By David Monahan
Security is an important aspect of business today. Announcements of new data thefts, breaches, and related incidents are a daily occurrence, and many of them originate as attacks against the workforce rather than against systems. As a result, the human component of security is increasingly significant.
Social engineering is the tool used to build workforce-based attacks. It uses social and psychological influence to steer a target toward the outcome the attacker wants; in essence, it tricks someone into doing what the attacker wants. Everyday, non-malicious forms of the same influence include peer pressure, door-to-door sales, telemarketing, and broadcast commercials. In the business world, the prevalent malicious forms are cold calls and phishing or spam emails, both of which request some form of information from the target.
Social engineering attackers exert some form of psychological influence or pressure on the target, and the attempts are usually time sensitive. The intent is to trigger impulse over reason, and the impulse is accentuated by appealing to a primary emotional driver: take this action and you will be accepted, become rich, or get the deal of a lifetime. There are too many psychological factors to list them all in this article, so the rest of the discussion is narrowed to the most common methods seen in the workplace.
Many scams and malicious email solicitations prey on human emotions such as fear of losing something, sympathy, or greed. A common malicious email notifies the recipient that he or she will lose account privileges within 24 hours unless he or she acts now and sends passwords, money, or similar to the sender.
Sympathy attacks usually arrive as a plea for help: someone the victim knows, or can otherwise empathize with, is in trouble and needs financial assistance to get out of the situation.
To play on greed, a common scheme offers the "one time only, right now" deal. In its most rudimentary form, the target receives a solicitation asking him or her to perform a trivial-seeming task in return for high compensation.
Most of these solicitations can be weeded out by their poor grammar and syntax. The next tier may look authentic, but the have-to-act-now pressure is itself a red flag. The old saying applies: if it looks too good to be true, it probably is.
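To make the cues in the preceding paragraphs concrete, here is an added Python example (mine, not the author's or EMA's) that scores constructed sample emails for the levers described above: time pressure, threatened loss, a request for credentials or money, sympathy, and greed. It goes slightly beyond the text in two places: it also flags a Reply-To domain that differs from the From domain, and it uses shouting (repeated exclamation marks, several all-caps words) as a crude proxy for the poor-grammar tier. The field names, keyword lists, weights, and quarantine threshold are assumptions; the messages and domains are made up.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Rules are (label, weight, pattern). The labels follow the emotional levers the
# article describes: time pressure, threatened loss, a request for credentials or
# money, sympathy, and greed. Keyword lists and weights are illustrative choices
# for this example, not a vetted phishing corpus.
_RAW_RULES = [
    ("time_pressure", 2, r"within \d+ hours?|act now|right now|immediately|today only|expires?\b"),
    ("loss_threat", 2, r"suspend|lose (?:access|your account)|locked|deactivat|will be closed"),
    ("credential_request", 3, r"password|passcode|verify your (?:account|identity)|confirm your (?:login|credentials)"),
    ("money_request", 3, r"wire transfer|western union|gift cards?|send (?:me )?(?:money|\$\d+)|bitcoin"),
    ("sympathy", 2, r"stranded|hospital|emergency|please help|desperate"),
    ("greed", 2, r"winner|prize|lottery|reward|one[- ]time(?: only)?|claim \$\d+"),
]
RULES = [(label, weight, re.compile(pat, re.I)) for label, weight, pat in _RAW_RULES]


@dataclass
class Verdict:
    score: int = 0
    flags: list = field(default_factory=list)


def reply_to_mismatch(msg):
    """True when Reply-To routes answers to a different domain than From.
    Replies to a spoofed corporate sender often reach the attacker this way."""
    _, from_addr = parseaddr(msg.get("from", ""))
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    if "@" not in from_addr or "@" not in reply_addr:
        return False
    return from_addr.rsplit("@", 1)[1].lower() != reply_addr.rsplit("@", 1)[1].lower()


def score_message(msg):
    """Score one message (a dict with from, reply_to, subject, body) against the rules."""
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    verdict = Verdict()
    for label, weight, pattern in RULES:
        if pattern.search(text):  # each lever counts once, however often it appears
            verdict.score += weight
            verdict.flags.append(label)
    # Shouting (repeated exclamation marks or several all-caps words) is a crude
    # stand-in for the "poor grammar and syntax" tier the article describes.
    if re.search(r"!{2,}", text) or len(re.findall(r"\b[A-Z]{5,}\b", text)) >= 3:
        verdict.score += 1
        verdict.flags.append("shouting")
    if reply_to_mismatch(msg):
        verdict.score += 2
        verdict.flags.append("reply_to_mismatch")
    return verdict


def triage(msg, threshold=4):
    """Quarantine anything at or above the threshold; the threshold is an assumption."""
    return "quarantine" if score_message(msg).score >= threshold else "deliver"


# Constructed sample messages; the addresses and domains are placeholders.
SAMPLES = {
    "account_lockout": {
        "from": "IT Support <helpdesk@example-corp.com>",
        "reply_to": "helpdesk-reset@mail-relay.example.net",
        "subject": "Action required: your account will be suspended in 24 hours",
        "body": "Your mailbox will be locked within 24 hours unless you confirm your login. "
                "Reply to this message with your username and password.",
    },
    "stranded_friend": {
        "from": "Alex <alex.friend@example.org>",
        "subject": "Please help",
        "body": "I'm stranded abroad after a hospital emergency and need $800 sent by Western Union today. "
                "Please, I'm desperate.",
    },
    "prize_survey": {
        "from": "Rewards Team <promo@example-promos.net>",
        "subject": "You are our WINNER!!!",
        "body": "Complete one simple survey right now to claim $500. This one-time reward expires tonight!",
    },
    "team_lunch": {
        "from": "Dana <dana@example-corp.com>",
        "subject": "Team lunch Thursday",
        "body": "Reply with your order by Wednesday so the caterer can confirm numbers.",
    },
    # A legitimate reminder that the keyword rules still flag: the limit of heuristics.
    "password_expiry": {
        "from": "IT Support <helpdesk@example-corp.com>",
        "subject": "Password expiry reminder",
        "body": "Your password expires in 14 days. Change it through the intranet portal; "
                "we will never ask you to send it by email.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = score_message(msg)
        print(f"{name:16} {triage(msg):10} score={v.score} flags={v.flags}")
```

The last sample shows the limit of keyword heuristics: a legitimate password-expiry reminder scores as high as the phish because it carries the same words. That false positive is why the article's argument turns on people rather than filters. An employee who has internalized "we will never ask you to send it by email" is the control that a regex cannot be.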
As an analyst, I am intrigued by how training is applied to make employees more security aware and what effect that training has on susceptibility to social engineering and related cyber attacks. To find out, I conducted end-user research into three aspects of security awareness training: how individuals and organizations perceive the need for it, how they deliver it and how effective that delivery is, and whether it actually reduces susceptibility to social engineering attacks.
The research indicates that many companies operate under what I would call the insanity principle: doing the same thing repeatedly and expecting a different result. This shows up in two ways. First, companies do nothing to train employees yet somehow expect security to improve. Second, they use antiquated training methods and expect personnel to get better at security.
A recent Enterprise Management Associates (EMA) research report, Security Awareness Training: It’s Not Just for Compliance, shows that in aggregate, 56 percent of personnel had not received security awareness training from their employers.
This varies considerably with the size of the organization, whether it operates in a regulated environment, and even the role the individual supports in the business. Individuals outside IT and security functions were half as likely to receive security awareness training as IT personnel, and one-seventh as likely as security personnel.
From the organizational perspective, personnel in a large enterprise (10,000 people or more) were about three times as likely to receive security awareness training as their counterparts in midmarket organizations, and nearly five times as likely as counterparts in small- to medium-sized organizations of fewer than 500 people.
The second issue turns on a basic learning principle: most people need repetition to learn something effectively. Yet 45 percent of the respondents who received training say they received it only yearly, and ten percent say it arrives at some seemingly random or undetermined interval. Over half of the survey respondents were therefore exposed to training so infrequently that they had no chance to internalize the practices and procedures. Only two percent say they had received post-incident training, which, when delivered correctly, is an effective method: the person who was exploited is open to understanding how he or she was duped and usually wants to fix it.
The caveat is that if the "training session" is really intended as a disciplinary session, the exploited person tends to shut down. The research also found that only 48 percent of respondents knew that their training effectiveness was measured at all, and of those, 62 percent reported that their organizations measured effectiveness merely by attendance: if you were there, training was considered complete and effective.
Invest in Security
The research results clearly show that many security awareness and policy training programs lack the delivery frequency, content, and quality needed to build the rational decision making that weeds out the obvious attacks, reduces susceptibility to time-pressure attacks, and overcomes attacks that appeal to sympathy, fear of loss, and greed.
Organizations must invest in employees through security awareness training if they hope to change the outcomes of phishing, cold calling, and the other forms of social engineering attack prevalent against their employees today. The investment pays off beyond the office as well: 84 percent of respondents said they used the awareness training from work to make better security decisions at home, an overall improvement in Internet security.
David Monahan is research director, security and risk management, EMA. He is a senior information security executive with several years of experience. Monahan has organized and managed both physical and information security programs, including security and network operations for organizations ranging from Fortune 100 companies to local government and small public and private companies.