Cybersecurity remains a top priority for companies in all industries. The reason is clear. Criminals and other parties have access to inexpensive tools and training to attack companies and governments. The New York Times reported on the rise of ransomware earlier in 2015. This type of malicious software encrypts a user’s data and demands a payment to release it (or the data will be destroyed).
Many companies are deploying greater resources to turn the tide against hackers: Google has a team of 10 full-time hackers working to eliminate flaws. Given these threats, executives and technology leaders are asking for best practices and technologies. Developing security awareness in staff, growing security professionals and equipping CIOs to monitor security remain vital components of a successful security management strategy.
The next wave of security testing: send phishing emails to employees
The capabilities and knowledge of your organization’s customers and nontechnical staff have long been one of the greatest cybersecurity threats. The ability to persuade people and defeat security measures is known under the broad heading of social engineering. Social engineering tactics – specifically phishing emails – were at the core of the 2011 RSA SecurID breach, which shook confidence in security across the world. As that incident shows, even highly respected firms and security technologies are vulnerable to social engineering threats. Leading companies use several approaches to mitigate the risk.
“At Cisco, we have a comprehensive training program that addresses information security,” commented Patrick Harbauer, technical lead for the Neohapsis PCI DSS services practice at Cisco Systems. “Annual training and computer-based testing is a key part of our practice to equip our staff with the skills to detect and avoid phishing and similar information security threats,” Harbauer says.
“Recently, our organization began testing the effectiveness of our training by sending out phishing emails to see if staff fell for them. I actually received one of these test emails – supposedly concerning Amazon Prime – and it was difficult to detect!” Testing the effectiveness of security training is becoming more important because the old guidance to detect phishing emails – e.g. lack of company logos or poor grammar – is less effective. “Many phishing emails today use code, images and other material lifted directly from a company’s website so they appear to be legitimate,” says Harbauer.
“At Lockheed Martin, our security approach includes monitoring for high risk behavior flags. These flags are then investigated by a specialized team. For example, if an employee suddenly starts logging into the company network at 3am where they previously never did so, that would raise a flag,” comments Angela Heise, vice president, commercial markets at Lockheed Martin. “Of course, that person could have decided to check email after taking care of a young child in the night, so judgement is required to evaluate these flags,” she says.
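The behaviour flag Heise describes is, at its simplest, a per-user baseline of normal login hours and a check for logins that fall outside it. The following is an added illustration of that idea, not Lockheed Martin's system or any code from the article: the log format (timestamp,user,result), the sample lines, the cut-off date and the `tolerance`/`min_history` parameters are all constructed for the example. It produces flags for review, not verdicts, which is the point Heise makes about judgement.

```python
"""Flag logins at hours a user has not used before (per-user baseline).

Added example, not Lockheed Martin's or the article's code. A baseline of
login hours is learned from each user's past successful logins; later
successful logins at an hour outside that baseline are raised as flags
for a human analyst to review.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (hypothetical CSV: timestamp,user,result).
# alice works office hours, bob works a night shift, carol is a new account.
SAMPLE_LOG = """\
2015-06-01T08:55:12,alice,success
2015-06-02T09:02:41,alice,success
2015-06-03T08:47:05,alice,success
2015-06-04T09:10:33,alice,success
2015-06-05T08:58:19,alice,success
2015-06-01T22:01:00,bob,success
2015-06-02T22:05:30,bob,success
2015-06-03T21:58:12,bob,success
2015-06-04T22:12:44,bob,success
2015-06-05T22:03:09,bob,success
2015-06-08T03:04:10,alice,success
2015-06-08T22:10:00,bob,success
2015-06-08T03:30:00,carol,success
2015-06-08T03:31:00,alice,failure
"""

# Events before this constructed cut-off form the baseline; later ones are evaluated.
CUTOFF = datetime(2015, 6, 6)


def parse_log(text):
    """Parse CSV lines into (datetime, user, result) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def build_baseline(events, cutoff):
    """Collect the set of login hours and the login count per user before cutoff."""
    hours = defaultdict(set)
    counts = defaultdict(int)
    for ts, user, result in events:
        if result == "success" and ts < cutoff:
            hours[user].add(ts.hour)
            counts[user] += 1
    return {"hours": dict(hours), "counts": dict(counts)}


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def flag_unusual_logins(events, baseline, cutoff, min_history=5, tolerance=1):
    """Return review flags for successful logins after cutoff at unusual hours.

    Users with fewer than min_history baseline logins are skipped: there is
    no 'normal' to compare against yet, and new accounts need a separate rule.
    An hour within `tolerance` hours of any baseline hour counts as normal.
    """
    flags = []
    for ts, user, result in events:
        if ts < cutoff or result != "success":
            continue
        if baseline["counts"].get(user, 0) < min_history:
            continue
        seen = baseline["hours"].get(user, set())
        if any(_hour_distance(ts.hour, h) <= tolerance for h in seen):
            continue
        flags.append({
            "user": user,
            "timestamp": ts.isoformat(),
            "hour": ts.hour,
            "baseline_hours": sorted(seen),
        })
    return flags


def run_example():
    """Run the full pipeline over the constructed log and return the flags."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, CUTOFF)
    return flag_unusual_logins(events, baseline, CUTOFF)


if __name__ == "__main__":
    for flag in run_example():
        print(f"REVIEW: {flag['user']} logged in at hour {flag['hour']:02d} "
              f"({flag['timestamp']}); usual hours {flag['baseline_hours']}")
```

On the constructed log only alice's 03:04 login is flagged: bob's 22:10 login matches his night-shift baseline, carol has no history to compare against, and alice's failed attempt at 03:31 is not a login. Whether alice's flag is an intrusion or a parent checking email at night is exactly the judgement call Heise describes, which is why the function returns a review item rather than a block decision.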