Myth busted: Policies and training will not automatically fix security issues

Educating users is critical as they are often the weakest links, but don’t exclusively focus there.
By Jessica Davis
09:26 AM

On the surface, adjusting an organization’s security posture, including better enforcement and employee training, is a solid fix to security issues. There are few security leaders who would deny that user training is not only important -- it’s critical. But much like other security needs, relying on a few different techniques and tools just isn’t enough.

“It’s true the weakest link in the cybersecurity chain is the user,” said John Riggi of BDO Consulting. “A common way for adversaries to gain access to a network is through email. It’s hard to tell the difference between legitimate emails and fake ones.”

[See them all: 10 stubborn cybersecurity myths, busted]

Employee training and awareness is critical, he added. “You need a culture of information security in your organization. Great protection is when the C-suite understands this risk and emphasizes it within the organization.”

Humans, after all, are prone to make mistakes. “But the idea of just educating the user and not investing in an in-depth defense strategy with proper controls, monitoring and the like is a formula for disaster,” said CynergisTek CEO Mac McMillan. “Policy and education alone doesn’t stop anything. There are ways around it with an authorized user.”

The examples of hackers getting in through a user are endless, and many of these organizations had education tools in place. New York’s Kaleida Health had to notify its patients not once -- but twice -- that their personal health information was compromised in two separate, successful phishing attacks just one month apart.

Further, for the first half of the year, insiders were responsible for 91 breaches or 41 percent. In fact, the largest breach so far in 2017 was caused by a malicious insider who obtained the personal information of 160,000 Med Center Health patients in Bowling Green, Kentucky.

The breach highlights an important issue: Humans will act on their own free will, even with education and policies in place.

And consider this: It’s common sense to most of the population to avoid suspicious emails. But what happens when those emails are so well-crafted that there’s no way to tell the difference between a legitimate email and a malicious one?

User training programs, such as phishing-as-a-service campaigns, aren’t designed to be the only means of fully securing a network, said Troy Gill, Manager of Security Research for AppRiver.

“A common security misnomer that I see all the time is the idea that a good security solution in one area justifies a trade-off or being more lax in another,” Gill said.

The entry point for many of these successful breaches was a cleverly crafted email or social engineering attack. Hackers are truly stepping up their sophistication when launching these ransomware and phishing campaigns.

For example, a new ransomware campaign was discovered in August targeting the healthcare industry. What made it notable was the smaller, targeted approach the hackers took: customized emails intended to lure the victims into clicking. The emails went as far as to include company logos and were written as if from the hospital’s director of information management and technology.

The hackers poached the names of intended victims from distribution lists, like group chats and web support.

It’s also important to note that education doesn’t eliminate risk, as a great number of attacks are launched using vulnerabilities in systems that most users don’t have access to, like medical devices.

“Leaders need to take an inventory of the IT assets, through a process of interviewing within the enterprise to determine the data being used, the programs using the data and how it moves through the organization,” said Judy Selby, senior advisor at Hanover Stone Partners.

By using data mapping, an organization can determine the assets held within an organization, understand the networks within the enterprise and how the data moves within it. It’s a lot like plumbing in a house: You have to know where the pipes go and how the water flows, Selby said.

“Employees are the weakest link, but it’s not everything,” said Eva Velasquez, CEO and president of the Identity Theft Resource Center.

Much like water takes the path of least resistance, hackers are constantly looking for the weakest link. So even if you shore up the risk of your employees, there are many other ways for cybercriminals to gain access.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com