Case in point: An employee at a State Department of Revenue recently clicked on a malicious email link, a single act that allowed an attacker to obtain 3.8 million tax returns containing Social Security numbers and bank account numbers. Ultimately it cost over $13 million for the investigation, legal fees and purchase of identity theft monitoring services.
Social engineering attacks have proven time and again that people can often be the weakest link, but security training can turn the average user into a formidable asset. When users know and understand what traps to avoid (for example, untrusted websites and unknown email attachment senders) and what technologies to employ (say, using encryption tools to send sensitive information), the attack surface of the firm is greatly reduced. Savvy users are a key aspect of overall security.
But it doesn’t end with users. System developers need education and training on how to avoid the Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors. These coding faults, according to CWE and the SANS Institute, are the most widespread and easiest to exploit, allowing cyber attackers to take over software and steal your data. Training developers to recognize these vulnerabilities and to avoid them will make intrusions into your systems less likely. This, in turn, gives customers more confidence in your services and in your ability to protect their personally identifiable information.
Executives need special security training, too. They occasionally want to waive or relax security measures for their productivity or their staff’s convenience; however, they are often the most likely targets since they routinely handle the most sensitive information. With the right security training, executives will appreciate and support reasonable security practices both for themselves and their organization.
Security has to be a full team effort and it is not a pick-up game. Network operations defenders have to be constantly vigilant to stay ahead of the threats. If the first time net defenders encounter an advanced threat is during a real attack, they probably will not be successful against it. But, if they have trained against similar scenarios, they will know how to defend your network and systems.
And the training must be ongoing. Today’s workforce depends on its information systems to execute its responsibilities, and these systems are increasingly under cyber attack. Regardless of a corporation’s business domain, there are cyber actors working to harm it. They might be hackers, cyber criminals or identity thieves. Their goals could be disruption, embarrassment, blackmail, or theft of proprietary data. Cyber actors use an array of tactics and tools and are continually improving their attack methods. As these evolve, so must we adapt and update our defenses and training to stay ahead of the threats.
Affordable investments in security training can prevent significant cost and damage to systems and will also ensure employees understand the consequences of lost or stolen information. We owe it to our board members, our customers, and our employees to protect what we have worked so hard to build: our corporate success and reputation.
Requirement or boondoggle? A boondoggle is a wasteful or impractical activity. What could be more wasteful than suffering the consequences of a cyber attack, losing critical data and damaging your corporate reputation due to insufficient security training?
A knowledgeable, trained workforce will help limit the attack surface exposed to cyber threats and help ensure we protect proprietary information and our customers’ data, and successfully execute our corporate mission.
The consequences of a cyber attack are too great to ignore. Sure, you will not be able to stop every cyber attack. But you had better know and be able to prevent the most common attacks, know where your greatest risks are, and know how to manage those risks. Security training throughout the enterprise is a core requirement to keep the trust of your customers and employees, and to protect the firm’s hard-earned reputation.
The Missile Defense Agency (MDA) is a research, development, and acquisition agency within the Department of Defense. Our workforce includes government civilians, military service members, and contractor personnel in multiple locations across the United States.