Phishing with emotion and stress results in bad choices

Recently on one of my personal sites, I received the below phishing attempt:

[Image: the phishing email]

I see a ton of phishing examples as part of PeopleSec’s Security Awareness Training and Education (SATE) program.  It is not often a phish in the wild catches my eye and looks like anything other than spam.  This email is an excellent example: it creates stress, the stress triggers an emotional reaction, and the emotional reaction drives the click before the recipient has looked at the message critically.

“Emotions can cloud our judgment and influence our decisions when triggered by the [stressful] situation at hand,” as the Harvard Business Review puts it (https://hbr.org/2015/05/dont-let-emotions-screw-up-your-decisions).

Emotional responses are at the core of successful social engineering and phishing attacks.  As an aside, that is exactly why the lures in PeopleSec’s SATE program lean so heavily on them.

In summary, emotions are hard to keep in check, and they cloud your ability to think.  So when you are stressed and emotional, Think Before You Click.  In practice that means pausing to check the sender’s address and the real target of the link (or opening the site from a bookmark instead of the link) before acting on an urgent message.

 

Social Engineering Attacks Driving Security Awareness

Social engineering and cybercrime are on the rise around the world, and business owners need to pay attention to current trends in information security (infosec).

In 2005, the United States Bureau of Justice Statistics reported that 60 percent of American companies had detected at least one instance of cybercrime. Tech giant IBM believes that businesses are much more likely to be targeted by cyber attacks than they were 10 years ago.

Despite the sophistication of today’s infosec strategies, the global cost of cybercrime is projected to reach $6 trillion annually by 2020.

The Human Aspect of Infosec

Business executives who are concerned about the security and integrity of their information systems should start paying more attention to their greatest source of weaknesses and vulnerabilities: their own employees.

Some of the most brazen and successful cybercrime groups take pride in their social engineering prowess. In mid-September 2016, the FBI arrested two suspects believed to have gained access to the personal email accounts of CIA Director John Brennan and Director of National Intelligence James Clapper. The suspects were part of the group known as “Crackas With Attitude”.  They did not break into anyone’s computer; they posed as Verizon technicians on the phone and talked customer-service staff into handing over the account details needed to reset the targets’ email passwords.

Through a series of telephone calls and electronic communications, malicious actors talk their way into networks and harvest key information about how a business operates. This is social engineering, and it is something the average employee may not be familiar with.

Preventing Social Engineering Through Security Awareness

One of the greatest weaknesses of infosec programs is that they often fall short on outreach and employee engagement. IT security procedures are often presented and enforced in a stern and ominous manner, which does not land with employees who have no context for why the rules exist.

Practicing good infosec in the workplace comes down to awareness. Attackers overwhelmingly target employees because they know that the average worker does not know much about infosec. Companies cannot expect entry-level clerks to be familiar with social engineering or to read CIO trade publications during lunch breaks.

Employees do not realize that they can unwittingly become attack vectors because they lack situational awareness; in other words, they are not familiar with how cybercrime groups operate.

Security awareness programs in the workplace need to go beyond drilling employees on their knowledge of infosec policies. Staff members must know why it is important to protect the information of their company, their customers, and their colleagues. The best information security measures will not help a company if employees remain vulnerable. Starting with simple steps can get most employees moving in the right direction.

7 Steps for Success with Security Awareness Training and Education (SATE)

The term “company culture” has been a buzzword for the last few years. While it brings to mind ping-pong tournaments and in-office happy hours, another element of company culture is on the rise: security. Even companies with the best product or service can fail with a weak security culture. The best way to prevent this is a strong security awareness training and education program, often shortened to SATE. If you’re wondering where to start, here are the essential components of a good plan.

A Plan for the Plan

Sounds redundant, right? But you can’t put together a good plan without a plan. Some companies opt for long-term plans that span a year or more; a shorter 90-day plan is more effective. It lets you reinforce what you’re teaching employees while re-evaluating goals every few months to see what is actually working.

Remain Realistic

Part of putting together a strong security awareness training and education (SATE) program is being realistic. Some things simply will not be tolerated, but banning all social media, for instance, is unrealistic. Chances are employees will spend some time on social media, particularly if your company uses social media marketing. Instead of hoping people will stay off it, offer useful tips on how to minimize security risk while using it.

Creativity is Key

Companies with big budgets might find putting together a plan easier than small companies on a tight budget. For small companies, that just means using a little creativity. For example, at the next team-building event, set up a booth staged with common security violations (an unlocked screen, a password on a sticky note, a visitor badge left on a desk). The team that identifies all of the violations fastest wins a prize.

Mix Up the Materials

Being creative also means using mixed materials to drive home the main components of the program. Too many companies think sitting employees in front of standard security modules is enough. Aside from being boring, that kind of teaching often doesn’t help people retain the information. Consider varied materials such as blogs, games, and newsletters.

Partner Up  

Creating a successful security awareness training and education (SATE) program requires working with other departments such as marketing and human resources, whose interests often overlap with your own. Instead of trying to do it alone, reach out and see how you can work together; the outside input also brings fresh ideas to the table.

Get the C-Suite Involved

Pretty much any project backed by the C-suite will be easier to pursue, and it will also be easier to get other departments involved. Winning that backing can be more challenging in bigger companies, where you might have to settle for senior management. In small companies, you might start by creating a short presentation or set of materials highlighting why a security awareness training and education (SATE) program is important.

Measure and Track Metrics

You only know whether your efforts are succeeding if you measure them. Before setting the ball in motion, get a baseline of employees’ awareness; this can include taking the temperature of people’s attitudes toward security. It is also important to know how many security incidents occurred before the program. Then, as you implement phases of the plan and see measurable results, share them with the C-suite as justification for the program and your efforts.
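One way to put the measurement step into practice, as an added example that is not part of the original post and not PeopleSec’s own tooling: a small Python script that turns phishing-simulation events into a per-campaign baseline and compares the baseline run with a follow-up run at the end of the first 90-day plan. The campaign names, recipients, users and event timings are constructed for the example; in real use they would come from your simulation platform’s export.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the original post): two hypothetical
# phishing-simulation campaigns against the same five recipients, a "baseline"
# run before training and a "day90" run at the end of the first 90-day plan.
# Each event is (campaign, user, event, minutes after the lure was sent); only
# a user's first occurrence of each event type counts.
RECIPIENTS = {
    "baseline": ["alice", "bob", "carol", "dave", "erin"],
    "day90": ["alice", "bob", "carol", "dave", "erin"],
}

EVENTS = [
    ("baseline", "alice", "clicked", 3),
    ("baseline", "alice", "submitted", 4),   # entered credentials on the lure page
    ("baseline", "bob", "clicked", 12),
    ("baseline", "bob", "reported", 20),     # clicked first, then reported
    ("baseline", "carol", "reported", 15),   # reported without clicking
    ("baseline", "dave", "clicked", 40),
    # erin ignored the mail entirely
    ("day90", "alice", "reported", 2),
    ("day90", "bob", "reported", 9),
    ("day90", "carol", "clicked", 30),
    ("day90", "carol", "reported", 31),
    ("day90", "dave", "clicked", 50),
    ("day90", "dave", "reported", 52),
    # erin ignored it again
]


def first_events(campaign, events):
    """Map each user to their earliest occurrence of each event type."""
    per_user = defaultdict(dict)
    for camp, user, kind, minutes in sorted(events, key=lambda e: e[3]):
        if camp == campaign:
            per_user[user].setdefault(kind, minutes)
    return per_user


def campaign_metrics(campaign, recipients, events):
    """Metrics for one campaign, expressed as fractions of all recipients."""
    per_user = first_events(campaign, events)
    n = len(recipients[campaign])
    clicked = {u for u, ev in per_user.items() if "clicked" in ev}
    submitted = {u for u, ev in per_user.items() if "submitted" in ev}
    reported = {u for u, ev in per_user.items() if "reported" in ev}
    # The behaviour training is trying to produce: report it and do not click.
    clean_reports = reported - clicked
    report_times = sorted(per_user[u]["reported"] for u in reported)
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "clean_report_rate": len(clean_reports) / n,
        # Minutes until the first report: how long responders are blind to the lure.
        "first_report_minutes": report_times[0] if report_times else None,
        "median_report_minutes": median(report_times) if report_times else None,
        "clickers": clicked,
    }


def compare(before, after):
    """Change in each rate from the baseline, in percentage points."""
    rates = ("click_rate", "submit_rate", "report_rate", "clean_report_rate")
    return {k: round((after[k] - before[k]) * 100, 1) for k in rates}


def repeat_clickers(before, after):
    """Users who clicked in both runs: candidates for targeted follow-up."""
    return sorted(before["clickers"] & after["clickers"])


if __name__ == "__main__":
    base = campaign_metrics("baseline", RECIPIENTS, EVENTS)
    day90 = campaign_metrics("day90", RECIPIENTS, EVENTS)
    for name, m in (("baseline", base), ("day90", day90)):
        print(f"{name}: click {m['click_rate']:.0%}, submit {m['submit_rate']:.0%}, "
              f"report {m['report_rate']:.0%} (clean {m['clean_report_rate']:.0%}), "
              f"first report at {m['first_report_minutes']} min")
    print("change (pp):", compare(base, day90))
    print("repeat clickers:", repeat_clickers(base, day90))
```

Report rate and time to first report are the figures worth watching alongside click rate: a low click rate with nobody reporting means a real phish is still only discovered after damage is done, whereas the first report is what lets responders pull the message from everyone else’s inbox. Use the repeat-clicker list for targeted coaching, not for naming and shaming; publicly punishing clickers suppresses reporting, which is the number you most want to rise.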

 

Why Implement a Security Awareness Training Program?

Security systems are only as strong as their weakest link, and in modern information security that link is usually a human. Even the best security system is defeated when a user gives away their password. Multi-factor authentication limits the damage, but an attacker who can talk a user out of a password can usually talk them through the MFA prompt as well. The way to prevent this is to make sure everyone in the company has an adequate level of security awareness.

What Can Security Awareness Accomplish?

The primary purpose of security awareness training is to ensure that everybody in the company understands how to avoid security breaches. Attackers can still do some damage even if everyone does everything right, but it makes their job a lot harder. Employees who learn to recognize the warning signs of an attack can also take steps to minimize the damage, which includes not making things worse before the security team resolves the problem.

Understanding is Important

Some companies try to save time by handing their employees a list of rules to follow instead of teaching them about the underlying security risks. A list of rules is better than nothing, but it suffers from a few fundamental problems.

People who follow a strict list of rules without understanding why they are in place cannot deal with unexpected situations. Even people who make every effort to follow the rules to the letter run into trouble when they hit something the rules do not cover. Nobody writing a list of rules can anticipate every problem that could possibly happen, so this is inevitable.

Of course, not everybody is going to follow the rules perfectly. People tend to ignore rules they think are arbitrary, which makes perfect compliance hard to achieve unless employees are taught why the rules matter. A company that takes the time to explain why each rule is relevant will probably get better results by teaching a broader understanding of information security issues.

Why Is Security Awareness Training and Education Important?

Keeping up with the changing security landscape by providing Security Awareness Training and Education (SATE) is vital for business owners. Professionals need to stay on top of potential security threats not only from the outside but also from within the company. When employees have access to all types of data, business owners need to make sure their security approach accounts for that; it is crucial to protecting the company’s information and assets. Cyberspace has revolutionized business processes, but it has also opened companies up to a variety of concerns, including phishing and information leaks. Therefore the right Security Awareness Training and Education (SATE), sometimes called Cyber Awareness Training, is paramount to the success of the business.


Security is Never Guaranteed 

Taking the extra steps toward comprehensive and reliable human security is a must because a company’s security is never guaranteed. The behavior of a company’s employees will always affect whether information is breached. Many business owners were surprised to learn how many incidents originate inside the company as accidental information breaches. While employee mistakes may be the biggest source of data breaches, well-trained employees are also one of the best ways to prevent outright losses. Everything begins and ends with the company’s employees, and it is up to business owners to educate them with proper Cyber Awareness Training.

Practicing Awareness 

It is not feasible to simply disconnect systems; connectivity is a must in today’s business. Training employees to practice proper security awareness, however, can be made easy. One of the best ways to improve long-term information security and protect the company from malware and from mistakes made inside the company is to invest in good Security Awareness Training and Education (SATE). The right educational processes can have a tremendously positive effect on your business, even more so if business owners have a small group that focuses on security.

Awareness is the Law 

Staying aware of potential security risks is not just an important aspect of managing the company; in many sectors it is also a legal requirement. Numerous regulations require business owners to stay on top of their cyber security, especially in sectors such as the federal government, healthcare, and financial services. HIPAA, for example, requires a security awareness and training program for the workforce, and the GLBA Safeguards Rule and PCI DSS carry comparable training requirements. Investing in appropriate cyber security training lets professionals avoid potential legal issues as well as breaches. Staying on top of the security basics allows owners to hedge their business investment against all types of long-term problems and concerns.

Applying Training Programs 

Successfully transitioning from a weaker cyber security posture to a stronger one requires business owners to organize both application-specific training and general training on the systems that support the business. These procedures ensure that business owners improve overall awareness, and they specify the exact programs and procedures as they apply to the company. Periodic refreshers make sure that employees keep up with technological changes in the workplace.

A successful Security Awareness Training and Education (SATE) program starts with a few easy steps.