End User Security Training

The Human Factor in Preventing Data Breaches – Security Training

There are several programs an IT professional can implement to make their organization’s IT infrastructure less vulnerable to a cyber attack. However, recent evidence indicates that an educated user base may be the best line of defense, which makes security training essential for companies. According to the 2018 Cost of a Data Breach study conducted by the Ponemon Institute, 25% of data breaches in the U.S. are triggered by human error. These errors include misdirected email and failure to properly delete sensitive data once it is no longer needed. Intentional but non-malicious actions by staff, such as permitting unauthorized access, disclosing data to a trusted colleague or friend, or merely snooping, are an avoidable source of breaches. An additional 30% of data breaches are the result of “social engineering”: efforts by attackers to manipulate unwitting users into handing over credentials that allow unauthorized access to a secure system.

Social Engineering Techniques

There are several techniques attackers use to get a user to hand over information or access, which is why security training matters. Some of the most common forms are:

Phishing. Most of us have seen phishing attacks, which are usually emails supposedly from social web sites (such as Facebook), financial institutions (such as banks or credit card companies), IT organizations (such as Microsoft or Google), or even the Government. The emails typically ask the user to call, email, or text the organization “to confirm their identity” by providing a username and password; the contact information is fake and routes the user to the attacker. While some of these attacks are laughably crude, full of misspellings and poor grammar, phishing attacks are becoming increasingly sophisticated.
Spear phishing takes the phishing concept to a higher level. The primary difference is that spear phishing is directed at a specific target individual or organization. The attacker researches the target, gathering information from public sources, and uses it to send a sophisticated and believable email with the intent of getting the unsuspecting user to provide login credentials or download malware. The email may profess to come from an executive or a loved one seeking help or giving instructions. A sophisticated spear-phishing attack is hard for an untrained user to defend against. In 2016, an employee of Snapchat sent sensitive payroll data to a spear phisher masquerading as the company’s CEO. Spear phishing scams are estimated to cost organizations about $1 billion per year.
Pretexting. Most people have seen the physical form of this scam on television: a private eye gets a hotel room number by pretending to be a friend of the guest, for example. In the IT world, an attacker may hold a small piece of information about a target, such as the last four digits of their social security number or their birth date, and uses it to establish credibility and extract more, such as bank credentials, credit card numbers, or a full social security number.

Rogue software masquerades as a free anti-virus or anti-spyware application while doing the opposite of what it claims. Organizations usually combat rogue software with controls such as next-gen endpoint protection and managed firewall services. However, home computers and laptops may not have those controls, and their users may unwittingly carry infections into the organization.

A quid pro quo attack is often part of a phishing or spear-phishing attack. As the name implies, it offers something (such as a “quick” bug fix or security patch) in exchange for something from the user (such as login credentials “to permit remote access,” or briefly turning off an anti-virus application). The offeror typically poses as a help desk worker from an IT firm or assumes the identity of an IT professional within the target’s own organization.
Baiting, long the most tried and true method of scamming individuals, entails dangling bait in front of a user to get them to “bite,” that is, take an action that lets malware into the IT environment. Like phishing, baiting can be general and undirected, or sophisticated and targeted at a specific individual or organization. The bait may be an enticement (such as pornography or offers of money) or a threat (such as fictitious impending legal action or actual blackmail).
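The cues a trained user is taught to check on a suspicious email (an executive’s name on an outside address, a look-alike sender domain, a Reply-To that diverts the conversation, a link whose visible text disagrees with its real destination) can also be checked mechanically. The following is an added example written for this page, not ETTE’s or Wizer’s code: the organization domain `example.com`, the executive roster, and both sample messages are constructed for illustration, and the look-alike test is a deliberately simple digit-for-letter normalisation plus an edit-distance check, not a complete typosquat detector.

```python
"""Heuristic checks for the spear-phishing cues described above.

Added example; not code from ETTE or Wizer. The domain, executive list
and sample messages are constructed for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the organization's own domain and the executives whose
# names attackers most often borrow for "CEO fraud" emails.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample: CEO display name on a look-alike domain (digit 1 for
# letter l), a Reply-To elsewhere, and a link whose text hides its target.
PHISH_EMAIL = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-urgent@mail-relay.invalid
To: payroll@example.com
Subject: Urgent: W-2 data needed today
Content-Type: text/html; charset=utf-8

<p>I need all employee W-2 forms before my 2pm call.</p>
<p><a href="http://examp1e.com.login-verify.invalid/">https://portal.example.com/login</a></p>
"""

# Constructed sample: the same request sent legitimately.
SAFE_EMAIL = b"""From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: W-2 forms
Content-Type: text/html; charset=utf-8

<p>Please upload the W-2 forms to <a href="https://portal.example.com/login">https://portal.example.com/login</a>.</p>
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; small enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain, trusted):
    """True when domain is a near miss of trusted: common digit-for-letter
    swaps (0/o, 1/l, 3/e, 4/a) or a single-character edit."""
    if domain == trusted:
        return False
    if domain.translate(str.maketrans("0134", "olea")) == trusted:
        return True
    return _edit_distance(domain, trusted) <= 1


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Return a list of human-readable findings; empty means no cue fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = _domain(addr)
    # 1. An executive's display name on an address that is not that executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used by {addr}, expected {expected}")
    # 2. Sender domain that is a look-alike of our own.
    if from_dom and from_dom != OUR_DOMAIN and looks_alike(from_dom, OUR_DOMAIN):
        findings.append(f"sender domain {from_dom} is a look-alike of {OUR_DOMAIN}")
    # 3. Reply-To that sends the conversation somewhere other than the sender.
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To {reply} differs from From domain {from_dom}")
    # 4. Link text showing one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = _LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, text in extractor.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link shows {shown} but goes to {real}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("safe", SAFE_EMAIL)):
        print(label, phishing_indicators(sample) or "no indicators")
```

None of these cues is proof on its own (a genuine executive may well mail from a personal account), which is exactly why the page treats them as training material rather than as a filter rule: the point is that a user who sees one of them pauses and verifies out of band before acting.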

ETTE Can Help

ETTE, through its partner company Wizer, provides some of the most effective security awareness training available. The online security training course is engaging, easy to incorporate into your IT environment, and strongly supported at both the user and technical level.

The most effective training program is one where trainees must apply what they learned regularly after the training, and our program is built around that. Following completion of security awareness training, the organization’s managers and IT professionals can create drills to test users’ security awareness. These drills send simulated phishing emails and other simulated social engineering attacks to confirm that users retained their training. Users who are successfully phished can be scheduled for further instruction.

As can be seen from the graph below, studies on the effectiveness of training typically show a roughly 50% reduction in phish-prone staff immediately following the exercise. However, the most dramatic results (over a 90% reduction after one year) come from the regular practice that ongoing attack simulations provide.

[Figure: bar graph of phish-prone percentage over a 12-month period, based on 6 million users. Baseline at month 1 (start of training): 27%. Month 3 (end of the training period): 13%. Month 12: 2.17%.]
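The drills and the phish-prone percentage above rest on a small amount of back-end plumbing: each simulated email carries a link that can be traced to exactly one recipient, hits on that link are logged, and the percentage of the roster that clicked is computed per campaign so that clickers can be enrolled for remediation. The following is an added example written for this page, not the code ETTE or Wizer run: the secret, the roster, the campaign names and the web-server log lines are all constructed for illustration. The per-user token is an HMAC over campaign and recipient, so the link carries no identity in the clear and a guessed or tampered token maps to no one.

```python
"""Minimal phishing-drill back end: per-user tracking tokens, click-log
parsing, phish-prone percentage and a remediation list.

Added example; not ETTE's or Wizer's code. Secret, roster, campaign
names and log lines are constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import defaultdict

SECRET = b"rotate-me-per-campaign"  # constructed; load from a secret store in practice
ROSTER = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def tracking_token(campaign, user):
    """16 hex chars of HMAC-SHA256(campaign|user): unforgeable without SECRET,
    and the same user gets a different token in every campaign."""
    msg = f"{campaign}|{user}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def tracked_link(campaign, user, base="https://drill.example.com/verify"):
    """The URL embedded in the simulated phishing email for one recipient."""
    return f"{base}?c={campaign}&t={tracking_token(campaign, user)}"


_token_cache = {}


def resolve_tokens(campaign, roster):
    """token -> user map for a campaign, computed once per campaign."""
    if campaign not in _token_cache:
        _token_cache[campaign] = {tracking_token(campaign, u): u for u in roster}
    return _token_cache[campaign]


# Constructed web-server access log (Apache-style). Real tokens come from
# tracking_token(); one line carries a bogus token, one is unrelated traffic.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Mar/2019:09:12:01 +0000] "GET /verify?c=month-01&t={tracking_token("month-01", "alice@example.com")} HTTP/1.1" 200 512',
    f'10.0.0.9 - - [01/Mar/2019:09:14:37 +0000] "GET /verify?c=month-01&t={tracking_token("month-01", "bob@example.com")} HTTP/1.1" 200 512',
    f'10.0.0.5 - - [01/Mar/2019:09:15:02 +0000] "GET /verify?c=month-01&t={tracking_token("month-01", "alice@example.com")} HTTP/1.1" 200 512',
    '10.0.0.77 - - [01/Mar/2019:11:00:00 +0000] "GET /verify?c=month-01&t=deadbeefdeadbeef HTTP/1.1" 200 512',
    '10.0.0.3 - - [01/Mar/2019:11:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    f'10.0.0.5 - - [03/May/2019:08:41:19 +0000] "GET /verify?c=month-03&t={tracking_token("month-03", "alice@example.com")} HTTP/1.1" 200 512',
]

LOG_RE = re.compile(r'GET /verify\?c=(?P<c>[\w-]+)&t=(?P<t>[0-9a-f]{16}) ')


def parse_clicks(log_lines, roster):
    """Map hits on the tracking link back to users.

    Returns (clicks, unresolved): clicks is campaign -> set of users who
    clicked at least once (repeat clicks count once); unresolved counts
    hits whose token matches nobody (scanners, forwarded or tampered links).
    """
    clicks = defaultdict(set)
    unresolved = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user = resolve_tokens(m["c"], roster).get(m["t"])
        if user is None:
            unresolved += 1
        else:
            clicks[m["c"]].add(user)
    return clicks, unresolved


def phish_prone_pct(clicks, campaign, roster):
    """Share of the roster that clicked in this campaign, in percent."""
    return round(100 * len(clicks.get(campaign, ())) / len(roster), 2)


def remediation_list(clicks, campaign):
    """Users to schedule for further instruction after this campaign."""
    return sorted(clicks.get(campaign, ()))


if __name__ == "__main__":
    clicks, bad = parse_clicks(SAMPLE_LOG, ROSTER)
    for campaign in ("month-01", "month-03"):
        print(campaign, phish_prone_pct(clicks, campaign, ROSTER), "%",
              "retrain:", remediation_list(clicks, campaign))
    print("unresolved tokens:", bad)
```

Two design points matter in practice. Counting a user once per campaign, no matter how often they click, keeps the percentage a measure of people rather than of curiosity. Keeping the unresolved count separate rather than silently dropping it matters because a burst of bad tokens usually means the drill link leaked (forwarded to a mailing list, or fetched by a security scanner), which would otherwise make the campaign look worse than the staff are.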

ETTE can provide your users with a variety of security training at different levels of sophistication. As part of our philosophy of not overselling redundant systems, we perform a comprehensive analysis of your organization’s actual needs. This analysis considers your security requirements, user base, and budget to determine the level of training most appropriate for your organization. Our per-user subscription model means your staff can take classes from home as well as in the workplace, and may review course material at any time. Motivated staffers may take additional courses that are not part of the organization’s official training program but are included in the subscription package. Need more information? Contact us today!