And for many of us this means about the same as E=MC2. What does this mean for us non-cybersecurity folks working from home during the COVID-19 lockdown? And how can you explain that to your mum, eh?
Here are our top five tips about working from home, video conferencing and staying safe.
1. Don’t talk to strangers
Businesses tend to use video conferencing solutions that allow anyone with a valid company email to join freely. If this sounds like your place of work, then stick to that. It means anyone from outside the company can’t join your discussions.
Some video conference solutions allow you to dial in from a mobile phone number as an alternative way in – if you see an unknown number pop-up on your chat, challenge them to make sure there aren’t any lurkers.
But for the rest of us, make sure the platform you’re using has an option to set an entry password that you can share separately with all attendees. That way you won’t have any random stranger suddenly pop-up in the middle of a shared lunch. Take advantage of the waiting room feature if it exists. You can vet and approve unexpected attendees prior to them potentially wreaking havoc.
Of course, there are those platforms that actively encourage people to drop in – Houseparty is one good example where you can issue an open invitation to anyone in your address book. If you are using these services, be aware that people you might not want on the call can join in. While that is unlikely to be problematic for your children’s schooling, Aunty Jean might think she’s joining a family dinner and a boozy flat game of virtual Truth or Dare might not be her cup of tea.
2. Do you even know what a .bz2 file is?
It’s simple. If you don’t know what a file is and if you don’t know how or what to use to view it, do not click on it, do not open it, and do not share it. If someone sends you a weird link over a video conference session, double-check that it is a real thing they’ve actually sent to you and not something that will hijack your computer. If you think dealing with tech support is hard work in the office, when you’re working remotely it’s doubly difficult. If the person is known to you, but there are attachments, check with them first – and not by email! Their account might have been hacked.
And of course, if you do need to share a file with your colleagues, then use file encryption, encrypted email, or whatever your company uses for secure file sharing. Emailing databases about the place is not considered smart, and certainly is not good practice.
3. Big brother may not be watching, but your housemate might be listening
Chances are your partner or flatmates find your work calls boring but you might not realise that your voice carries to the neighbours. Always consider who else is around when you’re on that conference call, especially if you’re working with sensitive information. Someone might be recording the call without your knowledge or just interested to find out about that big company deal you’re helping put together.
The lesson here is watch what you say. Check the participant list. Consider alternative communication channels for highly confidential conversations. The same applies for screensharing. Close your documents and shut down any irrelevant applications. And in the interests of not driving your family and flatmates nuts with your calls, get a good quality headset rather than shouting at your laptop. Trust me on that one.
4. You know what they say about repetition…
It might be boring, but it pays off. And so does accessing any system or application with more than one type of login.
Hopefully, your company has already introduced multi-factor authentication (MFA), which will require you to check your phone for a code before logging in to any vital system. But in case they haven’t, many platforms allow you to enable MFA yourself. This reduces the chances of someone using your stolen credentials to hack your account and again, wreak havoc. Again, if you think having to change all your credit card details and passwords is a pain when you’re able to move about the city, it’s doubly difficult when we’re all in lockdown, so avoid giving the bad guys access to your details.
5. If it smells funny, don’t sniff
Just because we are talking about video conferencing, doesn’t mean emails suddenly aren’t relevant. If you receive any unexpected emails or an expected email that seems ever so slightly off, don’t click on any links or open any files. Notify your IT team and delete the email. Always check before following those important orders you received from ‘YourCEO@gmail.com’, or similar that arrived in the dead of night, and need you to urgently pay an invoice or similar. It might be from your boss, but equally it might not.
Most importantly, remember to strike a balance between risk and benefit. Good cybersecurity is not about stopping business activity, but about using appropriate tools for appropriate tasks. Houseparty is a great tool for remote classrooms, but not for executive communications. And finally, find a way to incorporate the norm into the new norm. Have fun with your calls, be kind to your colleagues, and screenshot the awkwardly frozen faces. Most certainly report back to your entire team when a colleague spontaneously decides to flash during your team catch up call. When we all get to back to the office, it’ll be good to have a little something up your sleeve for your next performance review.
