COVID-19 and remote work have highlighted the struggle in implementing an effective cybersecurity awareness training program. SANS and other organizations offer security awareness training sessions geared for those working from home (WFH). And Gartner included: “Reinforce the need for remote workers to remain vigilant to socially engineered attacks,” as one of its security focus areas to promote better security habits for remote workers. It stated, in part: “Make sure you reach out to senior leaders with examples of target phishing attacks, and alert employees to the escalating cyberthreat environment. Remind them that they must remain focused and hypervigilant to suspicious activities.”
Many of the issues surrounding employee security education—particularly how to spot and handle phishing emails—aren’t just a WFH concern, and they should have been addressed long ago when the majority of employees were still onsite. They probably were addressed, but the training is long forgotten or pushed aside without security and IT teams there to reinforce behavior.
Clearly, something isn’t working.
Time for a New Approach
It is time to stop thinking about security awareness training as a one-size-fits-all approach and use targeted awareness training instead, said Steve Moore, chief security strategist at Exabeam, in a video chat during Exabeam’s Spotlight20 virtual conference.
It makes sense when you think about it. Security systems are (or should be) designed for specific organizations and their needs, and cybercriminals send out targeted phishing emails, so why shouldn’t security awareness training be done that way? We need to stop treating all departments and employees equally when it comes to training and recognize what and where the greatest risks are across the company.
During COVID-19, rethinking the approach to awareness training is especially necessary, Moore said, because threat actors have changed their approach.
“Weaker organizations are getting compromised. They are getting owned at some level, either at an individual account level or a network level,” Moore explained. “The adversary goes in and the environment is compromised.”
The threat actor’s goal, if they can’t reach the original target, is to get as close to it as possible and then begin moving laterally through the network.
“That’s not just a technical risk, but it becomes a third-party risk,” Moore said. “You don’t know who to trust.”
Targeting the Training
What is happening, Moore said, is threat actors are targeting individual people during COVID-19, in particular researchers and scientists. Adversaries are focusing on the individual scientist because they know the valuable data is there, and it allows them to get to their goal.
“Because we know that the target is going to executives, administrators, database admins, assistants to executives,” Moore said. “Because we know this, we’re going to provide a concierge approach to security, including specific awareness training and enhanced monitoring.”
After all, if a cybercriminal can create a targeted attack, cybersecurity teams should be able to create targeted awareness training to combat attacks.
It starts with enhanced monitoring, through which IT and security can develop what Moore calls a watch list. This list can include employees who hold a certain rank or title, work in designated departments, or have access to sensitive data. Once that list is created, the security team looks for alerts involving those people. This decreases the risk level for these high-value targets.
At the same time, the alerts build up a profile of the types of attacks aimed at these people, and from that profile a security awareness track can be designed for them. Spearphishing that impersonates the email address of an executive or other high-level official has been a frequent style of attack during the pandemic, so the awareness track for those targets would cover how to recognize a potentially spoofed email versus the real thing.
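The watch-list workflow described above (select high-risk people, filter alerts to them, turn the resulting attack profile into a training track), as an added example that is not code from the article or from Exabeam. The employee records, alert kinds and module names are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed sample directory; titles and departments are hypothetical.
EMPLOYEES = [
    {"user": "ceo", "title": "Chief Executive Officer", "dept": "Executive", "sensitive": True},
    {"user": "asst.ceo", "title": "Executive Assistant", "dept": "Executive", "sensitive": False},
    {"user": "dba1", "title": "Database Administrator", "dept": "IT", "sensitive": True},
    {"user": "sci1", "title": "Research Scientist", "dept": "Research", "sensitive": True},
    {"user": "mkt1", "title": "Marketing Specialist", "dept": "Marketing", "sensitive": False},
]

# Watch-list criteria: rank/title, designated department, or sensitive-data access.
WATCH_TITLES = {"Chief Executive Officer", "Executive Assistant", "Database Administrator"}
WATCH_DEPTS = {"Research"}

def build_watch_list(employees):
    """Return the set of users who meet any of the watch-list criteria."""
    return {e["user"] for e in employees
            if e["title"] in WATCH_TITLES or e["dept"] in WATCH_DEPTS or e["sensitive"]}

# Constructed alerts, as an email gateway or SIEM might emit them.
ALERTS = [
    {"target": "asst.ceo", "kind": "spoofed_exec_sender"},
    {"target": "asst.ceo", "kind": "credential_phish"},
    {"target": "sci1", "kind": "credential_phish"},
    {"target": "mkt1", "kind": "credential_phish"},   # not on the watch list
    {"target": "dba1", "kind": "spoofed_exec_sender"},
]

def profile_attacks(alerts, watch_list):
    """Count alert kinds per watched user; alerts for unwatched users are skipped."""
    profile = defaultdict(Counter)
    for alert in alerts:
        if alert["target"] in watch_list:
            profile[alert["target"]][alert["kind"]] += 1
    return {user: dict(counts) for user, counts in profile.items()}

# Hypothetical awareness modules keyed by the attack kind they address.
TRAINING_TRACKS = {
    "spoofed_exec_sender": "Recognizing spoofed executive email",
    "credential_phish": "Credential-harvesting phishing",
}

def training_plan(profile):
    """Map each watched user's observed attack kinds to the modules they should get."""
    return {user: sorted(TRAINING_TRACKS[k] for k in kinds) for user, kinds in profile.items()}
```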
This can trickle down to other employees, matching security awareness content to the risks that affect particular individuals or teams. People in marketing, for instance, could have specialized training in social media disinformation attacks—not just how to notice them, but how to build a response when the company is under attack. That training probably has no relevance to the accounting department, whose training should be specific to spotting risks against the financial system.
Security awareness training shouldn’t be treated as something separate but should be built into each person’s job duties. Once employees at any level see how security awareness fits into their responsibilities, security best practices will be built in and become second nature.