Can Employee Personalities interfere with Security?

Can Employee Personalities interfere with Security?

A company’s employees can often be seen as a weakness in terms of cybersecurity. In fact, according to the Verizon Data Breach Investigations report, 3 out of the top 5 threat actions involve human risk.  We all have biases in our thinking that can create risky behavior.  Some even argue that there is a connection between employee personalities and security.

The traits with the highest correlation to information security behavior (positive or negative) are risk taking, openness, agreeableness, and conscientiousness. For example, employees who score high on conscientiousness are less likely to engage in risky behaviors and vice versa. Employees who are natural risk takers and tend to engage in sensation-seeking activities may take chances when it comes to security.

Personality tests like Meyers-Briggs and DISC, have been used by organizations for screening and training purposes for years.  How should an organization use these tests for cybersecurity purposes?   There are no definitive answers, but here are a couple of thoughts:

  1. Build processes that create healthy behaviors. Well documented procedures for systems administration or development with a solid change management process, automated testing tools and peer review are an example of methods to ensure that proper behaviors are deployed consistently and minimize non-compliance. Pilots with decades of experience still use checklists to inspect planes, take-off, land and taxi;  your IT team should as well.
  2. Install tools that minimizes impact of non-compliance. Tools such as Multi-factor authentication, email and web filters and endpoint detection and response (EDR) can go a long way to mitigate non-compliant employee behavior.
  3. Conduct role- and behavior-based security awareness training. Best practice security awareness training states that an organization should provide security awareness training particular to the role the individuals plays in the organization. Consider paying particular attention to training those with non-compliant tendencies.
  4. Ensure that there are proper incident response procedures in place. Even with a fully “compliant” staff from a cybersecurity perspective, stuff happens. Make sure you have a solid incidence response plan and are testing it on at least an annual basis.

Finally, the most important area the organization should focus on is leadership and governance. Spend some time thinking about the personality of the organization’s culture and how it can positively or negatively impact risk behavior. Remember, people will tend to mimic the leadership’s style in everything they do, including cybersecurity behavior. Whether that’s a good thing or not, is up to you.

Dental Data Breach Caused by Vendors and Human Risks

Dental Data Breach Caused by Vendors and Human Risks

This Fall, the personal health information of over 170,000 dental patients was exposed in a data breach associated with the Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group. According to the Professional Dental Alliance, patient information was exposed due to a successful phishing attack against one of their vendors, North American Dental Management. The phishing campaign gave attackers access to some of NADM’s emails, where the personal information of patients were apparently stored.

While the Professional Dental Alliance has said their electronic dental record system and dental images were not accessed, an investigation found that the protected health information of patients such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information were accessed by the attackers.

This is not the first time dental offices have found themselves the target of a data breach. In 2019, a ransomware attack against a managed service provider resulted in the exposure of patient information from over 100 Colorado dental offices. A year later, the information of over 1 million patients was exposed after an attack against the Dental Care Alliance.

These incidents reveal just how vulnerable professionals can be against cybersecurity attacks and data breaches. One of the reasons for this is because many professionals are small businesses who don’t have the time or expertise to deal with everything that goes into cybersecurity. So, many professionals rely on vendors and associations to ensure they are protected. The issue is, if those vendors and associations experience a breach, professionals are also at risk.

To keep their patient information safe, it’s vital that dental offices and all professional businesses pay attention to some of the human risks that can lead to cybersecurity incidents. The attack this week, for instance, was the result of a phishing attack that tricked an employee into handing over account credentials. Here are a few things all professionals can easily do on their own to stay secure:

Endpoint detection and prevention

Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops, and other devices to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today to stay on top of potential threats and put a stop to them before they can cause any damage.

 Multi-Factor Authentication

Using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. For example, if an employee is successfully phished and the attack gets that employee’s login information, having MFA in place for that employee’s account can stop the attacker from accessing their account even if they have the right username and password. If possible all users accessing your system should have multi-factor authentication set up for all of their accounts. At minimum, however, it is extremely important that every user with administrative privileges use MFA, whether they are accessing your network remotely or on-premise.

Patching

Hackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain important security features that “patch up” known vulnerabilities. At the end of the day, if you’re using out-of-date software, you’re at an increased risk for attack. It’s therefore important that your team stays on top of all software updates as soon as they become available.

