ARE PEOPLE REALLY THE WEAKEST LINK IN THE INFORMATION SECURITY CHAIN?
This question sounds familiar, right? Information security is often described as a chain, and everyone knows that a chain is only as strong as its weakest link. Starting from this metaphor, it seems like a good idea to find that weakest link and strengthen it so that it is no longer a threat to the organization.
When asked to identify this weakest link, most people will answer that it is the people. Think about the number of times you have heard someone say that “the problem came from the eighth layer of the OSI model” or that “the problem existed between the chair and the keyboard.” I am pretty sure this sounds familiar to most of us. A good joke cannot hurt, most people will say.
I recently read an interesting research paper about how the image we have of ourselves shapes who we are and how we perceive the things around us. I will not dwell on it for too long, but it made me think differently. The idea was the following: you take a pool of people and ask them whether they usually consider themselves lucky or not. You then tell them that they have to find specific pieces of information in a text, and that usually only the luckiest people manage to find all of them. When the exercise is over, you ask the participants what they found and whether they think they found everything. Guess what: most of the people who said they were unlucky either missed some of the information, or found all of it but believed there was still some they had missed.
Now, you may be wondering what the link is between this research paper and our topic. I am convinced that if you keep telling your coworkers that they are the weakest link in your company’s information security chain, they will eventually become exactly that. It is a state of mind. How can one turn this into an opportunity?
How to turn people from the weakest link into first responders?
Instead of telling your employees that they may one day be the reason why security fails, tell them how they can contribute to the company’s security posture. Make them your greatest strength when it comes to enforcing security everywhere.
How can one achieve this magic trick?
You need to run a security awareness program in your company if you want to achieve this. If you do not know where to start, I would definitely recommend reading the National Institute of Standards and Technology Special Publication (NIST SP) 800-50. Even though this document was published nearly two decades ago, it still contains good ideas, as do most of the Special Publications NIST has released. Your awareness and training program needs to make everyone in the company feel involved, and for that to happen, the core actions of the program need to be adapted to your audience every time.
Adapt your actions to the target audience
When it comes to adapting actions to the audience, I like to use storytelling and live demos. The decision makers of the organization might not feel concerned by a penetration testing report stating that “you can trigger an XSS vulnerability on the company website, as shown on this screenshot with a popup saying ‘XSS here’.” But I can tell you that they will feel concerned if you show them the whole website defaced, with images shaking while French cancan music plays. Of course, do not attempt this during a penetration test if the rules of engagement do not allow it. They will feel even more concerned if you tell them that you could become an administrator of the website by chaining this with a configuration mistake.
The HR manager may already know that one should always check a file’s extension before opening it, but do they know that most file formats can carry a payload (macros in Office documents, embedded scripts in PDFs, executables hidden behind a double extension such as Invoice.pdf.exe)? This may be an opportunity for your team to show how an attacker can exploit vulnerabilities in software that was never updated after it was installed.
Now let us talk about more tech-savvy people, system administrators or developers, for instance. Do you still have users among them who “need” to be administrators of their computers? Do they browse the web with this local administrator account? Most of the time, they think this is a mostly harmless practice. If this sounds familiar, then maybe it is time to introduce them to BeEF, the Browser Exploitation Framework: show them what a hooked browser lets an attacker do, and why that matters even more when the browser runs under a local administrator account.
The most important thing to remember about these live demonstrations is not that you can cause fear among your users. For sure, you will. But even if fear is a powerful lever, the key point is that people usually believe what they can see. When you are able to show them that the threats they heard about in a previous awareness session or email are real, they will start to think differently about them.
You can also use examples of other companies that reported breaches in the last few weeks or months. Explain what happened and how it could have been avoided. I feel like it is the perfect time to work in information security, because we now have plenty of post-breach communications. Companies no longer keep their breaches secret, and you can learn from others’ mistakes. Some of them even demonstrate very good crisis management, which can serve as a model when it comes to handling a crisis on your own side.
One of the most dangerous threats to your end users is obviously phishing. Every day, thousands or maybe even millions of phishing emails are sent all over the world. Luckily, most of them can be recognized in a matter of seconds, but some are really finely tailored. To explain how phishing works and how imaginative attackers are in making their messages look realistic, you can run your own internal phishing campaign, or you can keep a few really good phishing attempts, run a live session with a group of users, and explain how you noticed that each one was a phishing attempt: a display name that does not match the sender’s address, a Reply-To pointing to another domain, a link whose visible text differs from its real target, an attachment with a double extension. Give them tricks and reflexes, and most importantly, the opportunity to have someone from the security team clear up any doubt about an email they find suspicious.
The Société Générale CERT publishes an Outlook add-in written in C# on GitHub, called NotifySecurity, that lets users forward any email as an attachment together with a reporting template. In this way, clearing up a doubt about a received email becomes as easy as counting to three. It is worth mentioning that if someone took the time to report a suspicious message to your team, your team definitely needs to take the time to look into it. They also need to give feedback on the message itself and thank the user for helping to improve the company’s security posture. A positive message is always appreciated.
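The tricks and reflexes you teach in such a session can also be written down as checks, which makes a good prop for a live demo. The following is an added example for this article, not code from the article’s author and not part of NotifySecurity: using only the Python standard library, it parses a raw email and flags four indicators: a display name that mentions a domain the sending address does not belong to, a Reply-To or Return-Path on another domain than the From address, link text that shows one host while the href points to another, and an attachment whose double extension ends in an executable type. The sample message, the look-alike domains examp1e-login.com and examp1e-help.net, and the function names (assess, find_indicators, registrable) are all constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never arrive hidden behind a second, benign-looking one.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "lnk"}
# Anything that looks like a host name inside free text (crude on purpose).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample, not a real phishing email: the display name and the link
# text impersonate example.com, replies go to a second domain, the real link
# target is a look-alike domain, and the attachment hides an .exe behind .pdf.
PHISH_RAW = b"""\
From: "IT Support example.com" <helpdesk@examp1e-login.com>
Reply-To: support@examp1e-help.net
Subject: Action required: your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://examp1e-login.com/sso">https://sso.example.com</a>
within 24 hours or your account will be locked.</p></body></html>
--b1
Content-Type: application/octet-stream; name="Policy.pdf.exe"
Content-Disposition: attachment; filename="Policy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude eTLD+1 (last two labels); no public-suffix list, good enough here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def address_domain(value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def find_indicators(msg):
    """Return (category, detail) pairs for every indicator found in an EmailMessage."""
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    # 1. The display name drops a domain the sending address does not belong to.
    for host in HOST_RE.findall(from_name):
        if registrable(host) != registrable(from_dom):
            findings.append(("display-name", f"name says {host}, address is @{from_dom}"))
    # 2. Replies or bounces would go to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        dom = address_domain(msg.get(header))
        if dom and registrable(dom) != registrable(from_dom):
            findings.append((header.lower(), f"{dom} differs from From domain {from_dom}"))
    # 3. Link text shows one host while the href really points at another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower()
            for shown in HOST_RE.findall(text):
                if target and registrable(shown) != registrable(target):
                    findings.append(("link", f"text shows {shown}, href goes to {target}"))
    # 4. Double extension ending in an executable type (Policy.pdf.exe).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]
        if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS:
            findings.append(("attachment", f"{name} is a .{exts[-1]} disguised as .{exts[-2]}"))
    return findings

def assess(raw):
    """Parse a raw RFC 5322 message given as bytes and return its indicators."""
    return find_indicators(email.message_from_bytes(raw, policy=policy.default))
```

Calling assess(PHISH_RAW) returns one finding per category (display-name, reply-to, link, attachment), while a plain message whose From, Reply-To and links all agree returns an empty list. The checks are deliberately simple so that they can be explained in a few minutes: registrable() only keeps the last two labels instead of consulting the public suffix list, and HOST_RE will happily match things like “e.g” in free text, so treat this as a teaching aid for an awareness session, not as a mail filter.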
Offer an e-learning platform to your users
Another approach I like to take when it comes to raising awareness is to deploy an e-learning platform. I usually host it on an open source Learning Management System (LMS) and add content over time. The content on this platform is split into modules, each with a specific topic: information security fundamentals, operational security in the company, the ISO 27000 family of standards, vulnerability management, and so on.
Each module is divided into small chapters. “Bite-sized” chapters have shown better results when it comes to raising awareness on a specific topic. This way, the target audience can learn something in a few minutes without going through twelve pages of documentation. Going straight to the point is the way. If you feel comfortable with storytelling, use it: quite often a good short story gives better results than pure information security jargon or risk analysis. If you wonder how to use storytelling efficiently in this specific context, I would recommend reading the book “Transformational Security Awareness” by Perry Carpenter. If you have people in your company who can draw infographics, have them draw some to illustrate your chapters.
There is something really important about security awareness programs: you need to make sure that everyone understood the information you gave them. To that end, I check that people understood the concepts introduced in a module by running a final quiz. I usually ask them to answer 20 questions drawn from a pool of 30 to 40. I consider that they understood the key concepts of the module as soon as they get 15 correct answers. And this is where we added gamification in my current company.
To go further, we installed a module on our LMS to turn it into a role-playing game experience. Every user has an avatar with a level and experience points. Whenever you pass a module, you get enough experience points to reach the next level: the avatar’s appearance evolves into something stronger and you unlock the next module on the platform. People who reach a higher score on the quiz, with 18 or more correct answers out of 20, are also rewarded with a digital badge. This works very well for us. People were really proud to have obtained all the badges or to have scored higher than their coworkers. Gamification creates real involvement and makes people feel competitive. It gave us really good results on module completion and improved the overall security posture of the company.
Communicate on important new threats
Whenever a new threat looks really dangerous for the organization, I send an email to everybody in the company. I do my best to keep it short and go straight to the point. I want my users to know what can happen and how they could notice that something is happening. I also want them to know that we are putting security measures in place to mitigate the threat wherever possible.
Leverage all of this to make them first responders
You may wonder why I talked about turning people into first responders without referring to it again in this article. I am convinced that if you raise awareness properly with an appropriate program, and give people a way to contact your security team whenever they notice something suspicious, they will become first responders. As in the example about phishing attempts, make sure to send them appropriate feedback after examining what they submitted to you. This will, without a doubt, make them feel really involved in the security posture of your company. In this way, you will no longer miss a piece of information about something suspicious because of “who cares? I don’t even know who I should tell about this, and we never receive any feedback.”