Hackers routinely target employees to achieve their nefarious ends. Research from CEB, now part of Gartner, found that employee mistakes—such as falling for phishing attacks or reusing passwords across sites—cause half of breaches. Because of this, training employees to reduce mistakes is a staple of every security program. In fact, the average large company has increased spend on awareness by 50% in just the last two years.
At the same time as awareness training has increased, security teams have expanded their objectives beyond just preventing breaches to be reliably detecting and responding to them. In response to that expansion, the most progressive CISOs are training employees differently.
Where conventional awareness programs seek to reduce employee mistakes, these CISOs seek to enlist employees as part of information security’s machinery to detect breaches by watching for suspicious activity and reporting it to security.
Research shows that employees are already doing this. According to the 2014 Verizon Data Breach Report: “…over the years we’ve done this research, users have discovered more breaches than any other internal process or technology.” Another survey of CISOs by CEB, now part of Gartner, found that two-thirds agreed with this observation. However, given that almost all advanced attacks still begin with a phishing email, employees need help to detect breaches more consistently.
There are four things CISOs must do to help employees become better breach detectors:
1. Drive employees to understand and care about their role in protecting the business. Since most awareness efforts have historically focused on avoiding mistakes, employees do not understand that their role also includes reporting suspicious activity. Furthermore, a mistake can reflect badly on the employee so there is a built-in incentive for them to be careful, but little incentive to report suspicious behavior.
Companies should implement incentives for employees to report what they see. One cloud software vendor emphasizes a “see something, say something” idea as the primary message in all of their awareness efforts. They use gamification incentives, awarding badges (that translate into gifts) for reporting suspicious activity as well as for anything the employee might do to reinforce the message to other employees.
2. Ensure employees know how to report suspicious activity, and make it as easy as possible. It’s no good helping employees spot suspicious activity if they don’t know how to respond or if it’s difficult. One option is to install a “report phishing button” in employees’ email client. Pressing this button automatically forwards the email to a security inbox where it can be analyzed, and it’s just as simple as deleting an email.
3. Help employees know what ‘normal’ and ‘abnormal’ look like. Asking employees to be aware of suspicious activity such as a phishing email does little if it’s not accompanied by concrete guidance on how to identify a phishing email. As attacks become more sophisticated all the time, it’s important for information security to regularly update employees on what “normal” and “abnormal” look like.
In the past, minor breaches and near-misses detected by the security team were usually kept quiet, but progressive CISOs now broadcast these incidents to employees. These broadcasts show employees that attacks can (and do) happen at their company and also demonstrate the kind of attacks they may see in the immediate future.
4. Increase employee visibility into potentially suspicious activity. CISOs can use various simple means to augment employee judgment and help them spot potentially malicious activity. A common tactic is to label all external email as such. This makes it much harder for an attacker to spoof emails from other employees.
A telecommunications company employs a more sophisticated tactic. The CISO sends weekly “activity statements” to employees that show them which systems have used their credentials and when. This allows employees to review their data access records and see where there might be activity that they didn’t generate. By using simple and personal activity statements and iterating on the format based on feedback, employees become much more likely to report any abnormal activity and are more invested in the security of their actions.
Information security now requires more than protection against breaches. A robust ability to detect and respond to breaches is critical, and key element of breach detection is rank-and-file employees. To meaningfully improve detection and response to breaches, companies need to move beyond traditional “awareness” efforts, and build a program that teaches employees to be breach detectors.