Back-ups

Having a backup of your systems could allow you to quickly restore your systems and data in the event of an attack. This is especially important if you are hit by ransomware, in which the attackers remove your data from your networks. However, it’s essential to have an effective backup strategy to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your backup. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.

Security Awareness Training

As this latest data breach shows, phishing and social engineering attacks are common ways attackers gain access to your systems. Unfortunately, phishing attacks are not something you can fix with a piece of software. Instead, its essential employees are provided with the training they need to spot and report any phish they come across. Sometimes it only takes one wrong click for the bad guys to worm their way in.

Changes to Employee Training Align with Behavior-Design Principles

Changes to Employee Training Align with Behavior-Design Principles

A recent article in The Wall Street Journal highlights some of the big changes that businesses have made to their employee training programs since the start of the pandemic. Typically, these trainings are formal, multi-hour in-person meetings. According to Katy Tynan, research analyst at Forrester Research, “formal, classroom-delivered training was easy to plan and deliver, but organizations didn’t always see the intended results.” Once the pandemic came along, trainings moved online and offered fun, informal bitesize trainings that employees take overtime. These changes to classical training programs echo many of the behavior-design principles that we incorporate into our cybersecurity awareness training.

Let’s break down some of the key changes the Journal article discusses and how they related to behavior-design principles:

1. Keep it Simple

Instead of hours-long trainings, businesses are starting to break down their trainings into small pieces for employees.  In behavior-design terms, this represents an important element towards creating change: making sure users can easily do what we are asking them to do. Simply put, you can’t throw a ton of information at someone and expect them to keep up with it all. What’s more, employees will be a lot more willing to go through with a training if they know it will only take 5 minutes instead of 5 hours. Keeping trainings short and easy to do are therefore important steps towards ensuring that your desired outcome aligns with your employees’ abilities.

2. Consistency is key

Most traditional training programs are a one-and-done deal. Once it’s over, you never have to worry about it again. However, this is exactly what we don’t want employees to take away from training. Instead, consistency is key for any changes. With short lessons, employees can go through the program in small, daily steps that are easy to manage while also keeping the training in their mind over an extended period of time.

3. Make it Interesting

The final piece of the behavioral puzzle is ensuring that employees actually want to do the trainings. Most traditional training programs may involve some small group discussions, but overall employees are shown videos and made to listen to someone talk at them for long periods of time. Employees are only taking in information passively. Instead, trainings should be fun, interesting, and engaging to keep users coming back for more.

The pandemic has brought about so many changes to our lives. While some of the changes have been for the worse, it’s also forced us to start thinking differently about how we do things and come up with creative solutions. The new trend in training programs is one such change. And what makes these changes so successful is the way it incorporates some of the basic behavior-design principles. This is an approach we’ve taken when we developed The PhishMarket™, our cyber awareness training program. By offering engaging and interactive 2-4 minute lessons given daily over an extended period of time, our program has shown success in reducing employee phish susceptibility 50% more than the industry standard.

Your Cybersecurity Controls Might Be Hurting More Than Helping

Your Cybersecurity Controls Might Be Hurting More Than Helping

In many cases, our employees are our first line of defense against cyber-attack. However, for employees to start developing habits that are in line with cybersecurity practices, it’s essential business leaders need to understand effective strategies for getting these habits to stick. One of the main tenants of behavioral science is that the new habit you want to see needs to be easy to accomplish.

Ideally, you and your IT team can put in place effective cybersecurity controls that make developing secure habits easier for your employees. But what happens when these security features make it more difficult for users to perform the positive and secure behaviors you want to see?

This is the topic of new research on cybersecurity risk management and behavior design. In “Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviors,” researchers Simon Parkin and Yi Ting Chua highlight the importance of making sure that cybersecurity controls that limit malicious or negative behaviors don’t also restrict the positive behaviors your employees are trying to accomplish. For example, it’s common practice for companies to require their employees to change their passwords every few months. However, not only does this put the burden on employees for keeping their accounts secure, research has shown that users who are required to create new passwords frequently tend to use less and less secure passwords over time. While you may think having employees change their passwords will help keep your network more secure, doing so might actually have the opposite effect.

To ensure security controls aren’t restricting users from engaging in positive behaviors, Parkin and Chua emphasize the need to more precisely target malicious behaviors. To do so, they outline three steps business leaders and IT teams should take to more precisely define their cybersecurity controls.

