Top security challenges and how to overcome them: Employee training

Welcome to this blog series which highlights the top security challenges organizations are facing and discusses how to overcome them. In this series of five articles, each will target a specific challenge while providing guidance on how to find the method(s) that work for you while meeting your organization’s unique needs to rise above each of the challenges.

Given each organization’s differing needs, requirements, budgetary constraints and regional location, consider the guidance provided here to be less prescriptive (i.e., you need to do this), instead, look at it as listing out the potential options available – alongside their respective strengths and weaknesses – allowing organizations and the administrative teams that support them to develop the security strategy that works best for them while still addressing the threats, attacks and concerns of the modern threat landscape that most impact their business operations, processes, users and of course, data.

In the previous blog, we discussed governance and regulatory compliance challenges. In this second entry, we turn our sights to employee awareness training as it pertains to cybersecurity. Continuing the one-two-three-type of format, we’ll discuss:

• Who is the weakest link in cybersecurity and why?
• Training is critical in defense-in-depth strategies
• The role of organizational policies, regulations and best practices

But first, let’s take a quick look at some security threat trends year-over-year (YoY).

Background: Security threat trends YoY

It really doesn’t matter how awesome your IT and Security teams are, how many solutions an organization is willing to add as part of its security strategy or if there’s an unlimited amount of resources at your disposal. At the end of the day if the organization doesn’t know:

• what threats it's up against
• which resources are being scoped
• who is attacking them
• where it’s coming from
• how they’re being attacked

All the security protections won’t amount to much because they’re not being properly focused to stop the types of threats that the organization is experiencing.

Take for example a finding from the Jamf Security 360: Annual Trends Report for 2023, where “we saw that 8% of users and 21% of organizations were impacted by configuration vulnerabilities.” Or the most common and reigning king of threat types – phishing – continues to be at the top of the threats list year-over-year consistently.

Why you ask? As Jamf has covered before, it’s simple: The minimal level of resources required by threat actors to carry out campaigns compared to the huge rate of success means phishing attacks are the proverbial “low-hanging fruit” of the cybersecurity world. Exemplified clearly by the following finding by Jamf, “9 out of 10 security data breaches happen when bad actors use deceit and scaring tactics to trick employees into providing corporate information or access to corporate data and devices.”

Who is the weakest link in cybersecurity and why?

Sadly, the ever-present constant is the users.

As mentioned previously, a comprehensive plan replete with the latest and greatest security controls still has one glaring hole in its defensive armor: the wearer, or in this case, the end-user when they:

• transmit confidential data over unencrypted networks
• use weak, easy to guess or no passwords at all
• hand over sensitive credentials to anyone
• click on suspicious links or open attachments
• navigate to websites that are not secured
• disable or change secure configurations
• introduce risk by using unsanctioned apps/services for work

And dozens of similar risky behaviors that introduce various other risk factors that only complicate matters when it comes to securing endpoints and safeguarding access to organizational resources and privacy data.

Ironically, this very same weakness also provides organizations with everything they need to know to shore up this type of deficiency in their security strategy. After all, “one of the best defensive measures is not a security control but an administrative one – cybersecurity awareness training.” – Jamf Security 360: Annual Threat Trends Report

Training is critical in defense-in-depth strategies

Much like how security used to be viewed as an afterthought in IT, the tide is changing for security awareness training as well. Given the pervasiveness of defense-in-depth (DiD) strategies for security that look to layer various solutions. Different types of security training, like social engineering training, for example, represent an additional solution that gets folded into the strategy or net that can “catch” threats through any of the multiple levels of protection.

A critical benefit – dare some might say “superpower” – that training offers over other controls in the DiD strategy is that when a user has been provided the knowledge to identify and properly respond to threats, the threat can be largely avoided. For example, consider how a phishing attack often relies on some form of communication to be initiated from the bad actor to the victim. Once the message is delivered to the victim, it is up to them to act upon the message. Should they click on the link or perform whichever malicious action is being requested of them, the attack will likely result in success to some degree or another.

Create a culture of security

However, if the end-user ignores the message or better still, reports it using the organization’s reporting workflow, they would have completely side-stepped the threat in the former scenario or not only side-stepped the threat but also alerted administrators that such a threat is present where they may be able to take further action to eliminate the threat for the entire organization, thereby saving others countless users from falling prey to the attack.

