With increasing requests from clients regarding their cybersecurity controls, companies are looking to us to help in a number of areas, with questions about written security policies, vulnerability and penetration testing, risk assessments, and security awareness training. These questions and concerns, which were mainly targeted towards large companies are now also crucial for small and medium-sized businesses.
In addition to the previously mentioned topics, clients are looking to see that companies have certain security tools in place such as:
Multi-Factor Authentication (MFA): MFA is a keyway to provide an extra layer of security to prevent hackers from accessing your system. MFA is when an alternate means of identification, in addition to a password is necessary to log in.
Endpoint Detection and Response (EDR): EDR is a cyber security solution that continuously monitors, collects data, and responds to help mitigate cyber threats.
Backup: Companies should be sure to include multiple forms of backup with at least one stored off-site. Backups should also be regularly tested to ensure they can be restored as needed.
Patching: Patches are software and operating updates that help address any vulnerabilities and keep your system up to date.
If your company is getting overwhelmed by client requests about your security posture, you are not alone. If you think your current measures may not be up to par or do not have the time, Designed Privacy created a program that provides you with a guide to cybersecurity and the tools you need to keep your company and your clients protected and stay competitive.
This Fall, the personal health information of over 170,000 dental patients was exposed in a data breach associated with the Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group. According to the Professional Dental Alliance, patient information was exposed due to a successful phishing attack against one of their vendors, North American Dental Management. The phishing campaign gave attackers access to some of NADM’s emails, where the personal information of patients were apparently stored.
While the Professional Dental Alliance has said their electronic dental record system and dental images were not accessed, an investigation found that the protected health information of patients such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information were accessed by the attackers.
These incidents reveal just how vulnerable professionals can be against cybersecurity attacks and data breaches. One of the reasons for this is because many professionals are small businesses who don’t have the time or expertise to deal with everything that goes into cybersecurity. So, many professionals rely on vendors and associations to ensure they are protected. The issue is, if those vendors and associations experience a breach, professionals are also at risk.
To keep their patient information safe, it’s vital that dental offices and all professional businesses pay attention to some of the human risks that can lead to cybersecurity incidents. The attack this week, for instance, was the result of a phishing attack that tricked an employee into handing over account credentials. Here are a few things all professionals can easily do on their own to stay secure:
Endpoint detection and prevention
Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops, and other devices to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today to stay on top of potential threats and put a stop to them before they can cause any damage.
Using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. For example, if an employee is successfully phished and the attack gets that employee’s login information, having MFA in place for that employee’s account can stop the attacker from accessing their account even if they have the right username and password. If possible all users accessing your system should have multi-factor authentication set up for all of their accounts. At minimum, however, it is extremely important that every user with administrative privileges use MFA, whether they are accessing your network remotely or on-premise.
Hackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain important security features that “patch up” known vulnerabilities. At the end of the day, if you’re using out-of-date software, you’re at an increased risk for attack. It’s therefore important that your team stays on top of all software updates as soon as they become available.
Having a backup of your systems could allow you to quickly restore your systems and data in the event of an attack. This is especially important if you are hit by ransomware, in which the attackers remove your data from your networks. However, it’s essential to have an effective backup strategy to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your backup. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.
Security Awareness Training
As this latest data breach shows, phishing and social engineering attacks are common ways attackers gain access to your systems. Unfortunately, phishing attacks are not something you can fix with a piece of software. Instead, its essential employees are provided with the training they need to spot and report any phish they come across. Sometimes it only takes one wrong click for the bad guys to worm their way in.
A recent article in The Wall Street Journal highlights some of the big changes that businesses have made to their employee training programs since the start of the pandemic. Typically, these trainings are formal, multi-hour in-person meetings. According to Katy Tynan, research analyst at Forrester Research, “formal, classroom-delivered training was easy to plan and deliver, but organizations didn’t always see the intended results.” Once the pandemic came along, trainings moved online and offered fun, informal bitesize trainings that employees take overtime. These changes to classical training programs echo many of the behavior-design principles that we incorporate into our cybersecurity awareness training.
Let’s break down some of the key changes the Journal article discusses and how they related to behavior-design principles:
1. Keep it Simple
Instead of hours-long trainings, businesses are starting to break down their trainings into small pieces for employees. In behavior-design terms, this represents an important element towards creating change: making sure users can easily do what we are asking them to do. Simply put, you can’t throw a ton of information at someone and expect them to keep up with it all. What’s more, employees will be a lot more willing to go through with a training if they know it will only take 5 minutes instead of 5 hours. Keeping trainings short and easy to do are therefore important steps towards ensuring that your desired outcome aligns with your employees’ abilities.
2. Consistency is key
Most traditional training programs are a one-and-done deal. Once it’s over, you never have to worry about it again. However, this is exactly what we don’t want employees to take away from training. Instead, consistency is key for any changes. With short lessons, employees can go through the program in small, daily steps that are easy to manage while also keeping the training in their mind over an extended period of time.