You may never find yourself exchanging phone numbers with a Saudi prince, but CEOs and business leaders swap contact details all the time. For Jeff Bezos at Amazon, this was just another routine step along the path that led to a massive breach of his security. After a personal connection, what is more natural than accepting social media contacts?
Today, companies are under ever increasing pressure to ensure their business processes are robust enough to withstand a cyberattack. Firewalls and anti-virus software are installed, patches applied and staff required to change their passwords on a regular basis. Access to files is restricted to those who need them for particular aspects of their work, processes are put in place for staff who leave and user access to the computers they use is restricted to ensure they don’t do something stupid.
Yet at the same time, we see a rise in the number of possible attack vectors open to the criminals. Social media channels offer new ways to get past the watchdogs and security measures in place. Staff are making great use of cloud-based storage to share documents and larger files. Everyone in your business has a smartphone that’s capable of wreaking havoc yet we regularly let staff ‘bring their own device’ and companies like it because there’s more appeal for staff to work late or on weekends if they do so remotely.
All of this creates more opportunity for the bad guys and more risk for organisations, and especially for business leaders. Because while security restrictions are usually put in place vigorously across the company, the one person who should have extra layers of protection tends to demand fewer.
The boss tends to get the special treatment which allows him or her to have greater access to files and services. They may receive more leniency around passwords and security protocols, and have a hands-on role with their marketing team when it comes to a presence on social media including Twitter, Snapchat and WhatsApp, even if company rules prohibit such activity for others.
Jeff Bezos’s (and other high-profile business and political leaders) Twitter use demonstrates CEOs and organisational leaders are willing to live by a different rule to the rest of the team, and that leaves the organisation open to some serious challenges.
How do you tell the boss that he or she shouldn’t have admin rights on their laptop? That they shouldn’t give out their contact details to everyone they meet, no matter how royal? What about insisting they don’t use their work phones for personal use, such as social media, even when they use social media to talk with customers and represent the company?
It’s a minefield for the security team because, of all the staff in the organisation, those at the top are more likely to be targeted by criminals trying to harvest information and access sensitive information. ‘Spear phishing’, where criminals attempt to pass off communications as being from the CEO or financial department, is a growing area of concern. Having senior leaders who are active on social media, and use it interchangeably with email and other more formal channels of communication, makes life doubly difficult for the security team.
So in light of Jeff Bezos’s breach, here are five tips about cybersecurity for CEOs:
Private vs company
If you do want to share your contact details, use a cut-out service. A phone number that you only use for those instances or an email address that your executive assistant (EA) manages. Keep some distance, and keep it ring-fenced so if there is a problem, it’s limited.
Security isn’t optional
Boring but true. Talk to your cybersecurity leads about how best to handle your specific needs. Routine sweeps of your accounts and devices might be required – especially if you travel overseas a lot – so be prepared for some hassle and annoyance. It’s not their fault – it’s good that they nag.
Set the boundaries for staff
Make it clear how you’ll communicate with the rest of the company. You might use a social media account to talk about the company publicly but you won’t use it to message the CFO at midnight to make an urgent transfer of money, for instance. That way if you are hacked it shouldn’t lead to the company running into financial strife.
If in doubt, there is no doubt
Be suspicious of every communication you receive. If a competitor suddenly wants to share files with you, if a new supplier sends you something directly via an unusual channel, if someone offers to invest large amounts of money out of the blue, be suspicious and if in doubt, check in with your cybersecurity team.
Less is more when travelling
Sure, you might need a laptop and a phone when you’re travelling but you’re also more vulnerable to an attack. Talk to your cybersecurity teams about risk mitigation when on the road and how best to handle that. You should back everything up before you go. You may also be advised to take a ‘travel-only’ laptop (and, depending on the country you are travelling to, perhaps a tablet only) and a phone that can be wiped when you return.
The best defence against cyberattacks is both preparation and planning. Consider the risks, and plan and anticipate the consequences of a breach in terms of your company, your business and you personally. Doing these things means you’re in a better place to manage any potential attack. And remember that we all suffer from ‘optimism bias’ – “why would anyone target me?” Don’t rely on having never been attacked as proof that you won’t be. Just ask Jeff Bezos how that worked for him.
