- Educate end users on the reasons behind corporate security policies and the nature of social engineering to help reduce risky behavior.
- Ensure end users understand corporate policies around the use of personal smartphones and tablets for accessing corporate resources.
With this year’s huge rise in the awareness of advanced persistent threats (APTs), now would be a good time to focus on educating employees not only about corporate policies and government mandates, but also about the growing risk that these APTs pose to the organization. By educating end users about the reasons behind the policies, as well as the nature of such attacks, security professionals can get better buy-in from those end users, increasing the likelihood of changing risky end user behavior. Given that these APTs gain entry through increasingly sophisticated spear phishing attempts, encouraging heightened vigilance among end users could be an additional tool in the security practitioner’s toolbox. Attackers are adept at identifying users within the organization who have the credentials to access systems with sensitive data, and then sending e-mails that appear to be legitimate and contain links to sites hosting malicious code or attached documents infected with malware; as a result, end users become the weak link in the chain of trust. In addition, the combination of the growing BYOD phenomenon and the upcoming Christmas shopping season makes this an ideal time to remind end users of the dangers of careless Internet usage as well as corporate policies regarding smartphones and tablets.
One only needs to go down the list of this year’s well-publicized breaches (e.g., RSA, Oak Ridge National Labs, HBGary Federal; not to mention the 72 unnamed companies in McAfee’s Shady RAT report) to understand that APTs are on the rise. Many of those attacks start with spear phishing e-mails that manipulate the end user via social engineering tricks. While threat management vendors are moving to address the holes in their security offerings that are exploited in later stages of APT attacks, and enterprises are looking for new tools to add to their arsenal such as forensics and analytics, end users can and should be a part of the defense.
Check Point got it right in its 3D Security initiative, which stresses the integration of policy, people, and enforcement. When it comes to the people part, Check Point believes end users need to be engaged and educated on security policy enforcement. In its URL filtering and application control software blades, Check Point provides a UserCheck feature, which includes a pop-up warning whenever a user is about to do something that violates a policy. The warning explains why the action violates policy, gives the user a heads up that their actions are being monitored, and provides them with an opportunity to explain why a particular action should be exempted from the policy (for good business reasons).
In a survey of 2,400 IT security practitioners done earlier this year for Check Point, the company learned that 48.8% believe their organizations’ employees have little or no awareness about their data protection or corporate policies. With the attack on intellectual property and anything else of value turning into an all-out war, that kind of ignorance is really not an option any more.
Check Point’s own internal approach includes requiring new hires to read over specific security information; then, before gaining access to the corporate network, they must correctly answer 20 online questions. While that has overtones of Big Brother attached to it, it does also convey the gravity of the policies put in place to prevent data breaches and compliance violations.
The BYOD phenomenon also increases the importance of proactively educating users about corporate policies related to the usage of those devices for work purposes or for connecting to the corporate network. In its fourth annual “Shopping on the Job Survey,” ISACA found that online shoppers intend to spend an average of 32 hours shopping online this holiday season, and half of those hours will be on a work-supplied device or a personal device also used for work. Security practitioners may want to consider sending an e-mail blast to employees before Black Friday rolls around reminding them what those policies are, in addition to sharing with them ISACA’s tips for end users:
- Understand the policies for connecting to corporate networks.
- Understand what happens if your organization considers your device a security risk.
- Follow ISACA’s five-step “ROUTE” for geolocation.
- Enable security features, including encryption and passcodes.
- Ensure you have current operating systems and updates.