In the world of modern cybersecurity, experts are always looking to identify and mitigate what are known as Advanced Persistent Threats (APTs). What cybersecurity professionals know that most organizations don’t is that APTs aren’t always what you think they are.
It’s often stated that the most dangerous device on your network is organic. That includes you, me, your parents, your kids and your—wait for it—employees.
And now that the threat landscape is expanding as fast as the current COVID-19 pandemic, there is even greater risk of a security incident stemming from human error.
In all the incident response and destructive breach cases I’ve been a part of, aware of, or have studied, the vast majority originated internally through phishing, poor decisions, lack of visibility, lack of leadership, and non-existent awareness training programs. That’s correct, there was an “organic device” that was the weakest link. This doesn’t mean our “organic devices”—also known people—are idiots. From a business context, this actually means that we’ve failed; we as leaders have dropped the ball.
Unfortunately, attackers are taking advantage of the current pandemic to attack your people and prey on their growing vulnerable state.
Attacking this problem head on begins with awareness training. Just to confirm, awareness training is not just giving employees access to training software (no offense to the great awareness software programs out there). Awareness training is a full program that includes great software along with in-person training, then testing, retraining, more testing and more training.
Remember, if you don’t invest in your employees, someone else will.
As a sales and marketing leader, I usually see this statement as it relates to employee retention. Now, think of it in the context of data retention and reputation. If you’re taking shortcuts with your employee cybersecurity awareness training, or you're not investing in proper training altogether, I guarantee you that the cyber-criminals will invest in manipulating or training your employees to act on their behalf. The scariest part is; without proper training, your employees may not even realize what is happening, and it could happen without you or your IT team ever seeing it on the radar.
I’ve witnessed a lot of credentialed access provided through the simple manipulation of people with the best intentions. For example, a company official who wire transferred a large sum of money to an account they thought was perfectly legitimate. And it all started when the cyber-criminal watched for trends, then social engineered the company official to convince them that they were someone they were not. This all could have been stopped with a “trust but verify” approach. One call could have saved thousands, tens of thousands, or millions of dollars. Training, testing, training, rinse and repeat.
It’s also important to remember that while your people may stop working for you at the end of the day, cyber-criminals, bad actors and rogue government agencies don’t ever stop working on them... Day, night and especially working from home.
Of course, there’s more to protecting data than training your internal, organic APTs. Within any compliance framework, there are recommended (and often required) sets of policies, procedures and controls. In most cases these are complex statements around how exactly you are protecting critical data, privacy and infrastructure. But all the policies, procedures and controls in the world are meaningless if they’re not aligned to your business, put into practice, tested, and enforced.
What’s your data access policy (or control)? Is it current? Has it been tested? Have you enforced it? Are you 100% sure you don’t have former employees with unrestricted access to critical data? Does it align with new work from home requirements?
In many cases, cyber-criminals know the answers to these questions better than you do. That’s why your people are the ultimate organic APT.
Side note: Because I’m focusing on your people/employees today, I won’t even ask about the vendors who may have access to your data, and what you really know about them (you can watch our video on Supply Chain Risk for more information).
We all know that cybersecurity is now a business initiative, no longer relegated to the IT department. So, if you’re a “C-Suite” executive, or corporate board member, you may not be involved in your company’s executable cybersecurity agenda at a granular level, but you have to lead the charge. After all, it's your company at stake and you are the person most likely to take the heat if data is compromised.
To learn more about IGI's Security Awareness Training, vCISO, Compliance Readiness Assessments, Incident Response, or other cybersecurity services, contact firstname.lastname@example.org.