One of the most daunting aspects of trying to improve one’s network security is knowing where to start. With news stories constantly covering breaches and data leaks, administrators can easily feel overwhelmed about where to begin. The antivirus methods of years past no longer hold the line against the vast number of threats, and spam filters can only do so much to keep out the well-designed messages of today’s attackers.
My name is Madison Slater, and I am the General Manager at JSCM Group. We are a network and cybersecurity organization located in North Carolina. Our organization has been in business for 20 years, and we have seen nearly every variety of malicious activity you can think of. From ransomware to data leaks, we have worked with countless organizations to review their security and implement fixes wherever possible. We have deployed firewalls, implemented stronger restrictions on wireless network authentication, and redesigned networks with VLANs and proper segmentation through policies. With as much as we have done from the network side, there is always one threat that outweighs everything: users.
Implementing security standards and better equipment is a start, but employees will always be the number one threat to any organization. All it takes is one click from a single user, and a network can be completely crippled by ransomware. This is why JSCM Group has spent years focusing on education. One of the primary ways that a network is breached is through social engineering. By getting a user to click a simple link, an attacker can inject a malicious file onto their computer or obtain their credentials. The user never suspects anything, and the damage is already done.
Over the years I have performed numerous phishing tests against various types of organizations, from school systems and healthcare providers to MSPs, and we have seen users fail these attempts simply because they didn’t know what to look for. In the case of an MSP that was tested, we were able to get 83% of users to click on a link. This was an organization that was supposed to focus on security, but it clearly had not made security a focus with its own employees.
When it comes to employees, the number one way to stop the threat is to test them. Run a phishing test and see how many users fail. Only once you know how likely they are to fall victim can you take action. Once the test is done, train them. Teach them what to look for and let them ask questions. Give them a way to submit suspicious emails to the IT department, and let them know these threats are serious. Then, test them again. Keep testing them on a regular basis. Change the tactic, and make sure you follow through with training for users who repeatedly fail. Employees need to be held accountable, so make sure you have processes in place for dealing with individuals who continue to have trouble identifying these threats.
Many years ago, we ran a phishing test against a healthcare organization. They failed, with roughly 50% of their users providing domain credentials. We provided training to the IT department, and over the next year the organization put significant effort into sharing this information with employees. When we tested them the following year, they were down to a 25% failure rate, and they have continued to drop in the subsequent tests. Testing and training work, but only if your organization is dedicated to the outcome. If you make it a focus, your users will too.