You’ve set up multifactor authentication and antivirus, enabled backups, secured physical devices and your WiFi, and you’ve spent hours configuring your firewall. But with all those measures, it’s easy to forget about what could either be your greatest asset, or your greatest weakness. What about the human firewall?
According to the Verizon 2021 Data Breach Investigations Report, 85% of breaches in 2021 involved a human element. Phishing was present in 36% of breaches, which is up from 25% in the previous year. With many employees still working from home and organizational resources accessible remotely, organizations must respond to the threat of social engineering and spend time reinforcing their “human firewall,” as they would their physical firewall.
The employees in your organization can function as a crucial line of defense in the event of a breach, but only if they’re trained to recognize and respond to a social engineering attack. A social engineering attack can come in a variety of ways. It could be a phishing email designed to capture credentials or private information. It could be a phone call from a hacker pretending to be IT. It could even be in-person, such as an attacker walking into the office and convincing the front desk they are there to do work in your server room.
Security Awareness Training
At a minimum, organizations should conduct yearly training on a variety of security awareness topics, with an emphasis on social engineering. The Center for Internet Security (CIS) lists the important training topics under Control 14 of version 8 of its Critical Security Controls. These controls outline best practices for annual security awareness training, with topics including:
- Recognizing social engineering attacks, such as phishing, pre-texting, and tailgating.
- Authentication best practices, such as MFA, password composition, and credential management.
- Identifying and properly storing, transferring, archiving, and destroying sensitive data.
- Causes for unintentional data exposure, such as the mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
- Recognizing a potential incident and being able to report such an incident.
- Verifying and reporting out-of-date software patches or any failures in automated processes and tools.
- The dangers of connecting to, and transmitting data over, insecure networks for enterprise activities.
That said, yearly training with no reinforcement is only a minimum; it is hardly the recommended path to long-term success and resilience against social engineering. Simulated phishing campaigns are another excellent way to keep employees sharp throughout the year, especially when combined with short training modules that remind employees of best practices. KnowBe4, one such security awareness training platform, reports that in an untrained workforce an average of 31.4% of employees will click on a phishing link. After three months of training, that percentage falls to 16.4%, and to 4.8% after twelve months of training.
Simulated phishing campaigns also allow your organization to collect statistics, such as which users are most likely to fall for a phish, and to use this data to further harden your environment. Not only that, but assigning training through such platforms makes it easy to document training for compliance purposes and allows your users to complete their training at a time that works best for them.
OCD Tech specializes in providing training and simulated phishing campaigns through a partnership with KnowBe4. If your organization is looking to strengthen your human firewall, consider reaching out to OCD Tech for more information on exploring security awareness options.
This post was originally published on the OCD Tech blog.