While Octobers are typically reserved for organizations like yours and mine as a time to focus on cybersecurity awareness programs, this essential work is of course a year-round effort – or, it should be! But like many of the tough challenges we all experience here in the real world, it can be very hard to break through the noise to reach your staff.
And as we approach the end of 2022, that noise is only growing, from the ongoing public health crisis, to geopolitical events which may directly or indirectly affect your organization or your market, to attack techniques which are either brand-new or (perhaps even more dangerously) evergreen, because they have repeatedly proven so effective in the past.
When we think about how to secure and protect our organizations, consider these three vantage points (or views) which reflect where you and your employees live: the world view, the business view, and the home view.
The World View
There is no shortage of headline-grabbing news today. And while some organizations do need to be concerned about potential cyber-offensive activity related to the land war in Europe, it’s not the deployment of a cyber-weapon, but rather a deployment leveraging cyber headlines that is far more likely to appear as a threat directed at most organizations.
Threat actors read the same news we do. And during both global and local crises, a very common phishing technique is to piggyback on top of those current events, with the expectation that the recipient may be hungry for more information – even more so when that “new” information is urgent or timely. Messages with (bad) links purportedly leading to “exclusive” video content, or even to (fake) charities seeking real donations, are especially prevalent.
The ongoing situation in Europe has been an eye-opener for businesses worldwide who did not understand how interconnected and interdependent their supply chains are, from food to oil to other critical raw materials.
Remember that “security awareness” applies both to individuals and organizations as a whole. “Situational awareness” is tightly intertwined with information security awareness. One of the ways an organization can test itself about how much (or little) it knows about its place in the global ecosystem is to run tabletop exercises, or practice sessions with a mock scenario requiring a rapid and coordinated response. And those exercises definitely have a cybersecurity component, usually in the form of an Incident Response (IR) function – a team which you may have in-house, or you may have on retainer with one or more outside vendors.
The Business View
Let’s stick with this supply chain concept as we shift the vantage point to look squarely at impact to the business.
After all, businesses exist to generate value for both shareholders and customers. How businesses react and respond to unexpected scenarios directly affects their ability to operate. Just like individuals, the behavior of a business organization is often driven by economic impacts and incentives (regulatory or otherwise). And businesses which rely on multiple components to deliver their product or service – where those components are hardware, software, and/or intellectual property – can find that the complexity of how they operate innately presents operational risk.
A specific example: if your organization today does not know how it is connected to the economy of Taiwan, now is definitely the time to run tabletop exercises to uncover where you may have blind spots. From an information security perspective, how would the security of your data center (whether your own, or one provided to you by a cloud vendor) be affected if planned upgrades of underlying physical components simply cannot take place, because chips or other technology are no longer available?
It’s not too far a stretch to believe that any military activity in that part of the world will be accompanied by disinformation campaigns designed to influence governments, companies, and individuals. Does your information security awareness program include training which directly addresses the concept of disinformation, and how to recognize it?
The Home View
Perhaps the strongest indicator of an effective information security awareness program is content which approaches the employee holistically. Effective awareness training and behavioral change address the individual both at work and at home.
There is no on/off switch that fundamentally changes an employee’s behavior between the work environment and the home environment. This has become even more apparent over the past couple of years, during which many organizations were forced to move to a work-from-home model.
Isn’t there room in your training curriculum to provide actionable advice to your audience about risks which may be more pronounced outside the office? Connecting to public wi-fi without a VPN, password reuse across websites, and sharing too much information on social media are all risky behaviors which can affect your organization, even if all these behaviors take place after work hours on devices not owned or managed by your IT team.
There is a dual benefit to taking this holistic view of your training. Not only is your organization safer because your users are better informed about potential threats online, but you may now have an employee who is especially grateful and appreciative that this same training can also help them more effectively secure their home devices and network.
The Three Views and “Visibility”
Relying on multiple vantage points is a model which is relevant to far more than your security awareness program alone.
One of the most promising, and most powerful, ways to think about visibility is the concept of extended detection and response (XDR). This model acknowledges that yesterday’s purported king of visibility, the logs collected by a security information and event management (SIEM) system, is no longer the best way to see everything you need for comprehensive situational awareness throughout your environment – and it may never have been “the best way,” anyway.
Logs are just a single vantage point. When you add network data and endpoint data to the mix, you have three views into your environment.
Bringing these three data planes together and combining those vantage points with capabilities such as orchestration and automation, machine learning-driven analytics, and a threat intelligence platform, is what comprises truly effective XDR.
When it comes to security awareness, an XDR solution can help you peer into emails and alert when it sees hyperlink text which does not line up with the underlying hyperlink – a classic approach of many phishing campaigns. An XDR solution can tell you when it witnesses user behaviors which should be investigated – not necessarily a signal that a threat is actually present, but rather anomalous activity, something out of the ordinary when compared to a user’s behavior up to that point. An XDR solution can quicken the pace of your remediation workflow by automatically sending an email to a user who may have accidentally clicked on that obfuscated link.
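As an added illustration of the first of those checks (this is example code written for this article, not part of any XDR product the post refers to), the following script scans the HTML body of an email for anchors whose visible text names one host while the underlying href points somewhere else. The email HTML, the `find_mismatched_links` function and the `.test`/`example.com` hostnames are all constructed for the demonstration; the subdomain-tolerant host comparison is a simplification (it treats `www.example.com` and `example.com` as the same site but does not handle multi-label public suffixes such as `.co.uk`).

```python
"""Added example (not from the original post): flag anchors whose visible
link text names one host while the underlying href points to another.
The sample email HTML below is constructed for this demonstration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that "looks like" a URL or bare hostname, e.g. "www.example.com/news".
# Group 1 captures the hostname portion.
HOST_TEXT_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def _host(value):
    """Return the lowercase hostname from URL-like text, or None if the text
    does not look like a URL or hostname (e.g. "Click here")."""
    m = HOST_TEXT_RE.match(value.strip())
    return m.group(1).lower().rstrip(".") if m else None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(shown, actual):
    """Simplified comparison: identical hosts, or one is a subdomain of the other."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the visible text names a host
    that differs from the href's host. Non-URL-like link text is ignored,
    since "Click here" makes no claim about where the link goes."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown = _host(text)
        if shown is None:
            continue
        actual = (urlparse(href).hostname or "").lower()
        if not actual or not _same_site(shown, actual):
            findings.append((text, href))
    return findings


# Constructed sample: a "breaking news" lure with one disguised link, one honest
# link and one link whose text makes no host claim at all.
SAMPLE_EMAIL_HTML = """
<p>Urgent: see the exclusive footage at
<a href="http://login.example-verify.test/v">www.example.com/news</a>
and donate via <a href="https://donate.example.org/">donate.example.org</a>.
<a href="https://example.com/help">Click here</a> for help.</p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text {text!r} points to {href!r}")
```

Only the first anchor is reported: its text claims `www.example.com` but the href resolves to `login.example-verify.test`. In practice this check belongs in the mail-inspection stage, where a hit can feed the kind of automated follow-up the post describes (a notification to the recipient, or a ticket for the analyst) rather than blocking outright, since legitimate tracking redirectors also produce mismatches.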
Whether it’s XDR or your security awareness program, always remember that the more vantage points you have, the better informed you (and your employees) will be.
For More: Recommended Reading
Where to go from here to further improve your security awareness efforts? I always close out conversations in this space with a recommendation to pick up a copy of Perry Carpenter’s Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (a Hall of Fame winner from the Cybersecurity Canon Project). The book is squarely aimed at managers and leaders seeking to improve the effectiveness of their cybersecurity awareness programs.
But I’ll also leave you with some alternative reading sources, a handful of solid and relevant books which might not at first glance appear to relate to your security awareness program efforts: Robert Cialdini’s Influence: The Psychology of Persuasion; Switch: How to Change Things When Change is Hard, authored by the brothers Chip Heath and Dan Heath; Dan Ariely’s Predictably Irrational: The Hidden Forces That Shape Our Decisions; and The Invisible Gorilla: How Our Intuitions Deceive Us by Christopher Chabris and Daniel Simons.
The world view, the business view, the home view: keep all three of these views or vantage points in mind when you consider how to create or improve your existing security awareness efforts.
About Ben Smith
Ben (@Ben_Smith) is Field CTO at NetWitness. He brings more than 25 years’ experience in the information security, risk management, networking and telecommunications industries. Smith holds industry certifications in information security (CCISO, CISSP), risk management (CRISC), and privacy (CIPT); he is an acknowledged contributor to NIST SP 1800-1, -3, and -7; and he chairs the Cybersecurity Canon Project. He is a patent holder, authored four of the “97 Things Every Information Security Professional Should Know” [O’Reilly, 2021] and was previously a corporate representative to the National Cybersecurity Center of Excellence (NCCoE).