Although automated security measures have adjusted somewhat to malicious tactics that continue to exploit various aspects of the pandemic, employees are still eager for new information about how their jobs, their home situations and even political events are still being affected by COVID-19. So, there is still plenty of fertile ground for attackers to take advantage of, especially with the new vulnerabilities specifically targeting organizations that are now working remotely. Employees need to become much more proficient at defending their organizations against cyberattacks.
This quarter, there has been an alarming rise in the average cost of fraud incidents called “Business Email Compromise” (BEC) scams, from $54,000 to $80,000 according to the Anti-Phishing Working Group. BEC is a form of cyberattack in which an email message impersonates an employee or a legitimate business associate, for the purpose of tricking a targeted worker into making some form of payment to the attacker without checking the request’s authenticity. BEC and other types of social engineering attacks are becoming more popular and productive for attackers because employees tend to trust each other and are not aware that they can be easily targeted in this way.
The home office is a battleground tilted in the attackers’ favor
Phishing, BEC and social engineering scams work particularly well on employees who are working from home for several reasons:
- Businesses have not had time to update corporate policies and procedures, and train people on new ones, or on compensating controls they should use during the pandemic
- It is significantly more difficult for anyone to verify co-workers’ locations or statuses when staff are no longer working in the office
- There is a multitude of new and unusual “themes” related to the pandemic or “working from home” that can be used as believable “pretexts” (scam scenarios) to convince employees of the need for them to take some unusual action, such as making a special payment, buying gift cards, etc.
- Employees are in a much different mindset when working from home, often more eager for news about the pandemic or related business issues, and likely more stressed, bored and isolated.
This has become a “perfect storm” for attackers who want to target businesses through their remote workers. They were always able to get a few “wins” in the past using a bit of research and some creative storytelling to hook unsuspecting targeted employees. But now, they have many more possible angles to approach victims, who are, at this point, more likely to fall for a request. Together with many organizations having unclear or out-of-date corporate security procedures, it’s not surprising that the numbers are rising.
A few of the most common attack scenarios
Here are some of the more reliable types of scenarios, which can be adjusted and “reskinned” by attackers, based on gathering a bit of “open source intelligence” (OSINT) about their targets, or information that might be easily obtainable through searches on Google, Twitter or LinkedIn:
- Help Desk Hell – An employee working at home gets a message from somebody claiming to be from the corporate IT Help Desk, asking for their help in resolving a technical problem. The consequences are usually very costly.
- Gift Card Gaffe – An employee gets a message from a manager or co-worker and is told there is a special event for which some gift cards are needed as prizes. There have been cases where employees have put over $5,000 on their own personal credit card to buy the gift cards, thinking they were helping the organization.
- Invalid Invoice – An accounting employee receives a message from a source they recognize (e.g. senior executive, supplier, etc.) with an urgent request that a payment be made. Without double-checking, employees have been known to send hundreds of thousands of dollars to criminals in one or more transactions before the issue is discovered.
Frustratingly, these attack scenarios can be easily changed by attackers when people and security systems start to recognize them. So, it is important that employees learn to spot the patterns of communication that represent a potential threat, instead of just looking for the specific scenarios.
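As an added illustration of “spotting the patterns instead of the scenarios” (this is example code written for this page, not part of the original article or any product it mentions), the following Python script scores messages on three kinds of indicators the scenarios above share: identity anomalies (reply-to address differing from the sender, or a domain that merely looks like the organization’s), the request being made (payment, gift cards, credentials), and pressure tactics (urgency, secrecy, steering the conversation away from a channel where the employee could verify). The organization domain `example.com` and all five sample messages are constructed for the example; the pattern lists are deliberately small and would be tuned to an organization’s own vocabulary.

```python
"""Heuristic triage of inbound messages for the social-engineering patterns
described above. Example code for this page; the domain and messages are
constructed, not real data."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    display_name: str   # name the recipient sees in the mail client
    from_addr: str      # address in the From header
    reply_to: str       # address a reply would actually go to
    subject: str
    body: str


# Hypothetical organization mail domain (constructed for this example).
CORP_DOMAIN = "example.com"

# "Request" indicators: what the sender wants the employee to do.
REQUEST_PATTERNS = {
    "payment": re.compile(r"\b(wire|transfer|payment|invoice|bank details|account number)\b", re.I),
    "gift_card": re.compile(r"\b(gift ?cards?|prepaid cards?|itunes|google play)\b", re.I),
    "credentials": re.compile(r"\b(password|verify your account|remote access|log ?in details)\b", re.I),
}

# "Pressure" indicators: how the sender tries to stop the employee from checking.
PRESSURE_PATTERNS = {
    "urgency": re.compile(r"\b(urgent|asap|immediately|right away|today|before (?:noon|eod|end of day))\b", re.I),
    "secrecy": re.compile(r"\b(confidential|keep this between us|don'?t (?:tell|mention))\b", re.I),
    "channel_shift": re.compile(r"\b(i'?m in a meeting|can'?t talk|text me|call my (?:cell|mobile)|reply (?:only )?by email)\b", re.I),
}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def identity_indicators(msg, corp_domain=CORP_DOMAIN):
    """Flags header-level signs that the sender is not who the display name suggests."""
    hits = []
    sender, reply = _domain(msg.from_addr), _domain(msg.reply_to)
    if reply != sender:
        hits.append("reply_to_mismatch")          # replies silently go elsewhere
    label = corp_domain.split(".")[0]
    if sender != corp_domain and label in sender:
        hits.append("lookalike_domain")           # e.g. example-corp.com vs example.com
    return hits


def score_message(msg, corp_domain=CORP_DOMAIN):
    """Returns the triage level plus the individual indicators that fired."""
    text = f"{msg.subject}\n{msg.body}"
    identity = identity_indicators(msg, corp_domain)
    request = [k for k, p in REQUEST_PATTERNS.items() if p.search(text)]
    pressure = [k for k, p in PRESSURE_PATTERNS.items() if p.search(text)]
    score = len(identity) + len(request) + len(pressure)
    # An identity anomaly combined with any request is the BEC signature itself,
    # so it is rated high regardless of how many other indicators appear.
    if identity and request:
        level = "high"
    elif score >= 3:
        level = "high"
    elif score == 2:
        level = "medium"
    elif score == 1:
        level = "low"
    else:
        level = "none"
    return {"level": level, "score": score, "identity": identity,
            "request": request, "pressure": pressure}


# Constructed sample messages, one per scenario from the text plus two controls.
SAMPLES = {
    "gift_card": Message("Pat Chen (CEO)", "pat.chen@example-corp.com", "pat.chen@example-corp.com",
                         "Quick favor",
                         "I'm in a meeting and can't talk. I need you to buy 5 gift cards today "
                         "as prizes for a team event. Keep this confidential until it is announced."),
    "invoice": Message("Acme Supplies", "accounts@acme-supplies.net", "accounts@acme-supplies-billing.com",
                       "Updated invoice",
                       "Our bank details have changed. Please process the attached invoice payment immediately."),
    "help_desk": Message("IT Help Desk", "it-support@example.com", "support@mail-fix.xyz",
                         "Remote access problem",
                         "We detected a problem with your remote access. Reply with your password to verify your account."),
    "internal_status": Message("Sam Ortiz", "sam.ortiz@example.com", "sam.ortiz@example.com",
                               "Q3 invoices",
                               "Can you send me the status of the Q3 invoice payment today?"),
    "benign": Message("Sam Ortiz", "sam.ortiz@example.com", "sam.ortiz@example.com",
                      "Notes from yesterday",
                      "Attached are the notes from yesterday's call. Thanks!"),
}


def triage(samples=SAMPLES):
    return {name: score_message(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name:16} {result['level']:7} {result}")
```

The point of the design is that the three scenarios in the text score high for the same reason (an identity anomaly paired with a request), while the internal status question that also mentions an invoice and “today” only reaches medium and the plain meeting notes score nothing. That is the pattern-level distinction employees are being asked to internalize: who is really asking, what are they asking for, and why is the request being shielded from verification.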
Simplifying risk models for a remote work environment
With the shift to a mostly remote workforce, the centralized control and consistency of security measures was disrupted. People are working with different devices and different network connections, and they may even be using different workflows than they normally did in the office. Their home environments vary widely in terms of their threat levels and the vulnerabilities that may be exploitable. And most businesses can’t afford to provide the physical and technical security safeguards to each employee that existed in the office environment. So the “attack surface” has grown enormously, with many risk variables now at play.
When there are more variables in the risk model that employees must manage manually, a best practice for every organization is to identify categories of risk that employees can handle without being overwhelmed.
Developing risk scenarios as “use cases” for remote workers
To keep security guidance manageable for employees, start with general “use cases” for work that employees do often, or situations they may encounter that could represent risks. Here are a few examples, among many others:
- Unexpected communications or inquiries (might be the beginning of an attack)
- Using personal devices for work (might be infected or may have vulnerabilities)
- Interruptions due to personal events (might leave work information or system exposed)
- Sending/receiving documents or data electronically (channel or recipient may not have proper security)
- Working on important documents (might be accidentally lost or stolen)
Of course, where budget and resources allow, you should be using automated technical controls to address these risks, such as using two-factor authentication (2FA) wherever passwords are typically used, and using virtual private networks (VPN) to protect electronic communications. But at some point, there is no more budget to effectively implement technical safeguards, and employees are literally the “last mile” of security that we must depend on.
From a “security awareness” point of view, the most important objective of a security awareness program is to have employees follow a set of best practices that they can manage on their own, which address the greatest risks remaining, after automated technical controls have been put in place. To do this effectively, it’s often not enough to have defined and published these guidelines. Employees need to understand the use cases or risk scenarios, and to know how to apply the best practices in their own home offices.
Strengthening employee awareness through gamification
Employees are now under a huge amount of stress from personal and business impacts of the pandemic. Asking them to read and follow more guidelines and procedures is likely to result in some backlash, which can make the security initiative less effective.
So, taking the employees’ mindset into account can help with gaining their support in securing their home offices. Motivating employees to effectively absorb information about risks and new procedures, especially while under stress, requires a new approach that actually disrupts their normal daily habits. Otherwise, they will view this as “just another task” to add to their pile.
You need employees to step back and take notice of something that is not only new and important, but that drives an emotional response for them to take action. Attackers aren’t the only ones who can be persuasive to employees. “Gamification” is a proven method of driving engagement, motivation and knowledge retention. It uses intrinsic and extrinsic rewards for your employees within a specially designed framework to align their interests with those of your organization. According to a recent survey by Learning LMS, 83% of those who receive gamified training feel motivated, while 61% of those who receive non-gamified training feel bored and unproductive. Gamification is simply a better way to learn.
Here are the steps to gamifying security best practices for remote workers. You don’t need to do all of these in one session. Each step can be done at a different time. But the focus should continue to be on one type of risk until employees have learned to apply the best practices and are proficient in them.
- Tell multiple stories for each risk scenario that resonate with the employee to get their attention.
- Introduce new terminology and concepts in an interesting and non-stressful way, using puzzles, quizzes and challenges.
- Set up immersive risk exercises related to the stories that are recognizable but have challenging variations. In this context, challenges provide motivation.
- Score employees’ participation and proficiency in a way that lets them measure their own progress and gives them an opportunity to compete with others. This forms the basis of repetition to gain proficiency, and for monitoring the success of the program.
Practical application of the steps
Implementing the above steps may sound like a large undertaking, especially if the responsibility lies only with the IT team, which is usually tasked with managing security awareness training. However, here are some ways to make this process more manageable and more effective.
- Task HR with key responsibilities in the security awareness process. The responsibility for managing the risks from human vulnerabilities should not lie primarily with the IT team. Yes, they are most knowledgeable about the technologies often used by attackers, but the targets are human, and the vulnerabilities are human.
- Include marketing communications on the team. Marketing people are creative and can help with the storytelling and with making the medium for communication more visual.
- Work with senior business management to identify and track goals. Set goals for employee proficiency that align with the goals of the business, and that also address the key business risks. This is essential for being able to monitor and report on the success of your awareness program.
- Identify which of the key goals for business processes and awareness training can be gamified. Quick wins can be gained through “gamification of learning” fairly easily, versus trying to gamify the actual business processes, which may take more time to design and approve.
- Look for flexible gamification tools that can be leveraged at an enterprise level for the long term. There are some powerful, time-saving tools that can help with the storytelling, the gamified cyber security awareness learning challenges, and even scenario-based simulations for exercise and assessment. Flexibility is important to allow for changes to policies, terminologies, risks and workflows over time.
As a CIO or an IT Manager, tackling these steps may seem like an overwhelming challenge. But managing human vulnerabilities in the face of a rapidly growing cyberthreat landscape is justifiably becoming one of the top priorities for senior management. There has never been a better time to get support for implementing a security awareness program that engages remote employees and motivates them to defend the organization.