David Eaton is Associate Director of Cyber Security for Datacom.
Today’s CIOs are expected to drive business innovation, yet many are grappling with limited IT staff, resources and budgets. In a rapidly evolving landscape, leveraging the right tech is key to overcoming those obstacles and freeing up your team to focus on what matters – growth.
At Datacom, we partner with Aruba Networks – a leading provider of next-generation network access solutions – because it enables organisations to take advantage of a cost-effective mobile-ready network without sacrificing business-class performance, security or reliability.
Our Business Development Manager, Tom Cook, regularly sees the following common obstacles cropping up in the market – here’s how utilising Aruba’s networking solutions can help to overcome these issues to accelerate business growth.
Lack of network visibility A survey by the Ponemon Institute polled some 3,866 IT and IT security practitioners in Asia-Pacific, Europe, the Middle East, Africa and North America and found that more than half (63 per cent) highlighted the importance of network visibility – the need for availability and capacity to monitor traffic on their network.
With Aruba Central, everything from setting up the network to monitoring and maintaining it is streamlined. Whether managing one site or a thousand remote locations, full visibility and control over all network traffic is possible via one enterprise-grade portal.
Slow response times to issues Many organisations lack the capability to quickly diagnose and rectify network issues before they halt operations, or, worse still, allow a security breach.
Aruba’s connectivity health functionality provides the proactive monitoring and analysis required to address issues in all phases of the connection process, including association with access points, network authentication, address assignment and domain name service accessibility. Detailed drill-downs also help isolate problems and identify rogue devices quickly and easily
Lack of capital to upgrade One of the most common obstacles to growth for small and mid-sized businesses is a lack of capital to invest in new systems or infrastructure, no matter how archaic the current set-up may be.
Thanks to the value of the cloud, the cost of implementing high-performing networks has come down significantly. Aruba offers enterprise networking solutions at a consumer-grade price. And the benefits your business can reap from an upgraded solution – in productivity, increased customer engagement, sales growth and more – means you quickly achieve a return on investment (ROI).
Additionally, you can choose a subscription option that fits your business today and scale up or down as needed, so you don’t have to justify a huge Cost of Capital (COC) from the outset.
Security concerns With such rapid developments in both technology and cyber-crime, Tom regularly speaks with practitioners who believe some of their organisation’s existing security solutions are outdated and inadequate.
Aruba offers the option for integrated and automated security controls to protect business data from malware and unauthorised users, and intrusion detection and prevention to safeguard infrastructure. Aruba’s Instant Wi-Fi also includes a built-in firewall and smart application handling for granular visibility and control to make it even more secure.
Lack of centralised control of the network Disjointed or incomplete network control capabilities are some of the leading causes of inefficient or insecure network management for businesses of all sizes. Aruba’s comprehensive dashboard provides a streamlined overview of the network, along with client and application performance monitoring views.
Simplified monitoring and control of headend and branch gateways through integrated software-defined WAN (SD-WAN) management is also provided. Intelligent workflows provide the ability to look into specific device, policy or circuit configurations to ensure performance aligns with business and user expectations.
People often scoff at phishing attack victims and put the blame on them. It needs to be recognised that this “blame culture” contributes to the real issue of slow reporting of phishing compromises which has a direct and material effect on organisations.
Studies collectively show, falling for phishing email is far from rare and the number of victims is growing. The real question is how to mitigate it? This article covers the discussion around the “carrot and stick” approach. They are not mutually exclusive and are most effective when used together to best suit your business.
The consensus in
the awareness training domain is not to blame the users. We should encourage
them to report any suspicious activities, particularly if they are the
originators of the breach.
Since a hacker only
needs one person out of the whole organisation to click on a single malicious
link, it is impractical to achieve zero click rate. However, if we have one
person that reports the incident, it allows the security and the IT team to
review and quickly stop the phishing campaign from spreading and causing
The Cyber Security Breaches Survey published by the UK government (Department for Digital, Culture, Media and Sport, 2019) found that the most disrupting attacks were more likely to be spotted by employees than by software, which is the case for 63% of businesses. This also aligns with previous years findings. Hence, we should realise the importance of staff vigilance and to understand the power of empowering employees.
of thought is to enforce punishment when people repeatedly fall for phishing
attacks. For example, Paul Beckman, CISO at the Department of Homeland Security
considered a policy to remove employees’ clearance if they repeatedly fail an anti-phishing
test. Needless to say, this is a controversial idea and received a lot of criticism.
