Cyber security awareness still in its infancy, says Sans Institute

Cyber security awareness is still in its infancy in most organisations despite the quick returns it can deliver, says the Sans Institute

Cyber security awareness is still in its infancy in most organisations despite the quick returns it can deliver, says security training and certification body the Sans Institute.

Although the UK is among the leading countries in this regard in Europe, it still has a long way to go, according to training director for the Sans Securing The Human Program Lance Spitzner.

“Norway is the clear leader in Europe and even internationally, with around 30 government organisations taking the lead on security awareness training a few years back,” he told Computer Weekly.

Information security awareness was almost unheard of three years ago, but this is beginning to change, according to Spitzner.

“We are starting to see increased interest, but mainly from the financial, government, defence and manufacturing sectors, because they have the most to lose from being hacked,” he said.

Despite also being prime targets for cyber attackers, the hospitality, healthcare and retail sectors are still lagging behind in most parts of the world.

More on cyber security awareness

However, in a recent information security training session in London, Spitzner said a fairly wide spread of industry sectors were represented.

The human factor in cyber security

“Understanding of the importance of the human factor in information security is now at the level that understanding of the importance of cyber security in general was about five years ago,” he said.

While organisations nowadays tend to apply technical security controls to computer systems, they typically do little or nothing to help secure the behaviour of the people responsible for data.

“This lack of attention to people means they remain the easiest way for attackers to infect targeted computer systems through phishing and other social engineering attacks,” said Spitzner.

“But in the past, information security professionals have failed to educate users about the risks and have tended to blame them when things go wrong,” he said.

According to security firm Trend Micro, around 95% of so-called advanced cyber attacks on organisations are enabled by manipulating people to do something like download malware.

“This is why it is important for all organisations of all sizes to recognise the importance and benefits of security awareness training,” said Spitzner.

“For example, organisations where previously 40% to 60% of employees have clicked on a link in a test phishing email have now seen that drop to less than 5% six months later, after awareness training on phishing,” he said.

Cyber security for small-and-medium-sized organisations

Small-and-medium-sized organisations need to be just as concerned about security awareness training as large organisations, said Spitzner, because they are just as likely to be targeted by cyber attacks.

“Small businesses and their employees tend not to realise they are targets. They think because their business has antivirus and perhaps some other security controls in place, they are safe.

“They also tend to have the mistaken belief that because they are small, they do not have any information that will be of interest to hackers and they are therefore unlikely to be attacked,” he said.

Sans Institute has produced a downloadable poster in 20 languages that outlines why individuals are a target for cyber attackers.

By focusing on how people can protect their own email accounts and mobile devices, they are more likely to understand the importance of secure behaviour and apply lessons at home and at work

Lance Spitzner, Sans Institute

“The poster shows how cyber attackers can make money out of hacking individuals, with user credentials being a primary target,” said Spitzner.

“Once individuals are compromised, attackers can access corporate systems, can hijack computers and web servers for botnets, and can commit fraud using stolen online identities,” he added.

Smaller organisations also need to understand they are increasingly likely to be targeted as suppliers to larger organisations, according to Spitzner.

“The recent compromise of the US retailer Target, for example, was enabled by first compromising a much smaller company that maintained the stores’ air-conditioning units,” he said.  

While small-to-medium-sized organisations typically lack the resources of larger organisations, Spitzner said there are still things they can do.

“First, it is important to ensure all employees understand they can be targeted and have a role to play in keeping the organisation safe from cyber attacks,” he said.

Second, Spitzner added, organisations can help raise security awareness by distributing security newsletters such as the one produced in 25 languages each month by the Sans Institute.

“These security awareness newsletters are developed by security experts and are available for free download by organisations that do not have the resources to produce their own,” he said.

There are also a host of materials that have been developed specifically for UK-based small-and-medium-enterprises (SMEs), available through the government-backed Cyber Streetwise and GetSafeOnline websites.

PCI SSC security guide

The Payment Card Industry Security Standards Council (PCI SSC) also recently published a guide to help organisations better educate employees on information security.

Specifically, the guide aims to help organisations educate staff on protecting sensitive payment-card data, which is increasingly being targeted by cyber criminals.

The best way to tackle cyber security awareness, said Spitzner, is to highlight how individuals can protect themselves from cyber criminals in their private lives.

“Most employees use the same or similar technology at home as they do at work and they face the same attack methods in both environments.

“By focusing on how people can protect their own email accounts and mobile devices, they are more likely to understand the importance of secure behaviour and apply lessons at home and at work,” he said.

Spitzner also recommends organisations focus on the basics and reduce risk by describing how individuals and the organisation could be compromised.

In the past few years, he has helped develop and implement numerous multi-cultural security awareness programmes around the world for organisations as small as 50 employees and as large as 100,000.

Read more on Security policy and user awareness