The SolarWinds attacks at the end of last year have prompted debate on a range of issues, from how to strengthen supply chain security to how to deal with the growing boldness and sophistication of nation state actors.
The security practices and behaviors of individual staff have also now been highlighted in relation to this incident: it emerged recently that, back in 2017, an intern at SolarWinds created a weak FTP server password – solarwinds123 – and leaked it on GitHub. An independent security researcher found it on the public internet in 2019 and warned SolarWinds that the leak had exposed a SolarWinds file server.
Whether this contributed to the now notorious attacks of late 2020 is unclear, but it has brought into sharp focus the problems posed by a lack of basic security hygiene among employees, even in high-profile tech firms.
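A minimal pre-commit style check for the failure mode described above (a credential, and a weak one, committed to a repository). This is an added illustration, not code from SolarWinds, SecurityAdvisor or Infosecurity; the sample file content and the organisation name tokens are constructed, and the weakness heuristic is deliberately simple.

```python
import re

# Constructed sample of the kind of deploy script that ends up in a public repo.
# The FTP URL embeds a weak "orgname + digits" password; the SMTP one is a long passphrase.
SAMPLE = """
# deploy helper (constructed example)
FTP_URL = "ftp://builduser:solarwinds123@files.example.internal/releases"
SMTP_PASSWORD = "Tr0ub4dor&3xtra-long-phrase"
DEBUG = True
"""

# Organisation names that should never be the core of a password (assumed list).
ORG_TOKENS = ("solarwinds", "example")

# scheme://user:password@host  (a password containing '@' would be truncated; acceptable for a flagger)
URL_CRED = re.compile(r"\b(?:ftps?|sftp|https?)://([^:/\s]+):([^@\s]+)@", re.I)
# KEY = "value" or KEY: "value" where KEY looks like a secret
ASSIGN = re.compile(r"\b(\w*(?:pass(?:word|wd)?|secret|token)\w*)\s*[:=]\s*[\"']([^\"']+)[\"']", re.I)


def is_weak(pw, org_tokens=ORG_TOKENS):
    """Weak if short, or if nothing but digits/symbols remains once org names are removed."""
    if len(pw) < 12:
        return True
    rest = pw.lower()
    for tok in org_tokens:
        rest = rest.replace(tok, "")
    return not re.search(r"[a-z]", rest)


def scan(text, org_tokens=ORG_TOKENS):
    """Return (line_no, kind, name, weak) for every embedded credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED.finditer(line):
            findings.append((line_no, "url-credential", m.group(1), is_weak(m.group(2), org_tokens)))
        for m in ASSIGN.finditer(line):
            findings.append((line_no, "assignment", m.group(1), is_weak(m.group(2), org_tokens)))
    return findings


if __name__ == "__main__":
    for line_no, kind, name, weak in scan(SAMPLE):
        print(f"line {line_no}: {kind} '{name}' committed" + (" (WEAK password)" if weak else ""))
```

Wired into a pre-commit hook or CI step, any finding blocks the commit; the weak flag is only extra context, since a strong credential in a public repository is still a leak.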
To discuss the role of staff in keeping organizations secure and how organizations should deal with insecure practices, Infosecurity spoke with Sai Venkataraman, co-founder and CEO of security awareness training firm SecurityAdvisor.
What was your first reaction when you saw that SolarWinds recently revealed that an intern had created a weak FTP server password and leaked it on GitHub, something that has been pointed to as a potential factor in the breach?
I understand and agree that employees have a certain level of accountability when it comes to their role in the organization’s broader security strategy. However, putting all the blame on one employee – especially an intern – is unacceptable. Organizations need to provide employees with relevant insight and knowledge that is specific to each user’s habits so that they can help to prevent these types of breaches from occurring. We know that 90% of security incidents stem from human error, meaning organizations need to put personalized and relevant employee engagement as the top priority in their broader cybersecurity strategy.
Do you believe there is still a strong tendency to blame individual staff for mistakes that lead to breaches by organizations? If so, what can the cybersecurity community do to help change this mindset?
Companies are quick to point fingers when it comes to data security. However, placing the blame on the employee is ineffective, and can deter them from self-reporting future incidents when they occur. While human actions account for the vast majority of all security incidents, organizations can benefit greatly from continually teaching employees about new cybersecurity threats and their role in protecting the organization.
Employees are a key component to businesses’ security postures but are not infallible. Workers must be supported – both in education and by their employers’ security stack – to identify and remediate cyber-attacks. Security awareness initiatives need to be integrated with cybersecurity investments companies are making. Security awareness managers cannot work in isolation. Overall, the cybersecurity community needs to provide the right tools and resources to ensure users understand the risk and have the knowledge to make actionable decisions in protecting the organization’s most sensitive information and data. Many organizations are already looking to augment their cultures to that of personal responsibility, so that cybersecurity responsibility no longer rests solely in the CIO’s or CISO’s department.
What should organizations do to build a culture of early reporting of security incidents throughout their workforce?
Rather than placing blame on the employee, organizations should regard them as allies and place their focus on fortifying their workforce. Employees serve as the frontline defense to protect an organization from cyber-attacks, but often need support to identify and remediate threats before they become issues. Providing clear guidance, ideally in real-time as employees engage with risky websites or applications or links, on how to identify and remediate sophisticated cyber-threats is a critical component to augmenting risky behaviors and ultimately improving an organization’s overall security posture. Offering real-time feedback on users’ risky behaviors is proven to increase retention and positively change behavior over time.
What areas in particular should organizations be focusing their security awareness programs on in the current threat landscape?
We know that phishing attempts are one of the most widely used methods for entering an organization’s network, and that’s because they are proven to work. Over time, phishing attacks and cyber-criminals have become more and more sophisticated with the ability to replicate and personalize attempts, easily tricking the end user into compromising credentials or clicking on malicious links. In today’s ever-evolving threat landscape, organizations need to arm employees with the right tools to combat these new-age threats. Attacks are now incredibly personalized, but our response is not. It’s hard to solve today’s security awareness problems with yesterday’s tools. To set employees up for success, organizations must offer real-time, personalized learning that is tailored to their unique security behaviors. This type of learning is more digestible and effective, allowing users to adopt techniques and adapt habits over time.
How can organizations ensure awareness training is effective in the context of home working during COVID-19? Are there any examples you can describe?
Employees are no longer protected with the same on-premises systems and support they once had in the office setting. Now, more than ever, it’s crucial to fortify employees with relevant and personalized knowledge based on individual behaviors and habits. By helping employees identify and remediate cyber-attacks, organizations can strengthen the overall broader business cybersecurity strategy, starting with the first line of defense: their people.
Are you seeing signs that organizations are becoming more aware of the need to improve user awareness training following the experiences of the past year?
Yes, the disruption caused by the pandemic and the immediate need to move all workers to a remote environment greatly impacted the push towards more effective employee security awareness training. Gone are the days where organizations can gather dozens of people into a windowless office and perform a compliance-mandated security training, which is largely wasteful and ineffective. In our new work environment, organizations need to adapt their training methodology to their remote or hybrid workforce, who are now spread out and connecting to company systems through the internet to work online and, often, engage in personal work. As businesses make critical data available on cloud platforms to accommodate people working from anywhere, the vast majority of data breaches will continue to be caused by employees, no matter how unintentional.
Legacy approaches to security awareness training are not effective, especially in this new environment. Not only do employees gradually forget the lessons they learned in these seminars, but it’s also difficult to track individual employees’ progress. A more effective approach to user awareness training is to deliver personalized advice to each employee at the exact moment they engage in risky behavior. By leveraging existing security and IT tools, HR systems and Active Directory, organizations can gather data about an individual employee’s risk profile, role and awareness needs for personalized coaching. With personalized coaching, companies can identify at-risk employees and better tailor their training towards today’s real-life malware and attack variants.