User Education & Awareness

Posted on 11-Jan-2022

Page 1: User Education Awareness

Users are at the centre of the vast majority of successful cyber-attacks and therefore have a critical role to play in your organisation’s security. Learn how to turn one of your biggest security risks into one of your biggest assets.


Page 2: User Education Awareness

www.littlefish.co.uk

Introduction: Exploiting Weaknesses Among Your Users

At the centre of the vast majority of successful cyber-attacks is a user. Someone who either knowingly, or inadvertently, gives a would-be attacker a foothold within your organisation, opening the door for a compromise to occur.

Users therefore have a critical role to play in your organisation’s security.

It’s essential that your security policy and technologies enable your users to carry out their jobs effectively, whilst contributing to a secure environment. This can be supported by a regular, concise and engaging security awareness programme, delivering security knowledge and engendering a security conscious culture within your organisation.

A Wolf In Sheep’s Clothing

Unsurprisingly, the most common way in which users are exploited by cyber criminals is through social engineering, delivered by email.

This method involves a cyber attacker constructing a fake email which is sent to a user to lure them into performing an action. When the user performs the action, a foothold is created for the attacker. Actions include opening an email attachment that contains malicious code (‘file-based’ attack), or clicking on a link to a malicious website (‘file-less’ attack).

In our cloud-based world, in which e-commerce retailers and online banks offer a frictionless user experience to increase conversion and task completion, it now feels completely natural to users to click on links and be directed to web browsers, where they are then required to enter credentials.

It is therefore becoming increasingly challenging to combat ‘file-less’ attacks, which prey on users’ sense of ‘normal’ by mimicking a common, second-nature process which involves little user thought.

Page 3: User Education Awareness


Technology: Achieving A False Sense Of Security

Many organisations invest heavily in several security technologies, such as anti-virus and gateways, to help protect them against attacks by cyber criminals.

These tools undoubtedly do a lot to help protect organisations from known malicious artefacts, email addresses and websites, but the exponential rate at which attackers develop ever more sophisticated and targeted attacks makes full detection difficult and sometimes impossible.

With nearly 60% of all global email traffic being made up of spam or malicious email, it is no wonder that some slip through the net of these technologies. In the SANS 2017 Threat Landscape survey, 74% of the reported cyber-threats which compromised systems were delivered by an e-mail attachment or link.

Technology, even with improvements engendered by advancements in AI and machine learning, can only defend against threats which are known or follow a recognisable pattern or trend, but the threat environment is dynamic and rapidly shifting, with security technology fighting a constant battle to keep up.

So a key component of defence against cyber-attacks is having a cyber aware organisation. This means achieving organisational vigilance, by preparing people for attacks and how to recognise them. Your users could become the best detection tool your organisation has against real threats.

A Flawed Education

The stale approach of providing security education for new employees at a time when they are overwhelmed with a deluge of information, supported only by a tedious annual ‘refresher’, is widely understood to be unsuccessful and frustrating for employees. The fact that users continue to click on links, enter credentials and open malicious attachments is testament to the ineffectiveness of this approach.

That said, a robust security awareness briefing is important and enables expectation setting from the outset, particularly in relation to user responsibilities.

Page 4: User Education Awareness

A Fresh Look At User Education & Awareness

Nearly all organisations are investing in user security education and awareness. But almost 60% acknowledge that they need to do more.

We must be more creative in our approach to providing cyber security education, and it makes sense to actively test the success of any education programme to measure the ongoing effectiveness of the content and delivery methods.

The best approach to delivering cyber security education is by providing sharp, focused and relevant information to your users.

The content must be delivered at regular intervals to maintain interest, embedding cyber awareness so it becomes habitual for your employees, not just in the workplace, but also at home. The information must be understandable, actionable and easily digestible to ensure your users:

Have the information to recognise suspicious or unusual behaviour

Recognise their professional and legal responsibilities

Know how to react to a range of cyber situations

The Littlefish User Security Education and Awareness service provides this content directly to your end users on a monthly basis, using engaging design and content to help bring the real threats to life.

The content can be adapted to focus on industry-specific threats or align with internal security policies if required. It supports the guidance from NCSC on using education and awareness as part of their ‘10 Steps To Cyber Security’, particularly in relation to maintaining and monitoring an awareness programme for employees.

Regular tests of samples of users are conducted to test the effectiveness of the content and delivery methods. Since phishing is the number one cause of security breaches (Webroot threat trends report 2017), this is the primary focus of regular user testing through fake emails that are designed to encourage the user into performing various actions mirroring the methods of real cyber attackers.

Users who are tricked into performing an action are redirected to additional education material. This material includes short, easily digestible videos, which help them learn the concepts that would have helped them avoid a successful compromise had the email been a genuine cyber-attack.

Measuring Improvement

This experience is easily measurable both in terms of employees falling foul of the fake phishing emails, and their responses to the educational material through a series of questions.

It also allows improved targeting of future security awareness material, focused on either specific areas of your organisation that are particularly susceptible, or on specific types of phishing attack that have recently proven to be more effective.

As a holistic service this provides a managed, ongoing awareness programme that equips your employees with the knowledge they need to make them the most effective threat detection tool your organisation has.

About The Author

Littlefish Head of Cyber Security Katy Hinchcliffe is a highly regarded cyber security leader. With over a decade’s experience delivering a broad range of cyber security services to enterprise clients for global IT outsourcer Capgemini, notably managing the prevent, detect and respond functions on behalf of Rolls-Royce, Katy is now responsible for developing Littlefish’s Cyber Security practice.

Page 5: User Education Awareness


Contact us to learn more about transforming your users into an effective threat warning system:

Littlefish Cyber Security Services
Price House, 37 Stoney Street, Nottingham, NG1 1LS

T: 0115 941 5111

E: [email protected]