It will come as no surprise that employee-related security risk is the number one concern in today’s corporate environment. We observe this daily through the incident response service we offer our clients: around 90% of the breaches we handle have a root cause related to some type of employee negligence.
Training Programs are Inadequate! The organizations we survey do have a formal training program, but many of these programs lack the content needed to drive significant behavioural change and reduce insider risk. Only 50% of the companies we interact with agree that their current employee training actually reduces noncompliant and risky behaviour. Even that figure looks optimistic: based on the high-risk behaviours we actually detect, we believe the real number is closer to 30%.
Of those 50%, training consists of only one basic training session delivered to all employees. These basic sessions often do not cover the risks that can result in a data breach: 60% confirm that training in their organization does not include phishing and social engineering attacks. Only 45% of courses include mobile device security, and of these, only 25% include the secure use of cloud services.
Fewer than half of organizations (around 48%) make training mandatory for all employees. Even when it is mandatory, exceptions are made for certain individuals: almost 50% of the time, the CEO and senior executives are not required to take the course.
Additionally, if an employee does not pass a privacy test or does poorly on a training course, 60% of organizations require no further action.
Very worrying indeed.
And with this in mind, enjoy our roundup of stories for this week…
Why I’m excited about Mimecast’s acquisition of Ataata
Developed by top leadership from the U.S. military, law enforcement and the intelligence community, Ataata is a security awareness training and cyber risk management platform that helps you combat information security breaches caused by employee mistakes.
The acquisition enhances Mimecast's offerings, adding cybersecurity awareness training, risk scoring and real-world simulation attack scenarios to your already potent mix of cyber resilience services.
Did you hear that sound? | Mimecast
Why you and the principle of least privilege matter against emerging threats
Of the many threats we are observing at the moment, one stands out: Emotet, which is currently producing a massive surge in attacks against the environments we monitor. We suggest that you do not rely on gateway, antivirus and SIEM security alone to protect yourself.
So what is Emotet?
This banking Trojan has evolved into primarily a dropper for other banking Trojans such as Trickbot, Zeus Panda Banker, IcedID, Qakbot and many more.
How is Emotet delivered?
Through phishing emails with malicious attachments or links. Its biggest threat: because Emotet hijacks victims' email accounts to send out these phishing emails, they may appear to come from someone the recipient knows and trusts.
What makes Emotet so dangerous?
Emotet's potent combination of persistence mechanisms and worm-like features results in rapidly spreading, network-wide infections that are difficult to contain and remove.
What to do:
Prioritize preventing infections in the first place by training employees, implementing DMARC, and investing in Endpoint Detection & Response (EDR) (Emotet is polymorphic and can evade traditional antivirus). In addition, put barriers in place to block malware like Emotet from spreading throughout your network. For starters, consider restricting inbound SMB communication between client systems and adhere to the principle of least privilege.
Emotet Epidemic: Infections Costing Orgs Up to $1 Million Per Incident | Barkly Research
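Of the controls listed above, DMARC is the one you can verify from a single DNS TXT record, so here is an added example (our own illustration, not code from the original post or from Barkly) that parses a record and classifies it as monitoring only (p=none), partially enforced (pct below 100 or sp=none) or fully enforcing; the domains and records are constructed. Keep in mind that DMARC rejects mail that spoofs your domain, whereas mail sent from a genuinely hijacked account, as in the Emotet case above, authenticates normally, so it complements rather than replaces the endpoint and SMB controls.

```python
# Added example: classify a DMARC policy record. Domains and records below are constructed.

# Constructed sample records; none of these belong to a real domain.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "half-enforced.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@half-enforced.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "no-dmarc.example": "v=spf1 include:_spf.no-dmarc.example -all",
}


def parse_dmarc(txt):
    """Split a TXT record into lower-cased tag -> value; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must read DMARC1 (RFC 7489, section 6.3).
    if not txt.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt):
    """Return (status, findings); status is 'missing', 'monitor', 'partial' or 'enforced'."""
    tags = parse_dmarc(txt)
    if tags is None or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return "missing", ["no usable DMARC record: v=DMARC1 and a valid p= tag are required"]
    findings = []
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to the p value
    try:
        pct = int(tags.get("pct", "100"))               # pct defaults to 100
    except ValueError:
        pct = 0
        findings.append("pct is not numeric; receivers may treat the record as invalid")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports on who sends as you")
    if policy == "none":
        findings.append("p=none only monitors; mail spoofing this domain is still delivered")
        return "monitor", findings
    if subdomain_policy == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if pct < 100:
        findings.append("pct=%d: only that share of failing mail gets the policy applied" % pct)
    if pct < 100 or subdomain_policy == "none":
        return "partial", findings
    return "enforced", findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, findings = assess_dmarc(record)
        print(domain, status, "; ".join(findings))
```

In practice the record is the TXT entry at `_dmarc.<your-domain>`; run the check against each domain your organization sends mail from.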
The ‘key’ to your and your employees’ online security
The company says none of its 85,000 employees have been phished since it adopted the keys.
The company began using physical USB-based security keys in early 2017 and since then, none of its 85,000-plus employees have been phished on their work accounts, Krebs on Security reported today. The keys serve as an alternative to two-factor authentication, in which users first log into a website using a password and then must enter an additional one-time code that's usually sent to their phone via text or an app.
The keys don't stop phishing. But even if thieves do get hold of your password, they can't get into your account.
A physical key is the secret to Google employees' online security | Abrar Al-Heeti