One study showed that the perceived severity of consequences did not predict behaviour (Downs,
Holbrook, & Cranor, n.d.).
Studies also show that training focused on prohibition of behaviour or attitudes can often have the opposite effect whereas training that emphasises positive effects can and do change behaviour (Robinson, 2011).
What is your mix?
This table outlines the differences between the two approaches. It is essential to understand your business to pick the right mix.
Be mindful about leaning too heavily on the “stick” approach. The ripple effects can put a strain on employees’ morale, leading to a sense of anxiety and distrust. In the worst case, it can lead to grudge attacks. Reports show that internal threats in cybersecurity are prevalent and cause more grave damage than external attacks (Tripwire, 2017).
It is our advice to develop an approach that balances the carrot and the stick. Taking into account the responsibility of the role and its importance in your organisation will help you to determine the appropriate balance. For example, an IT admin would be expected to be much more vigilant to phishing than a clerk our your logistics desk. It may well be appropriate for the IT admin as part of their employment agreement to agree to a policy where there is a sliding scale of consequence for phishing breaches, whereas that would not be appropriate for the clerk.
Food for thought
Regardless of what stance you take on the approaches. It is important to consider the following:
– Ask your HR, legal and management to contribute
What are the legal or contractual requirements?
What is the company’s policy on rewards and penalties?
What culture is the company trying to build?
– Be consistent with your approach
For example, if enforcement is going to be implemented, senior management need to follow the policy as well. They need to be role models
– Understand that people make mistakes and don’t blindly blame your staff
As discussed, aiming for zero click-rate is unreasonable. Therefore, we need to acknowledge honest mistakes can happen.
– Ensure that you have an incident-handling process in place. For example, who/how to report them.
Your staff needs to know the proper process to be compliant with the company’s policies
To click, or not to click, that is the question. How do people make that decision?
Behavioural economics states that we think with both an intuitive mind and an analytical mind. Most of the time we rely on our intuitive mind to make those “quick and dirty” decisions such as fight or flight. If we see a tiger coming from a distance, we don’t need our analytical mind to list all the pros and cons before we know to quickly run away.
This also applies to cybersecurity, and with phishing specifically:
1) We have difficulty perceiving a threat. We may not see the tiger unless we’re aware it could also be in plain sight
2) many of us haven’t harnessed our intuitive thinking to create a habit of spotting and reporting phishing emails
While traditional security training tries to improve our analytical mind’s capacity, it doesn’t focus on sensing and handling dangers intuitively. The difference between what we know – and what we feel, can lead us to make a wrong decision.
Greater phishing awareness from employees can help prevent phishing attacks. One study confirms that those with a deeper understanding of the web environment and how to correctly interpret URLs are less vulnerable to phishing attacks. But the perceived severity of consequences doesn’t predict behaviour. This suggests that education efforts should be trying to increase intuitive understanding, rather than just warning about risk (Downs, Holbrook, & Cranor, n.d.).
Since New Zealand is far away from the rest of the world geographically, we like to think we are better shielded and safer from any physical or virtual attacks. There is also a sense that because we are a smaller ecosystem, the chances of us becoming a target are reduced. Let’s not forget though, we are only ¼ second away from anywhere in the world online!
This illusion may make us even more ill-prepared when disaster strikes. The truth is that we are aligned with the rest of the world when it comes to phishing attacks, which includes our susceptibility, phishing as the primary data breaching method and damage impact of attacks.
Security mindsets are not natural for people, which is why an alarming percentage of employees still fall for a highly effective phishing scam just months after they were trained to watch for it.
Once people are aware of phishing dangers, it is time to build safe email/internet browsing behaviour into habits. We need to harness our intuition and be able to quickly and effortlessly handle most of the phishing attempts.