1. Create a system to identify positive behaviors

To ensure you are preserving the positive behaviors your employees are doing, you first have to figure out how to track those behaviors. Unfortunately, it can be a lot easier to identify behaviors you don’t want to see, than those you do want to see. An employee clicking a malicious link in an email address, for example, can be identified. But, how do you identify when an employee doesn’t click the link in a phishing email? One solution is to give users access to a phish reporting button direct within their email client.

Whatever you decide, it’s essential to both identify the positive behaviors you want to see and create a system to track when those behaviors are used by employees.

2. Find linkages between negative and positive behaviors

Now that you can track both positive and negative behaviors, the next step is to look at your security controls and identify possible linkages between the negative behavior the control is defined to restrict and positive behaviors you want employees to engage in. If a control affects both positive and negative behaviors, there is a linkage the control is creating — a linkage you want to break.

3. Better define controls to prevent negative behaviors and promote positive behaviors.

Once you’ve identified linkages between positive and negative behaviors, the next step is to find ways to ensure your controls are only affecting the negative behaviors. For example,  instead of requiring users to create new passwords every few months, system monitoring tools can be used to detect suspicious activity and block access to a user’s account without the user having to do anything.

 

At the end of the day, if the habits you want your employees to form aren’t easy to accomplish, it’s not going to happen. And it’s definitely not going to happen if your security controls are actively making things harder for your employees. It’s essential for you and your IT team to take the time to review your current controls and actively identify ways to maintain your security without affecting your employee’s ability to form secure habits at work.

Human Risk Caused the Colonial Pipeline Attack

Human Risk Caused the Colonial Pipeline Attack

Tools such as endpoint detection, anti-malware software, and firewalls play a vital role in protecting from the diversity of cyber threats businesses face today. However, for those tools to work, they need to be properly installed, configured, and updated by people. When considering the human factors of cybersecurity, we often think of social engineering scams. But equally as important is managing human errors. In fact, this form of human risk was exactly what led to the massive Colonial Pipeline ransomware attack earlier this year.

Human risk involves not just what we do, but also what we don’t do. This was the case with the colonial pipeline attack. In June, the CEO of Colonial Pipeline, Joseph Blount, told a Senate Committee that the attack was caused by unauthorized accessed to a virtual private network (VPN) the company had once used and that did not have multi-factor authentication (MFA). MFA is a tool that requires users to verify their login through a second means, such as a text message or email that contains a unique code. Because this VPN did not use MFA, that extra layer of security was missing and the hackers got in unnoticed. The real kicker, however, is that Colonial Pipeline was already using a new VPN with more security features. However, the legacy VPN was still installed on Colonial Pipeline’s systems. According to Blount, the VPN the hackers accessed “was not intended to be in use.” The ransomware attack was therefore a result of someone within Colonial Pipeline neglecting to take the old VPN off of the company’s servers.

Risk, no matter the form, is the result of habits and behaviors. In order to address these issues, we need to create healthy, sustainable habits that limit human risks. They say old habits die hard but creating sustained change is possible if these three elements come together:

1. Keep it simple

When trying to create new behaviors for your employees, it’s vital to break things down into small pieces. Asking questions like “What behaviors do I want to do that will mitigate risk” is a good place to start, but once you have a list, choose one behavior and focus on that. The reason is that people are more likely to do something consistently if it’s simple and easy to do. By focusing on one behavior at a time, your staff is far more likely to follow through than if you give them a whole list of changes you want them to make.

2. Use a prompt

The next part of the equation is creating a prompt that alerts your employee to do the behavior you are designing for. This prompt can take any number of forms, like a scheduled email, a slack notification, or a checklist. When we have a habit, we aren’t actively thinking about having to do it, so when you want to create a new habit prompts will break that automatic thinking and make room for them to incorporate the new behavior you want to see.

3. Provide positive feedback

Lastly, once the new behavior is accomplished, it’s important to follow up with some sort of positive feedback. This helps reinforce the importance of the behavior by helping your staff associate this new habit with a positive feeling, making it more likely they will follow through again in the future.

