You’re probably already aware that the most pressing cybersecurity issue is finding ways to keep end users from succumbing to social engineering attacks. Let me tell you quick a story about one of our efforts to stem the tide. It involves dozens of state legislators from the United States, a really cool guy named Reggie Tompkins and a lost Norelco electric shaver.
A couple of months ago, the U.S. state senators who run the National Conference of State Legislatures (NCSL) realized that they needed to focus on cybersecurity. When they first requested a presentation, they said they knew they were targets for various state actors and gangs, simply because their email addresses end in “.gov.” They’re right. I’ve heard the same thing at a corporate round table and from the British Army and Indian Army.
So, in addition to hearing reports from various state chief information security officers (CISOs), the senators asked CompTIA and IBM to provide additional thoughts about cybersecurity awareness and the skills employees need in the workplace.
That’s how I met Mr. Tompkins. He works for IBM, helping state governments and health care companies put security solutions in place. A couple of months ago, he and I began planning our mid-May presentation. It was a ton of fun – we made the presentation very interactive. In addition to the selfie we took, we were able to discuss essential end-user security awareness steps.
5 Steps for End-user Security Awareness
- Find regular opportunities to improve end-user resilience to social engineering: Don’t just train during onboarding or once a year. Create teachable moments at least quarterly.
- Be patient, but hold end users accountable: No one wants to become the cybersecurity police. But at some point, it’s necessary to remember the early ethos of the internet: We’re all responsible for making this thing work.
- Protect end users with a layered approach to security: We’ve heard a lot about layered security over the years, but usually, it’s not in the context of end-user security. All of the backups, network segmentation and monitoring are really here to protect data and end users.
- Reduce choice: With the myriad devices that folks are bringing into the workplace, sometimes it’s necessary to allow a “BYOD minus” policy. It’s tough these days to restrict end users. But, our case was helped by a serendipitous development. Just the day before, IBM had banned all removable storage for its employees!
- Implement multifactor authentication: It’s much easier to secure data and end users if you’re able to get beyond the simple password. The days of single-factor authentication are coming to a close.
We capped off a terrific series of presentations that highlighted the importance of layered security. Bo Reese, chief information officer of Oklahoma, said he is confident that 53% of his systems are under constant attack, mostly from internal employees. He did not place blame on disgruntled workers, but on social engineering. He then said he found that the remainder of attacks originated from outside the United States.
Deborah Blyth, Colorado’s chief information security officer, then discussed the major ransomware outbreak the state experienced in February. She was careful to note that it originated from a duped end user and some issues with initial containment.
It was fascinating to hear her talk about how she, the Colorado Department of Transportation (which had been hit by ransomware earlier in the year), the FBI and the U.S. Federal Emergency Management Agency (FEMA) were all able to stand up incident control centers to help minimize damage and recover from the attack.
According to the presentations, essential IT and security employees need the ability to implement four things:
- Backup: This is the major step that saved Colorado. Ms. Blyth noted that its 2017 Backup Colorado campaign had put a robust set of backups in place. She said that if those hadn’t been in place, no meaningful, timely response would have been possible.
- Network segmentation: The presenters didn’t use the term resilience, because that’s an overly technical term that state legislators would ignore. But, it was clear that state CISOs have been implementing virtual local area network (VLAN)-based segmentation, as well as some software defined networking (SDN) moves.
- Multifactor authentication: More states are implementing two-factor authentication to protect end users, in addition to server and cloud resources.
- Continuous security analytics monitoring: It’s not enough to backup, segment and authenticate. It’s also necessary to monitor, often with third-party employees.
But, none of these things replace end-user awareness training. It’s the most important part of a layered security plan. Today, we’re seeing an increase in problems such as fileless attacks, which is where attackers use software tools that are simply just lying around. It’s all the more important, then, for end users to be educated in responsible behavior.
Near the end of our discussion with the state senators, we began discussing some of the close calls – Thomas Alexander, a North Carolina state senator called it a close shave – they have had with social engineering, both personally and with their staff and colleagues. When Sen. Alexander made his remarks, I suddenly remembered that I had checked out and left my shaving kit back at the hotel.
Alas, I called the hotel, but no one could find it. Well, there it goes. Another sacrifice to the travel gods. I’ve left a suit jacket in India, a belt and headphones in London, and a power adapter in Abu Dhabi. And now my beloved shaving kit, complete with a Star Trek pin from my daughter-in-law. Oh well.
But at least this time, I can weave it into a positive experience: Without focusing on end-user security, governments all over the world would be in for a lot of close shaves.
In spite of my tragic loss, Reggie and I had a great time talking with legislators from California, South Carolina, Rhode Island, Texas, Oregon, Washington, Florida and elsewhere. It was a fun opportunity to build awareness for quality end-user training at the state government level. I love being able to get the message out on a top-down basis.
Whether you're a novice end user or the one training them, CompTIA has a certification for you. Find out which CompTIA certification is best for you.