Habit formation is a powerful means to behavioural change. Scientists have found that habits are formed and operated separately from the part of the brain responsible for memory (Duhigg, 2012). Studies confirmed that we make unconscious choices without having to remember anything about decision making.
Our brains are constantly looking for new ways to form automatic routines. For example, riding a bike or driving a car requires over a dozen separate actions, but we do them daily without a second thought.
How can we leverage habits to avoid phishing attacks with our intuitive mind? By repetition. When we repeat an action enough times, a process known as ‘chunking’ will take place where the brain converts a series of conscious actions into an automatic routine.
The habit process:
1. Cue. A trigger that tells your brain to go into automatic mode and which routine to use.
2. Routine. A physical, mental, or emotional behaviour that follows the cue.
3. Reward. Positive feedback to tell your brain that the routine works well and is worth remembering.
How to form the habit of defending against phishing
Let’s look at the case of checking emails and how we could tweak a routine to protect ourselves.
Security is a vast field. Often, it is mysterious, difficult and confusing. Frequent use of industry jargon among experts and in reports creates a barrier for people to discuss and understand. What is a SOC? What is a botnet? What are the different types of malware we should actually pay attention to? And why are we spending so much money and effort on something that may or may not happen?
Interestingly, people do know about phishing. They may not understand the logic behind it or the term itself, but most are familiar with those annoying emails asking for their details to claim a big prize.
These emails have been around for a long time. One of the first popular phishing emails was the Love Bug in 2000. All around the world, people received emails titled “ILOVEYOU”. https://en.wikipedia.org/wiki/ILOVEYOU
The email body only had a one-liner: “Kindly check the attached LOVELETTER coming from me”. Many were eager to find out whom their secret crush was and opened the attached file. The attachment unleashed a worm which overwrote the victim’s image files and sent a copy of itself to all contacts from the victim’s Outlook address book.
Since the Love Bug phishing almost two decades ago, the tactic and delivering of phishing remains fairly similar. People know all about it, yet still fall for it.
Phishing continues to be one of the most common and effective cybersecurity threats. It accounts for more than 50 per cent of the Office 365-based threats in 2017 (Microsoft Security, 2018). In New Zealand, there was a 55 per cent increase in phishing and credential harvesting in the fourth quarter of 2017 (CERT NZ, n.d.), 76 per cent of organisations say they experienced phishing attacks in 2017 (Wombat Security, n.d.) and, by the end of 2017, the average user received 16 malicious emails per month (Symantec, 2018). These scams cost organisations $676 million in 2017 (FBI, 2017). This begs the question:
How is this still a thing?
We will look at this issue from three angles; what motivates the attackers, why victims fall for it and how organisations perceive their own security programmes.
What motivates attackers:
Phishing is cheap, scalable and easy to carry out. Attackers favour this type of “low-hanging fruit”. An attacker can easily send phishing emails to 10,000 people and even if just 1 per cent click a link, their attack would be successful with 100 people.
A successful phishing campaign is generally the entry point for other attacks. Verizon reported that 92.4 per cent of malware is delivered via email (Verizon, 2018).
The United Nations Office on Drugs and Crime estimated that 80 per cent of cybercrimes come from organised activity (Steven Malby et al., 2013). Most organisations can’t expect employees to compete with organised criminals and be vigilant 100 per cent of the time.
Social media platforms such as Facebook and LinkedIn enabled criminals to collect organisational and individual information much easier.
Why victims fall for it:
There is still often a lack of awareness of phishing as a vector of compromise (Downs, Holbrook, & Cranor, n.d.).
Today’s ubiquitous technology creates constant interruption and leads to habitual multitasking. Both behaviours are linked to more frequent risky behaviours (Murphy & Hadlington, 2018). Especially for jobs that are multitasking in nature such as call centre staff.
Clicking on links provided in emails is part of everyday behaviour. Some may require us to log in with credentials. By targeting this process, legitimate looking phishing attacks often catch us when we are not fully paying attention (CERT NZ, n.d.).
Spotting phishing emails is not always a straightforward task, especially when it comes to the well-researched and targeted “spear-phishing” email.
It is no longer about spotting bad grammar and spelling mistakes. Instead, malicious emails are often polished, even exceeding employees’ copywriting skills. They would look like they are from an organisation or person that you trust and recognise.