Using Colonial Pipeline as an example, applying these behavioral principles for their IT could have helped prevent the hackers from gaining access. First, someone in the leadership could have communicated to one member of IT and asked them to take an inventory of applications installed once a month and remove anything that is out of date or no longer in use. Then, a prompt such as a scheduled email could have been created to send to the employee on the first of every month. Finally, the employee could be sent a message thanking them for taking an inventory — they could even create a point or star system that helps employees tally the completed behaviors that Colonial was designing for.

Mitigating human risk is a central aspect of a business’s overall cybersecurity posture. And the key is to create new, healthy behaviors by putting in place a system that helps your employees form new habits in a way that’s simple and leaves them feeling successful.

 

Governing Ransomware Risk for Small Businesses

Governing Ransomware Risk for Small Businesses

By now, you’ve almost certainly heard about ransomware — a form of cyber-attack in which hackers encrypt systems, steal data then demand a ransom payment to end the attack. While ransomware has been around for a while now, attackers have started setting their sights on bigger and bigger targets, gaining international media attention in the process.

But the reason businesses should be paying attention to ransomware is not because big corporations are shelling out millions of dollars in ransom payments. Instead, when you look at the bigger picture, small businesses are the ones who will continue to bear the brunt of these attacks. According to the Secretary of Homeland Security Alejandro Mayorkas, there has been a 300% increase in ransomware attacks in the past year and 50-70% of those attacks were directed against small and medium sized businesses. And while a cyberattack is tough for any businesses to recover from, the threat ransomware poses to small businesses is existential, with 60% of small businesses failing within 6 months of a cyber-attack.

Because the threat is so big and the stakes are so high, governing ransomware risk needs to be a top priority for small businesses. And in order to protect your organization, there are two vital areas that need to be focused on: systems controls and organizational culture.

Systems Controls

1. Endpoint detection and response

Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops and other devices in order to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today in order to stay on top of potential threats and put a stop to them before they can cause any damage.

2. Hardening your RDP Ports

Remote Desktop protocol is a tool that allows someone to connect to a computer remotely. This can be useful, but more and more ransomware attackers are using RDP ports to gain access to victims’ systems. Organization that do not actively use RDP should therefore consider disabling the feature or limiting to users and devices that are not connected to public internet.

3. Back-ups

Having a back-up of your systems could allow you to regain access to your data without having to pay the ransom. However, it’s essential to have an effective back up strategy in order to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your back-up. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.

Multi-Factor Authentication

Lastly, using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. At minimum, any user accessing your network should be using MFA. In addition, all users with administrative privileges need to use MFA, whether they are accessing your network remotely or on premise.

Don’t Forget Culture

When it comes to governing ransomware risk, the best way to prevent attacks is to focus on creating a culture that incorporates cyber-secure behaviors into every day practices. However, the biggest issue many organizations face when creating a cybersecure culture is sustaining those behaviors overtime. In order to properly govern ransomware risk, behavior change requires 4 essential elements:

1. Consistent Communication

We get it, cybersecurity can be confusing. And as the threat landscape changes, so do our cybersecurity policies. That’s why it’s so important that business leadership consistently communicate with their employees about the behaviors you want to see.

2. Make it Easy

When thinking about the behaviors you want employees to adopt, it’s vital you make these behaviors as easy as possible to do. Everyone is being pulled in a million different directions at once, so if an employee has to take 10 minutes out of their day to figure out how to report a phish, they aren’t going to follow through. If, however, you provide a simple and easy-to-use process, you’re going to have a much easier time getting employees to adopt new behaviors.

3. Help People feel Successful

People want to feel like the work they are doing is making a difference. If they feel like what they are doing just doesn’t really matter all that much, there isn’t going to be much motivation to continue doing it. That’s why it’s so important to help people feel successful when they follow through on the behaviors you want to see. Providing positive feedback, for example, can go a long way towards creating behavior change. If your employees know their work is being recognized and feel it makes a difference, they will be much more likely to keep it up.

4.Walking the Walk

The above three elements for creating sustained behavior change have one thing in common: you. A leadership team can’t simply talk the talk. Change starts at the top and requires you and your leadership team take an active role ensuring these behaviors become a part of the organizational culture and value structure.

 

There’s no doubt that ransomware poses a big threat to small businesses, and the best thing you can do govern the risks of attack is focusing on creating a culture in which cybersecurity is valued and acted upon every single day.