Throughout my years at Social-Engineer, LLC, I have had the pleasure of giving speeches for many different companies. This has enabled me to view cybersecurity through each of their lenses and learn from them. It has also enabled me to help aid in their educational development. Today, we will discuss what I learned and why these speaking engagements and discussions are so important. Along with helping your company strengthen its security posture, this will help all of us gear up for the coming Cybersecurity Awareness Month (CAM).
Awareness of Information
Beneficial security awareness seems to start with the awareness that you can always be more secure. In addition, it includes the awareness of the information that exists about your company online. Acknowledgement of the former benefits your companies and employees. This is because it acts as a motivator to continue increasing your security posture through training, testing, and standard reporting methods. The latter acts as your baseline. Knowing what online information is available about your company and employees online enables you to shift your perspective to how an attacker might utilize that information. This allows you to remove potentially sensitive details, such as vendors you work with, investors, and client names, from publicly available sources. It also enables you to remember how attackers may leverage the information available to them. As a result, you can now be on the guard against pretexts that utilize such information.
Sometimes, though, it can be difficult to shift from the marketing or advertising perspective into the attacker’s perspective, viewing information the way an attacker would. In my speech, Understanding Vishing from the Attackers Perspective, I spend time with clients viewing open-source intelligence (OSINT) on a selected target, and crafting an attack specifically for said target. This helps them to practice the attacker’s perspective. In other words, learning to view information the way the malicious actors do. Because of this, they can then design their personal or companies’ social media to reflect information that they are comfortable with these malicious actors having access to. Again, it all starts with the awareness of what information is available about themselves or their company on the open web.
Reporting Methods
Having standard reporting methods is arguably one of the most important things you can do to keep your company secure.
Imagine the following scenario: Ted gets an email that seems legitimate. He decides to click on the link and log in to the familiar looking company portal with his credentials. After logging in, the page errors out. This feels off to him, so he decides to report this email and his actions to the IT department. Because of this, they can follow up on this threat, change Ted’s credentials, and warn all other employees of this attack. Imagine if Ted had not reported this email, nor even known how to report this email! This threat could have persisted, spreading across the company. This demonstrates how important it is for all employees to not only know when to report a phishing email, vishing call, or smishing attack, but to know the company’s method for reporting such threats.
In speeches given by Social-Engineer, LLC, we work with you to include your company’s reporting methods in our information. This familiarizes employees even further with your standard reporting practices. In the past, I have heard of employees seeing these reporting methods for the first time in my speech! How important it is to ensure that these methods are known and delineated to the proper places.
Positive Reinforcement Model
Recently, I was in a client meeting where a discussion came up regarding reinforcement models, and if positive or negative programs work better. At Social-Engineer, LLC, we strongly believe that positive reinforcement models are the only ones effective for your security programs. Our CEO, Christopher Hadnagy, had the following to say surrounding this:
“Any good parent knows that you are not going to get compliance from your child by humiliating them or speaking down to them. The same goes for our employees. But by using a positive reinforcement model, you create a culture of cybersecurity and foster a powerful team dynamic.”
As an example, imagine if Ted, from our story above, had been reprimanded every time he failed his phishing tests, rather than commended when he passed or reported these tests. Do you think he would have had the confidence to report the phishing email, especially when he had clicked? Likely not. This would only have succeeded in increasing risk for the company. This is one reason why we stress positive reinforcement models to all our clients and readers.
Testing
One thing I have observed across some of what I would consider the more “secure” companies, was that they all had required testing for their employees. This testing was not simply “watch this video” and check a box that you’re “trained.” No, the best testing is hands-on and simulates real phishing and vishing attacks. This is essential for employees to know how to respond to these attacks in real time. You can read and watch videos on vishing all day, for example, without really learning what a real attack may sound and feel like. The benefit of having the experience of shutting down a caller cannot be understated.
I have had the pleasure of firsthand seeing people react when they hear what a professional vishing call sounds like. They are generally surprised, and there is always some awkward laughing in the audience. Why are they surprised? Because these calls sound like normal conversations. It’s incredible to hear what information can be elicited when enough rapport is built!
In Conclusion
In preparation for CAM, be sure to keep the points we discussed today in mind. Knowing what information exists about not only yourself, but also your company, online is vital. Testing and standard reporting methods reinforce the training that you provide or go through. Don’t forget to keep a positive reinforcement model, as this really brings home all the work that you have put in.
Above all, work with employees and your company to prepare for the most productive CAM you can have. Our team can work with you to tailor speeches to your methods, to do OSINT on your company and employees, test employees, or educate on what methods attackers have recently been leveraging. Each of these options can aid in bringing you one step closer to a strong human firewall. Let’s work together to make this the most productive CAM yet!
Written by
Shelby Dacko
Human Risk Analyst
Social-Engineer, LLC