Posted by Tim Femister on Nov 1, 2018 10:00:00 AM
Last week, I wrote about the first five steps to creating a culture capable of effectively defending against modern threats. This week, I'll take you through the next five steps. Let’s dive right in.
6. Organizational Communications
We also want to make sure that your messaging is customized and applicable to your organization, so this step combines Engaging Trainings and Mindfulness. Standard platforms and tools can only be customized to a certain extent, so we recommend sending out an organizational communication twice per month around cyber awareness. You can often pre-write and schedule these emails to be sent out.
7. Phishing Simulations
Before we talk about simulating phishing, let’s discuss “dwell time.” For those who are unfamiliar, dwell time is the amount of time that occurs between the moment an organization is breached and the moment it realizes it has been breached. The average dwell time is about six months (180-205 days). Scary, right?
So, if you’re reluctant to believe that you have a phishing issue within your organization, I’d like to challenge you by asking, “How do you know?” I would argue that unless you simulate phishing consistently and observe a constant low (1-4%) click rate, you can’t confidently state that phishing is not a current problem. Also, remember that a successful phishing attempt does not require malware. Users – completely of their own volition – can send an Excel file full of sensitive information to a bad actor as a result of social engineering. It may take years until you find out that you had a data leak – or, even scarier, you may never find out.
8. Social Engineering Assessments
Despite the statistics I shared at the beginning of this guide, cybersecurity is not just about preventing phishing scams. Yes, spear phishing accounts for 95% of enterprise network attacks, but I have a rule I would like to share with you:
Femister’s Law of Counter Direction
When a security trend reaches critical mass, bad actors shift their focus in a different direction.
Thus, as everyone focuses on phishing threats, expect to see a rise in different threat vectors. Recently, we’ve seen this take many forms, from receiving malicious CDs via snail mail to leveraging public-facing vulnerabilities (over phishing) for ransomware (as seen in the City of Atlanta).
9. Metrics + Reporting
At this point, you’ve put a tremendous amount of effort into building a robust network of human firewalls, but we need to be able to track progress, identify gaps, and educate stakeholders on your current state, including your level of improvement. We recommend proactively informing stakeholders on a quarterly basis through a Quarterly Program Review, in addition to an Annual Program Review.
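As an added example (not code from the post or from ConvergeOne), here is how the click-rate test from step 7 and the quarterly figures from step 9 could be computed over simulation results; the campaign records, department names and the three-quarter window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed results from simulated phishing campaigns (not real data).
# Each record: quarter, department, emails sent, clicks on the lure,
# credential submissions on the landing page, and user reports to the SOC.
@dataclass(frozen=True)
class Campaign:
    quarter: str
    department: str
    sent: int
    clicked: int
    submitted: int
    reported: int

RESULTS = [
    Campaign("2018Q1", "finance", 200, 31, 9, 4),
    Campaign("2018Q1", "engineering", 300, 12, 2, 40),
    Campaign("2018Q2", "finance", 200, 14, 3, 22),
    Campaign("2018Q2", "engineering", 300, 9, 1, 61),
    Campaign("2018Q3", "finance", 200, 7, 1, 48),
    Campaign("2018Q3", "engineering", 300, 6, 0, 77),
    Campaign("2018Q4", "finance", 200, 5, 0, 55),
    Campaign("2018Q4", "engineering", 300, 4, 0, 90),
]

def quarterly_rates(campaigns):
    """Aggregate per quarter: click rate, credential-submit rate, report rate."""
    totals = defaultdict(lambda: [0, 0, 0, 0])
    for c in campaigns:
        t = totals[c.quarter]
        t[0] += c.sent; t[1] += c.clicked; t[2] += c.submitted; t[3] += c.reported
    return {
        q: {"click": t[1] / t[0], "submit": t[2] / t[0], "report": t[3] / t[0]}
        for q, t in sorted(totals.items())
    }

def worst_departments(campaigns, quarter):
    """Departments in one quarter ordered by click rate, highest first."""
    rows = [(c.clicked / c.sent, c.department) for c in campaigns if c.quarter == quarter]
    return [d for _, d in sorted(rows, reverse=True)]

def phishing_controlled(campaigns, max_click=0.04, min_quarters=3):
    """The post's test: only a consistently low click rate, sustained over
    several consecutive quarters, supports the claim that phishing is not a
    current problem. 4% is the post's upper bound; the window is assumed."""
    rates = quarterly_rates(campaigns)
    recent = list(rates.values())[-min_quarters:]
    if len(recent) < min_quarters:
        return False  # not enough history to make the claim at all
    return all(r["click"] <= max_click for r in recent)
```

A rising report rate alongside a falling click rate is the trend a quarterly review should be looking for; a single good quarter is not enough to close the question.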
10. Regular Optimization
Lastly, any system or program runs the risk of stagnation. A continuous optimization process should be a core element of the established policies and processes. We want to ensure that the cyber awareness program maintains its relevance and effectiveness, given all the hard work you put into it. This is also an opportunity to review any gaps and incorporate optimizations for structured improvement.
Thank you for taking the time to read through these steps – it demonstrates a commitment to creating a cyber aware culture that will serve your organization well in defending against modern threats. If you'd like to take an extended look into these 10 steps, download the full guide below.
[ GUIDE ] Building Human Firewalls:
10 Steps to Cyber Awareness
Are your employees equipped to act as a human firewall, defending your organization against attempted cyber attacks?
The statistics are staggering: spear phishing accounts for 95% of enterprise network attacks, according to the SANS Institute. Since attackers can craft messages to your employees posing as a reputable contact, technology can only do so much. To effectively prevent your organization from falling victim to cyber attacks, it’s essential that your employees develop strong cyber instincts.
This guide contains an extended overview of ConvergeOne’s 10 steps to creating a cyber aware culture, including key questions and ideas for tackling each step.