Awareness Is Not Understanding: The Missing Link in Cybersecurity Awareness Campaigns

Written by shanni | Published 2022/11/04
Tech Story Tags: cybersecurity | security | cybersecurity-awareness | information-security | cyber-security-awareness | cybercrime | cybersecurity-top-story | cyber-security-trends

TL;DR: The reason cybersecurity awareness campaigns don't work isn't that they're boring. Rather, they don't show users why they should care. Every other kind of awareness campaign shows its audience that they have skin in the game; cybersecurity campaigns should as well.

In the past decade, cybersecurity has steadily worked its way into the global consciousness. What used to be relegated to technology professionals is now something the average individual hears about on a monthly basis as some new breach or cyber-attack makes the news. Just in the past two years, we’ve seen countless schools come to a grinding halt as a result of ransomware attacks, a significant security incident at Twitter leading to the compromise of high-profile user accounts, and a week-long shutdown of a major American gas pipeline.

What usually doesn’t get mentioned in these headlines, however, is the cause of the attack. As a result, the general public is forced to assume that hackers have some super-powerful technological capabilities beyond what they could ever comprehend. As an ethical hacker, I can attest to the fact that compromising an organization’s technology requires some impressive skills. But do you know what is much easier than exploiting technological vulnerabilities? Exploiting people. Using social engineering, cybercriminals (and red teamers) can forgo the time, patience, and technical knowledge needed to bypass a company’s technological defenses and gain an “in” to their target by playing to people’s wants and needs. As such, it is no surprise that upwards of 70% of breaches are the result of social engineering.

Acutely aware of the vulnerability posed by their own workforce, companies have increased their investments in cybersecurity training. However, this training does not seem as effective as desired. Despite 85% of employees in the US and UK participating in training, one-third of them do not grasp the importance of cybersecurity and 30% do not believe that they make a personal impact on their company’s cybersecurity. Clearly, cybersecurity campaigns do not work. The million-dollar question is why?

While many blame boring training, engaging and gamified campaigns don’t seem to make a significant difference. As someone who has been on both sides of awareness campaigns – the person responsible for developing an employer’s campaign and an employee required to complete the training – I firmly believe that we don’t give people a reason to care about cybersecurity. These trainings focus on recognizing security risks, following company policies, and adopting cybersecurity practices. Although these are all necessary points, the trainings don’t cover why cybersecurity practices are important, at least not beyond the vague “this can give attackers a way into your organization” or “you’ll get hacked”. In order for rules to have any effect, the consequences need to be clear.

Of course, those of us in the cybersecurity industry are intimately familiar with the consequences of poor security practices. Opening a malicious file can lead to remote code execution, allowing an attacker to deploy ransomware and bringing a company to its knees. Logging into a phishing site gives malicious actors your credentials which can then be used to access company data to be sold. To us, the risks are clear. When we tell children to look both ways before crossing a street, we assume that the reason is obvious – you may miss an oncoming car and be run over. However, to a person without the necessary context, this guidance seems arbitrary.

There are those who hesitate to explicitly provide the context lest they scare end users, but honestly, users should be scared. Cyber attacks are scary, not just if you’re responsible for incident response, but also if you get to work in the morning and see that you can’t do your job. Not to mention that the impact of a security incident may go beyond your work life. If attackers access HR records, it is safe to assume that the forms you completed when accepting your job are being reviewed for your name, address, and social security number. Very quickly, a case of a company breach can become an individual issue of identity theft. And if you ask any victim of identity theft, they will definitely tell you that it is very scary. Unfortunately, these real-life consequences are rarely, if ever, presented in training.

I find this reluctance to clarify the effects of a cyber attack to be quite baffling, as it runs counter to almost every other part of life. Consider physical security: many of us lock our doors when we aren’t home to protect against burglary. However, those who live in quiet or safe communities, and who have no fear of burglars, may be laxer with their home security. Without knowledge of the risk and a reasonable fear of it, security controls, both physical and digital, mean nothing.

Other awareness campaigns know the power of showing the consequences.

Drunk driving campaigns typically share tragic stories of drunk drivers, as do campaigns instructing drivers not to text while driving. No one would argue that these campaigns instill unreasonable fear – hurting (or worse, killing) someone because you acted recklessly is very scary. Fear can be used as a manipulative sales tactic, but when the exact risk is explained and people realize they have skin in the game, people have an innate desire to protect themselves.

Until cybersecurity training adopts the technique of educating users on exactly what cybersecurity practices prevent and how attacks impact them, social engineering will remain the most common attack vector for company breaches.

Written by shanni | Cybersecurity consultant specializing in threat modeling, architecture security, and application penetration testing.
Published by HackerNoon on 2022/11/04