3. Make it Interesting
The final piece of the behavioral puzzle is ensuring that employees actually want to do the trainings. Most traditional training programs may involve some small group discussions, but overall employees are shown videos and made to listen to someone talk at them for long periods of time. Employees are only taking in information passively. Instead, trainings should be fun, interesting, and engaging to keep users coming back for more.
The pandemic has brought about so many changes to our lives. While some of the changes have been for the worse, it’s also forced us to start thinking differently about how we do things and come up with creative solutions. The new trend in training programs is one such change. And what makes these changes so successful is the way it incorporates some of the basic behavior-design principles. This is an approach we’ve taken when we developed The PhishMarket™, our cyber awareness training program. By offering engaging and interactive 2-4 minute lessons given daily over an extended period of time, our program has shown success in reducing employee phish susceptibility 50% more than the industry standard.
Earlier this week, the trading app Robinhood announced a data breach in which a mixture of email addresses and full names of 7 million of their users were stolen. It is still unclear what impact this may have for Robinhood’s entire userbase. However, at the very least, this breach could provide attackers with enough information to carry out phishing and other social engineering attacks against those whose data was stolen. While on the face of it, this may appear to be your standard data breach, a closer look reveals how human factors lead to the breach.
While we don’t have all the details yet, according to Robinhood’s statement, the attack was carried out after someone called the company’s customer support line and tricked an employee into handing over access to “certain customer support systems.” From there, the attack was likely able to access customer information or gain additional access to other parts of Robinhood’s network. This form of attack is commonly known as a “vishing” attack, in which the attacker impersonates someone over the phone rather than through a traditional phishing email.
This form of attack is not uncommon and highlights a number of key questions that business leads need to consider when it comes to digital risk. First, it’s important to take a broad view of all the different avenues attackers could use to gain access to your systems. While your customer support channels may not come first to mind, any outward-facing platforms can pose a risk. Second, business leaders and their employees need to start thinking about how their own digital behaviors can be leveraged against you. Traditional security awareness programs do a good job at explaining issues and in some cases testing for the presence of negative digital behaviors. But, to start to see real change, security awareness training needs to focus on designing for the positive, more secure behaviors that are strong enough to override the bad online habits we develop.
Any way you cut it, the Robinhood data breach is yet another example that highlights the vital importance of taking a human-factored approach to cybersecurity. Business leaders need to actively invest in not just security tools, but also in training and controls that help employees understand human factors threats and what they need to do to ensure they don’t fall for social engineering scams.
In many cases, our employees are our first line of defense against cyber-attack. However, for employees to start developing habits that are in line with cybersecurity practices, it’s essential business leaders need to understand effective strategies for getting these habits to stick. One of the main tenants of behavioral science is that the new habit you want to see needs to be easy to accomplish.
Ideally, you and your IT team can put in place effective cybersecurity controls that make developing secure habits easier for your employees. But what happens when these security features make it more difficult for users to perform the positive and secure behaviors you want to see?
This is the topic of new research on cybersecurity risk management and behavior design. In “Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviors,” researchers Simon Parkin and Yi Ting Chua highlight the importance of making sure that cybersecurity controls that limit malicious or negative behaviors don’t also restrict the positive behaviors your employees are trying to accomplish. For example, it’s common practice for companies to require their employees to change their passwords every few months. However, not only does this put the burden on employees for keeping their accounts secure, research has shown that users who are required to create new passwords frequently tend to use less and less secure passwords over time. While you may think having employees change their passwords will help keep your network more secure, doing so might actually have the opposite effect.
To ensure security controls aren’t restricting users from engaging in positive behaviors, Parkin and Chua emphasize the need to more precisely target malicious behaviors. To do so, they outline three steps business leaders and IT teams should take to more precisely define their cybersecurity controls.
1. Create a system to identify positive behaviors
To ensure you are preserving the positive behaviors your employees are doing, you first have to figure out how to track those behaviors. Unfortunately, it can be a lot easier to identify behaviors you don’t want to see, than those you do want to see. An employee clicking a malicious link in an email address, for example, can be identified. But, how do you identify when an employee doesn’t click the link in a phishing email? One solution is to give users access to a phish reporting button direct within their email client.
Whatever you decide, it’s essential to both identify the positive behaviors you want to see and create a system to track when those behaviors are used by employees.
2. Find linkages between negative and positive behaviors
Now that you can track both positive and negative behaviors, the next step is to look at your security controls and identify possible linkages between the negative behavior the control is defined to restrict and positive behaviors you want employees to engage in. If a control affects both positive and negative behaviors, there is a linkage the control is creating — a linkage you want to break.
3. Better define controls to prevent negative behaviors and promote positive behaviors.
Once you’ve identified linkages between positive and negative behaviors, the next step is to find ways to ensure your controls are only affecting the negative behaviors. For example, instead of requiring users to create new passwords every few months, system monitoring tools can be used to detect suspicious activity and block access to a user’s account without the user having to do anything.
At the end of the day, if the habits you want your employees to form aren’t easy to accomplish, it’s not going to happen. And it’s definitely not going to happen if your security controls are actively making things harder for your employees. It’s essential for you and your IT team to take the time to review your current controls and actively identify ways to maintain your security without affecting your employee’s ability to form secure habits at work.