Guest Column | October 15, 2021

Helpful Or Headache: Using Internal Testing To Improve The Cybersecurity Defenses Of An Organization

By Jon Clemenson, TokenEx

Security Training

It’s October once again, and that means it is National Cybersecurity Awareness month. As we explore this year’s themes, first up is “Fight the Phish.” Arguably, phishing, smishing, spear-phishing and other similar attacks have historically been wildly successful for hackers at causing unsuspecting users to give up valuable sign-on credentials and passwords. These security missteps consequently leave troves of sensitive personal and corporate data vulnerable to theft. To halt this still-too-frequent practice, organizations can implement regular internal testing to ensure executives, employees and security teams are not just aware of the threat of phishing tactics but prepared to identify and avoid them in the workplace and at home.

As we know, the most successful breaches still result from a successful phishing attack. According to Verizon’s 2021 Data Breach report, 85% of breaches involved some form of human element and 35% involved social engineer including various forms of phishing. I consider it one of my responsibilities to prevent my organization from contributing to a similar statistic. As a cybersecurity company, we keep a monthly cadence to this practice. However, some companies may only do this once per year. I would argue that every organization must prioritize security awareness. One way to do that is by performing an internal phishing test and using that data as a baseline to inform your future awareness campaigns. But regardless of frequency, the priority should be sharing the right information with the right people at the right time to improve security outcomes.

Regular security awareness training is an important tool when educating users about phishing schemes to help keep our people sharp and vigilant to evolving threats. The key to good awareness training is creating opportunities that showcase relevant topics in bite-sized chunks, are engaging and incorporate examples and data points that apply directly to the organization. Regular awareness training is critically important and useful in preventing attacks and maintaining a strong, defensive posture. By encouraging employees to maintain focus on proactive cyber hygiene, it can only protect and benefit the business.

Focusing on continual improvement means measuring the effectiveness of your security awareness training program. Exposing that data to users presents the phishing risk in a tangible way. One potential option for an organization could be to add the previous months phishing statistics (how many attack, what did they look like, how many clicks, etc.) to the training. Surfacing metrics and making the data transparent highlights the risk and makes it visible, which can go a long way when avoiding a ‘check the box’ type of mindset to awareness training.

When respect to phishing and cybersecurity, it’s easy to become complacent, but regular awareness training for everyone is the key to avoid making assumptions that increase organizational risk. For example, because humans are inherently trusting, they can be especially susceptible to phishing attacks designed to appear as messages from coworkers. So, this annual month of cybersecurity awareness serves as a great reminder for people to always check the veracity of messages, links, or unusual requests from those they work with.

However, as remote work becomes the new normal, the lines between our personal and professional lives continue to blur. With that, an important aspect of cyber hygiene is encouraging people to take active control of their own internet identity outside of work. This month is a great reminder to take inventory of the apps you use daily. Take time to review the privacy settings on each and review and clean up the data you share online. This is a great way to shore up data that malicious actors use against you (and your employer) when scraping websites for open-source intelligence.

As we move through another iteration of National Cybersecurity Awareness this month, recent breach and ransomware events remind us of the constant evolution of our cyber enemies, as well as the sophisticated tools they use to level their threats. A mature posture will combine a variety of security methods using technologies like encryption to scramble sensitive data or tokenization to remove it entirely from the enterprise, taking with it the risk and liability that often costs businesses dearly in a data exposure.

Because these ever-changing methods have spurred a near-constant creation of prevention or protection methods, it can be difficult to determine where to begin. More frequent internal testing and training to identify an organization’s blinds spots can be helpful, but overall, we must resolve to learn from past incidents and failures to improve our practices and prevention methods.

About The Author

In his role as TokenEx’s information security practice lead, Jon Clemenson combines a focus on quantifying and improving our security posture with a passion for automation. With 15 years of results-driven leadership experience in the tech industry and federal government, he considers security a team sport and enjoys tackling problems from a learn-it-all perspective.