In other words, some threats cause the endpoint, user or data to become compromised the moment the attack is carried out. But by having the requisite knowledge base to draw from, stakeholders are able to spot the types of threats that do not deliver the payload until after the victim performs the action attackers are requesting. Thereby preventing the completion of the attack, which would have otherwise compromised the target. The difference is that stopping certain types of attacks is well within the user’s grasp…they only require training to be empowered “to identify new and evolving attacks and take proactive steps to improve their security hygiene — both at work and in their personal lives.”

Security awareness training examples

Below are some examples of how a security awareness training program occurring regularly can generally help stakeholders and those in specific roles to perform their job functions more securely. Also, this ensures that workflows, processes and actions used in the daily performance of job tasks are done with an awareness of the latest threats to minimize risk.

End-users: Staying abreast of the newest threats by receiving regular updates on security trends, like novel attack types, services being targeted, current campaigns and converged threats that see threat actors chaining together several threats as part of a sophisticated attack chain. Additionally, threat intelligence provides stakeholders with known attack patterns and behaviors that may help end-users minimize risk from data leaks or exposure – regardless of whether it occurs on personally- or company-owned devices – and impacts both work and personal data alike.

Developers: The threat landscape evolves so quickly as threat actors develop new, never-before-seen methods to attack stakeholders. This applies to more specialized attack types that target certain roles and/or the tools they rely on to perform their job functions. In recent years, supply chain attacks have been on the rise; this includes exploiting vulnerabilities in third-party systems and code with the aim of injecting malicious code into applications signed by trusted developers in an effort to sneak them past static code reviews, App Stores and generally infect large swaths of devices and organizations globally. Furthermore, as part of the software development lifecycle (SDLC), secure coding practices – especially in light of the growing number of open source targets – have garnered large attention in an effort to further strengthen the security posture of a company and limit data leaks as well as part of a holistic DiD strategy that incorporates security training for developers.

Administrators: IT and Security team members are not immune to security threats. In fact, under certain circumstances, they present a large target as threat actors are quite aware of the elevated permissions users in this group often have assigned to them. Successfully compromising an admin-level credential may require a similar effort to other user types, except the payoff could yield access to a greater number of systems and may extend across the entire infrastructure. Understanding the threats and attacks making the rounds helps all users to stay protected, but for admins with higher levels of permissions and access rights, protecting themselves is table stakes to keeping the organizational network safe for all.

Management: Like the admins above, employees that fall into the management category often make large targets for threat actors but for different reasons. Consider whaling, a type of phishing that specifically targets members of the C-suite, the payoff could mean access to confidential documents, data relating to finance or operations – or any such information that is not deemed for “public distribution”. This includes data that could trigger compliance violations, legal ramifications and even a change in the company’s reputation.

HR/Compliance: Protecting privacy data has also seen its priority elevated in recent times as threat actors are targeting these data types for myriad reasons by criminals such as, extortion to stalking to identity fraud and nation-states targeting journalists, dissidents and geopolitical-related concerns. The list of reasons doesn’t end there and that’s worrisome, especially when this concerns industries that are regulated, meaning issues surrounding data handling, storage and transmission are only part of the equation. Stakeholders that are bound by regulatory governance are increasingly burdened by the threat actors trying to compromise data while balancing it against agencies that regulate protected data.

“While cybersecurity capabilities and awareness seem to be improving, unfortunately the threat and sophistication of cyber-attacks are matching that progress.” – Forbes

Organizational policies, regulations and best practices

According to Jamf and the consensus view shared by other industry leaders in security, “Investing in security awareness training programs for company stakeholders is an important part of a company’s security strategy and should not be overlooked. This means implementing ongoing, versatile training for end users that covers a variety of best practices and educates users on the latest threats that are most likely to affect them.”

As part of any DiD strategy, the key is always to integrate:

• security solutions so that they securely share rich telemetry data
• protections to ensure that they enforce compliance requirements
• organizational policies within the security plan to maintain alignment
• best practices to ensure strong security postures for devices and networks

Lastly, by integrating cybersecurity awareness training into the defense-in-depth strategy, this process serves to iteratively inform the establishment of advanced workflows and to holistically extend features across the infrastructure while keeping endpoints, users and data safe against threats old and new.

“During the past 12 months, 34.5% of polled executives report that their organizations' accounting and financial data were targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one. Nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations' accounting and financial data to increase in the year ahead.” – Deloitte