We are optimistic. The optimism bias is an age-old human trait essential to our well-being. The optimism bias in cybersecurity, however, causes problems. For example, the mentality of “no one is interested in attacking me”. Due to the optimism, we tend to underestimate risks and engage unnecessarily in overly risky behaviours. When we receive emails designed to infect our machine with malware, we don’t necessarily treat them with the suspicion and wariness they deserve.
Here’s why organisations fall for it:
This same optimism bias also applies at the organisational level.
One PwC (2018) report found that executives were overconfident in the robustness of their security initiatives. Some 73 per cent of North American executives believed their security programmes were effective.
Organisations often opt for a “tool-first” approach. While tools are necessary, investing in technology before people can be troublesome. Spending millions on technology can certainly make you feel safe. However, cyber threats often aren’t technological driven but are a result of how human brains work. Our curiosity, ignorance, apathy, and hubris are often our vulnerabilities (Dante Disparte & Chris Furlow, 2017). So balancing technological measure with human-centred defences is crucial to preparing and preventing future cyber-attacks.
Investing in people could be more ambiguous than investing in tools. A sceptical executive could ask reasonably what the ROI on developing a training programme was – and question the value of taking people out of their regular jobs to get trained.
Phishing on steroids today
Email continues to be the most common vector (96 per cent) for phishing attacks (Verizon, 2018). Recently, the scam has spread to social media, messaging services and apps.
With the rise of social media, phishing attacks are now on steroids, since it has become so much easier for attackers to harvest personal information and compose more legitimate or tailored email (spear-phishing). Social media also becomes a phishing channel.
People are more likely to click on a link from their friends or families. It means that when an attacker harvests one social network credential, they can easily reach out to new “friends and families” and compromise even more accounts through the wonders of the network effect.
Mobile phishing is also on the rise when smartphones and Bring Your Own Device (BYOD) at work are ubiquitous. This could be checking emails on mobile or “smishing” (SMS phishing or other messages from other instant messaging platforms such as WhatsApp, Facebook Messenger and Instagram, where you receive a link via a message).
There is an 80 per cent increase every year since 2011 of people falling for phishing attacks on mobile devices (Lookout, n.d.). Our devices are often connected outside of traditional firewalls and so have less protection. Lookout reported that 56 per cent of its users received and tapped on a phishing URL while on a mobile device. Attackers will no doubt continue to leverage new and popular services as they become available to break this human defence line.
Building a “human firewall”, making New Zealand digitally safe
Datacom’s goal is simple – to make New Zealand digitally safe.
The National Plan to Address Cybercrime clearly states that New Zealand businesses, other organisations and the overall economy would be affected if our nation fails to develop the capability to address cyber-attacks (Department of the Prime Minister and Cabinet, 2015).
Experts believe we are experiencing the beginning of the next “cyber-arms race”. While continuous investment in defensive security, e.g. protecting our strategic infrastructure and electricity grid, is undeniably important; the overall growth of cybersecurity awareness among every one of us is equally critical for our national cyber defence. After all, we’re connected now more than ever – each of us is either part of the problem or part of the solution. The worst-case scenario would become even worse when we start living in smart cities with self-driving cars, surrounded by a myriad of Internet of Things devices. We cannot slow down the rate of technological innovation, and so we must speed up our collective preparedness.
In this series, we look at strengthening the “human firewall” from three different perspectives :
In part 1, we explore the “Why”. Why do we fall for phishing attacks from a psychological perspective, and how could we form and change our habits to protect ourselves and our organisations?
In part 2, we look at the “What”. Given the difficulties around defending against phishing from the human perspective alone, what are the components of a multi-layered defence system that can increase organisational resilience?
In part 3, we investigate the “How”. Specifically, how could we effectively run user awareness training and phishing simulations, and how do we balance “the carrot and stick”?
Murphy, K., & Hadlington, L. (2018). Is Media Multitasking Good for Cybersecurity ? and Everyday Cognitive Failures on Self-Reported. Cyberpsychology, Behavior, and Social Networking, 21(3), 168–172. https://doi.org/10.1089/cyber.2017.0524