, “How much enough is enough?”
Further analysis of the case revealed that the awareness communications sent by the bank conveyed long messages in very technical language, therefore, most customers ignored them, resulting in their lack of awareness. Hence, whether training employees, customers or third-party suppliers, organizations must ask themselves “Are we doing enough to provide effective security and cyberhygiene training? Are all possible risk scenarios addressed?”
To determine if the current security and cyberhygiene training was effective and to decide what to do next, a discussion with various security and risk professionals (both inside and outside of the bank) was organized. Many suggestions and innovative ideas were proposed.
More traditional ideas that were discussed included:
- Conduct training in a classroom environment, focused on the most common source(s) of risk. However, this may be more accessible to onsite employees than to customers and other external stakeholders.
- Offer computer-based training (CBT) that is delivered via Internet/intranet to all constituents as per their time availability. However, it may be challenging to ensure that everyone has attended the sessions.
- Create posters that convey a security message with appealing images and display them in strategic locations. It is somewhat disadvantageous that measuring the effectiveness of the posters directly may be difficult.
- Deliver periodic (e.g., biweekly) messages via email or social media highlighting 1 topic at a time. For effectiveness, consider adding links to articles in the media that highlight the applicable area of vulnerability. For example, if the message is about not sharing passwords, add a link to an article that discusses the adverse impacts of sharing passwords. However, it may be difficult to find an article that will adequately support the security message. Although there are enough incidents on which articles can report, they may or may not drive the message appropriately.
There were also more innovative ideas that were brought up during the discussions:
- Arrange meet-ups hosted by select cyberprofessionals who have prepared topics for discussion, perhaps over coffee. There would need to be sufficient team members to conduct multiple sessions.
- Host monthly 20-minute online sessions focusing on specific security topics followed by a question-and-answer (Q&A) session. To ensure that most or all employees can view the topic coverage, consider recording the session and circulating the video to those not in attendance.
- Initiate a flash security session, similar to a flash mob. Whenever enough people are around, begin acting out a security-related scenario. This is effective for external stakeholders, particularly customers. Of course, it requires significant preparation.
- Produce a short advertisement to play over television networks. This is good for external stakeholders. However, cost and other resources may be an inhibitor.
- Announce a reward for the first employee to report a new security threat, vulnerability or incident. It will motivate people to be on lookout for areas of concern, which, in turn, makes them more aware of what secure behavior looks like. This is less costly and can also involve external stakeholders.
- Encourage senior management to lead by example. When others observe members of senior management following security best practices, it communicates the right message across the organization. However, members of senior management may be resistant to changing their behavior.
- Publish a small booklet and distribute it to all stakeholders. Note that this may be costly and it could be challenging to entice them to read it given the current digital era.
Which tactic is most effective? It depends on the requirements and culture of one’s organization.
Consider the following tips when preparing the contents of security awareness training:
- Training should extend beyond simple dos and don’ts guidance. It should provide a rationale as to why an action should or should not be taken. This helps trainees understand underlying risk so that they can adjust their cyberhygiene practices as needed to address changing threats.
- Make the first line of defense stronger by educating operational users on how to detect abnormal behavior in machines and people. This should include customers and external stakeholders using online services.
- Understand users and tailor cyberhygiene guidance to suit their needs. Common guidelines may be useful to some extent, but some users may require more specific training, particularly the external stakeholders who are most vulnerable to social engineering attacks.
- Try to implement automated controls wherever possible to reduce human error.
Sharing innovative ideas with constituents allows for increased collaboration and betters the likelihood of improving security. As a response to the cybercrime anecdote recounted here, the association of banks decided to make a joint effort to promote security awareness training for all customers and definitively agreed on what is considered ‘enough.’
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Is a consultant and trainer in IT governance and information security.