Here’s a follow-up to an earlier post of ours, with amplification of points well worth making.
Trained employees are a central component of an organization’s security posture, according to Freaky Clown (FC), CEO and Head of Ethical Security at Cygenta.
FC is a professional red teamer who tests the security of organizations by breaking into them. FC talked to Carole Theriault in part two of an interview on the CyberWire’s Hacking Humans podcast.
FC says that managers are often surprised by how far he can get without being caught, because employees don’t know to watch out for threats. He describes a number of unusual situations in which he has convinced employees to participate in strange activities, such as building teepees with their coats as a team-building exercise, or setting up a bar in a government building. “You can genuinely just confuse people enough to think that they should be helping you,” he says.
FC explains that just one employee who knows what an attack looks like can make the difference between a thwarted attempt and a devastating cyberattack:
“If you see some of the massive cyberattacks that we've seen recently - like, you know, sort of a billion pounds tried to be stolen from the SWIFT network - that was stopped by one analyst. And we're seeing things like that all the time. Even some of our clients who have had massive spear-phishing attacks, like you know, CEO fraud, that was stopped because one person was like, that's odd. That doesn't sound like the way that Jeff would write an email. They understand it. If they know what can be done and how it would be done, then they're in a much better position to stop it before any technology can even get in.”
He adds that companies that feel overwhelmed by the task of security education should bring in professionals to make the job easier:
“Whatever your role is as a company, you're doing that. You can't be expected to understand all of the security threats. So that's where a security company comes in and goes, OK, look. We understand how criminals are working because we see this day to day. We understand how the criminal organizations are working. We understand how nation-state attackers are working. So what is your threat level? Try to build up on that.”
There’s no reason to waste time on PowerPoint slides and corporate videos when a security company can give your employees a better education on the most relevant threats. New-school security awareness training can be a crucial asset for organizations that want to maximize their security.
“Having a great security culture in a company is your best asset,” says FC. “It really is. People always say, like, humans are the weakest link. No, they're the weakest link until you train them. And then they are your strongest link.”
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-01-10.html