Make Security Lessons Meaningful to Help Them Stick with Employees

Your mom might be behind the next great cyber-attack—and she won’t even know it.

During his keynote address on security at SHARE in Pittsburgh, Robert Andrews, co-founder and chief information security officer for Mainstream Security, detailed the ways criminals are co-opting computers to propagate malware attacks.

Companies can protect their assets with all the greatest technology in the world, but ultimately they’re still at risk because of what they can’t control: human behavior.

“It’s probably not that we’re behind in security,” Andrews said. “It’s that individuals are behind in security.”

While proper security practices are second nature to people who work in IT, throughout your organization there are plenty of people who aren’t as savvy.

Attackers are becoming more sophisticated in the way they use email to carry out their attacks. It’s not unusual to receive an email that mimics a voicemail captured through a reputable product like Cisco Unity, for example. But when victims click the link to the “voicemail,” they’ve unwittingly allowed the bot to invade their computer and appropriate it for future attacks.

Malicious emails are also becoming more personalized, with attackers trolling social media for details that help them tailor emails to specific targets.

“An email that should be recognized as spam or phishing, now you don’t recognize it,” Andrews said. “You click it, and you’re compromised.”

Then there are the dialog boxes that occasionally pop up on users’ screens, asking them to download antivirus software. When it’s a fake prompt, clicking “accept” will not only download malware to the system, in some cases it will actually disable legitimate anti-virus software.

Attackers are also poisoning search results by using search engine optimization to position imitation websites for popular topics such as the MLB All-Star Game, awards shows and holiday sales. If you click on the link to the site, you may be asked to download special software or codec to view the site.

Instead of getting the content you want, though, you’ve instead installed bad code that leads to a “man in the browser” attack—the attacker has the ability to see everything you do in the browser from that point on, in clear text.

One of the keys to reeling in the attacks, Andrews said, is end-user awareness training so people recognize when they’re clicking on bad links, dialogue boxes or search results.

“Do not click on stuff you don’t understand,” he said.

It can be hard to make the lessons stick, but Andrews said it helps to connect security to employees’ personal lives.

“Make it meaningful for not only the organization, but what the end-user does at home,” he said. “(Show how) it’s going to help with their kids, their home, etc.”

And every layer of protection adds up to a big difference in the long run.

“The more layers of security, the more likely it’s going to get caught in the end,” Andrews said.

Want more insight into security from SHARE? Stream the archived webinar, “The Payments Ecosystem: Security Challenges in the 21st Century. 

Recent Stories
Find Defending the Mainframe Difficult? Go on the Offensive Instead!

Digital Certificates 101

SHARE Virtual Preview: Women in IT Talk Inclusivity and Mainframe Innovation