If I were to ask you to list your top security threats, how would you respond? No doubt many would mention cybersecurity, seemingly the hottest topic at banking conventions, forums and with examiners. A Google search for "top cybersecurity threats" produces lists like these:
- Machine-to-machine attacks, headless worms, jailbreaking the cloud, ghostware and two-faced malware (http://www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html)
- Extortion Hacks, Attacks That Change or Manipulate Data, Chip-and-PIN Innovations, IoT Zombie Botnet, More Backdoors (http://www.wired.com/2016/01/the-biggest-security-threats-well-face-in-2016/)
- IoT: The Insecurity of Things, Sophisticated DDoS Attacks, Social Media attacks, Mobile Malware, Third-party Attacks (http://www.pcworld.com/article/2867566/experts-pick-the-top-5-security-threats-for-2015.html)
Some of the aforementioned items might be in your own list and, like me, you may not even be familiar with some of these threats. How would you answer if I rephrased the question: "What is your weakest link in security?"
You Are The Weakest Link!
Well, YOU may not be the weakest security link but your employees probably are. In a CIO.com article aptly named "People Remain the Weakest Link in Security," Graham Welch makes this statement: "People are largely trusting in nature. If you get an email from a friend, family member or work colleague with a link, we tend to think it is genuine and trust the content. Yet again we know that cybercriminals can easily mock up an email reportedly from an acquaintance to fool us into believing it to be genuine."
One of the particularly maddening things fraudsters exploit is the fact that banks sell trust and your employees are good, friendly, trusting people by nature of your helping profession. Of course, social engineering is defined as the clever manipulation of the natural human tendency to trust. However, after two decades of ever-evolving phishing emails…from the early emails from Nigerians desperate for your assistance and willing to pay exceedingly handsomely for it to the latest, hard-to-discern-from-genuine, malicious link or attachment-laden versions…one might assume employees would now recognize these schemes. For their own sake, if not for the bank's. But, Welch goes on to say, "It seems people cannot stop themselves clicking on links they receive in emails without even the most cursory check on whether it is a valid link or not. It is an easy step often overlooked that you hover your mouse over the link and see what web address it is trying to send you to."
2015 Social Engineering Test Results
The following statistics are drawn from more than 200 external penetration tests conducted in 2015. Historically, most financial institutions have conducted only annual security awareness training and those who tested the effectiveness of their training also generally only did so annually. An analysis of these social engineering test results confirmed what I observed for almost 8 years as an IT auditor: Annual training/testing is not effective enough.
In 2015, failure rates for social engineering tests ranged from a low of 14.5% (employees clicked on an email phishing link) to 31% (employees downloaded a file after being prompted via a phone call)! Furthermore, there was almost no difference in failure rates between small and large financial institutions:
- Financial Institutions with assets under $250M – 24% average failure rate
- Financial Institutions with assets $250M-$750M – 23% average failure rate
- Financial Institutions with assets over $750M – 23% average failure rate
This was particularly surprising because one might have expected smaller banks to do better than larger banks (fewer numbers of employees to train and probably lower turnover) or larger banks to do better than smaller banks (more resources for training, possibly a bigger target than smaller banks). The point is…everyone is performing equally poorly, because a single failure on a real social engineering attack is too many.
Now What?
Welch concludes his article by saying, "People are no doubt the soft underbelly of any organization, and through education and awareness we can try to limit their ability to compromise network security."
Banks must cultivate a culture of security awareness rather than relying upon a single annual security awareness presentation or training course. Many banks have begun sending monthly emails, integrating short presentations about security awareness into morning meetings, sharing (sanitized) genuine phishing emails that sneak through their spam filters and distributing interesting articles online and in bank association magazines. Additionally, banks should engage a competent external penetration-testing firm for security awareness/social engineering testing at least annually. And, thanks to a relatively new type of software, banks can now augment their external security awareness testing by sending their own phishing emails. This software allows banks to easily and economically test employees' security awareness AND immediately train users who fail the test.
So, promote a security awareness culture and consider phishing your own employees so they'll better recognize a fraudster's phishing attack.
Keith Laughery is an Account Manager for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing and Tandem – a security and compliance software suite designed to help financial institutions with GLBA and other regulatory compliance. Read about our newest Tandem Software solution, Tandem Phishing, at https://conetrix.com/Tandem#Phishing or contact Keith at klaughery@conetrix.com or 800-356-6568.