October is Cyber Security month! When you exclaim that this month’s focus is security to most admin and IT stakeholders, you’re likely to receive a chuckle or an eye roll. They know the truth of the matter. Our mindfulness of security can’t be limited to a singular month.
It’s an ongoing process that literally never ends.
Who then is Cyber Security month for? I’ll give you a hint. They interface with your organization’s data, devices and services daily and often don’t regard security as their first or even third priority. You got it; Cyber Security month is all about making your users more aware of the threats your organization faces.
We often spend a lot more time discussing our plans to harden servers, implement new identity security policies or protect our users’ credentials with MFA. Don’t get me wrong, those things are essential in today’s world, but it’s hard not to notice a gap in those strategies. That gap is the users.
Most experts estimate that 70% – 90% of malicious breaches start with or include some form of social engineering. Our users are every organization’s largest attack surface and softest target. Bad actors know this and are increasingly aggressive and cunning in their attempts. Every user holds something a bad actor would like to get their hands on.
Take a user who doesn’t need access to any data or systems but needs email to communicate. If that user leaks credentials, it can still be a treasure trove for a bad actor in the form of a global address list harvest or intel derived from exfiltrated emails that allows them to refine and target spear-phishing attempts. When we read about a large breach in the news, we often picture a group coordinating an attack to launch all at once, when it’s far more likely that the attack started very small and happened over time.
So how do we go about hardening our users? It would be nice if we could just apply a patch or update their firmware, but a more tactful approach is needed. We believe that process is three-pronged.
Your organization’s culture around communicating anything IT-related is very important and often overlooked.
Simply making your users aware of the current threats and where to report them can go a long way to thwarting social engineering. Be consistent with your communications. Set up a shared mailbox so multiple people crafting IT-related messages can appear as one unified voice. Apply templates to your emails, so the appearance is consistent. Be concise; not enough or too much information can be harmful. Stick to the who, what, why, and how of the threat. Don’t forget to include where a user should go to report social engineering attempts.
This can mean different things depending on the size of your organization. In smaller organizations, it may mean taking 10 minutes during a company meeting to show examples of social engineering attempts. In larger organizations, it may mean contracting a professional trainer to speak to individual business units or even training leaders in those units to talk about threats to their teams.
The benefits of a simulated penetration test against our networks are obvious, but we can also apply this approach to our users. An attack simulation targeting your users with social engineering or a fake malware payload will not only give your organization an idea of its vulnerabilities but is also one of the best ways to raise your users’ awareness. The approach of an attack simulation with training and communication as a fast follow can grab your users’ attention far better than any of these components on their own.
How do I simulate attacks?
Just like network penetration testing, there are plenty of tools to help you launch attack simulations and parse the data you receive.
- Microsoft 365 Defender P2 – If you happen to have Defender P2 or an M365/O365 A5/M5/E5 plan, you have a very robust set of tools for simulating attacks.
  - Choose from a wide variety of templated attacks that help target specific business units, just like a seasoned spear-phisherman.
  - Simulate malware payloads and malicious links with a variety of different delivery methods.
  - Automatically assign pre-built training modules to users that click malicious links or input their credentials.
  - Robust after-action reporting to help you know where to invest in training.
- Now Micro Security Awareness Training – If you don’t have Microsoft Licensing, you’re not out of luck; Now Micro has the tools to simulate attacks against your Microsoft or Google environments.
  - Phishing Security Tests
  - Automated Security Awareness Program
  - Security Hints & Tips
  - Automated Training Campaigns
  - Phish Alert Button (Ability to report & delete phishing emails)
  - Phishing Reply Tracking (Track if a user replies to a simulated phishing email & what information)
  - Industry Benchmarks
  - Monthly Email Exposure Check: Monthly reports show which email addresses are exposed on the Internet and are a target for phishing attacks
Recognizing the growing need to protect all your endpoints, including your users, is our focus at Now Micro. If you have any questions or would like our help, visit our Managed Services page on our website.