The human element remains one of the biggest contributors to vulnerabilities in organisational cybersecurity.
While sophisticated firewalls, antivirus, threat tracking and analysis software will always be critical to defending an enterprise organisation, their importance is irrelevant if a lack of cybersecurity awareness among staff results in a breach.
Shane Muller, director of Microsoft partner and cybersecurity specialist OBT, said that while most breaches occur through the human element of an organisation (by way of email or other phishing vectors), the issue doesn’t always get the attention it requires.
“A statistic that we’ve seen backed up quite regularly from firms around the world is that 91 percent of attacks originate from leveraging the human side,” Muller said.
“We love to work with companies and deliver highly technical security like putting in new firewalls, upgrading wi-fi networks and then pen-testing security systems, but what the research is telling us is that only about 9 percent of people try to get in that way. Not that they don’t succeed by the way, they do. However, 90 percent of the time, attackers are leveraging the much weaker human element.”
Earlier this year, OBT highlighted how effectively addressing the human element can reduce an organisation’s risk when it won the CRN Impact Award in Trusted Systems for its work delivering a highly adopted cyber awareness program to Pinnacle Investment Management.
Pinnacle manages billions of dollars in investor funds, so ensuring the security of its assets is a responsibility the company takes very seriously. The company engaged OBT on the topic of conducting pen-testing of the systems it had in place.
As discussions progressed, it became apparent to OBT that, from an early assessment standpoint, measuring and reinvigorating Pinnacle’s cyber awareness would be the best place to start.
“We educated them on understanding that there is a technical attack surface over devices, firewalls and those kinds of entry points, but there is also a human attack surface. Most organisations do not look at that, certainly, most technical teams don't focus enough on that,” Muller said.
“That’s why it is quite commonly seen today as one of the biggest risk areas for organisations and also the one that will give the greatest results when addressed.”
Through a carefully delivered program of cyber awareness training, testing and reporting, Pinnacle reduced their malicious email open rates from 40 percent to 0.4 percent in a year. That change is particularly significant in an industry where the stakes are high and cyberattacks frequent.
The result required Pinnacle to adopt cyber awareness at every level of its organisation, not to mention across its 15 brands, all helmed by a diverse staff.
The challenge for OBT was to apply its cyber awareness program in a way that made it accessible to every employee, at every level of the business, irrespective of their age, learning style or position. Adapting the various components of the cyber awareness solution to Pinnacle’s needs required OBT to understand its customer and how varied its staff base was.
OBT’s cyber awareness platform, developed in-house and incorporating vendor partner KnowBe4, spans three key areas: training, testing and reporting.
The training portion consists of on-demand video lessons in a variety of formats and lengths, catering to different working styles and schedules.
“If you have anywhere between 100 to 800 people in an organisation there’s no way you can get them all together these days, so staff can access this anytime, on their own devices too. The training is also designed in such a way to actually cater to different generations and learning styles,” Muller said.
“There would be some generational or learning approaches that prefer a PowerPoint-style or deep information breakdown, then there are other approaches that prefer a very short, simplified 10-minute chunk of info, there are some who want it in a gamified style.
“Whatever actually fits is what we focus on, and we understand that you need many different methods of delivering the content to capture a diverse audience.”
Initially, at Pinnacle, staff training was offered in 30-40 minute increments. However, this became an obstacle for Pinnacle’s time-poor executives and fund managers, so the program was tuned to deliver training in snippets, which overall resulted in a far greater uptake, particularly at senior levels of the business.
The solution tests users both during and after training. Prompts during training sessions keep users engaged and comprehending the material, while deliberately generated (but ultimately harmless) phishing emails sent to staff intermittently test how well the learnings have been retained.
The results of the program are compiled into a report and provided to the customer to review.
“These reports will go, on a monthly or quarterly basis, to the board level and outline threat levels from the human point of view with reference to those who had been trained or not trained enough, the level of retention and the phishing exposure rate relative to click rates,” Muller said.
“It allows senior members to know exactly what the exposure is from a cybersecurity point of view, and importantly not just from an IT department, firewall or technical point of view.”
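The board report described above combines phishing-simulation outcomes with training status. The following is an added example (not OBT’s or KnowBe4’s code, whose data formats are not shown on this page) of how such a roll-up could be computed from simulation results: a constructed CSV of per-user outcomes is grouped by training status, click and report rates are calculated per cohort, and a short summary flags cohorts above an assumed target click rate. The column names, the cohort labels and the 5 percent threshold are all assumptions.

```python
"""Roll up simulated-phishing outcomes into per-cohort metrics for a board report.

Added example; not code from OBT or KnowBe4. Column names, cohort labels and the
target threshold are assumptions made for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: one row per harmless simulated phishing email sent to a user.
# outcome is one of: ignored (no action), clicked (followed the link), reported (flagged it).
SAMPLE_RESULTS = """\
user,training_status,outcome
u001,trained,ignored
u002,trained,reported
u003,trained,clicked
u004,trained,reported
u005,trained,ignored
u006,untrained,clicked
u007,untrained,clicked
u008,untrained,ignored
u009,untrained,clicked
u010,untrained,reported
"""


def parse_results(text):
    """Parse CSV text into a list of row dicts (one per simulated email)."""
    return list(csv.DictReader(StringIO(text)))


def cohort_metrics(rows):
    """Return {cohort: {"sent", "click_rate", "report_rate"}} for each training
    status, plus an "all" entry covering every simulated email."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in rows:
        # Each row contributes to its own cohort and to the organisation-wide total.
        for cohort in (row["training_status"], "all"):
            c = counts[cohort]
            c["sent"] += 1
            if row["outcome"] == "clicked":
                c["clicked"] += 1
            elif row["outcome"] == "reported":
                c["reported"] += 1
    # A cohort only exists here if at least one email was sent to it, so no division by zero.
    return {
        cohort: {
            "sent": c["sent"],
            "click_rate": round(c["clicked"] / c["sent"], 3),
            "report_rate": round(c["reported"] / c["sent"], 3),
        }
        for cohort, c in counts.items()
    }


def board_summary(metrics, target_click_rate=0.05):
    """Render one line per cohort, flagging any whose click rate exceeds the
    (assumed) target. Returns the text so callers can file or email it."""
    lines = []
    for cohort in sorted(metrics):
        m = metrics[cohort]
        flag = "ABOVE TARGET" if m["click_rate"] > target_click_rate else "ok"
        lines.append(
            f"{cohort:<10} sent={m['sent']:>3} "
            f"click_rate={m['click_rate']:.1%} report_rate={m['report_rate']:.1%} [{flag}]"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_summary(cohort_metrics(parse_results(SAMPLE_RESULTS))))
```

Comparing the same roll-up across monthly or quarterly campaigns is what turns the single snapshot into the trend the article describes (a drop from a 40 percent click rate to 0.4 percent); the report rate is worth tracking alongside it, since staff who report a simulated email are the ones who will give the security team early warning on a real one.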
OBT said the greatest innovation achieved took place outside of the technical arena, with Pinnacle’s adoption and adherence to the program extending across the company and all the way up to the board level.
“I think that is the difference between our solution and all the vendors that you can buy an off-the-shelf capability from, there are quite a few you can buy, but as part of our managed service we really worked with the organisation to understand the generational element, and to ensure they knew how important it was for every level of the organisation to take the training.
“This training has to be done in such a way whereby the busiest people in the organisation would still be part of it. That was crucial for us. We really had to work on ensuring the right-sized chunks of training could be and were being delivered that were still significant enough to register with people and build their awareness levels.”
With a positive result on growing Pinnacle’s cybersecurity culture and phishing resilience, OBT continues to work with the funds manager on awareness and a broadening range of services.
“They are seeing a lot of value in this, and our objective is to make sure we keep delivering value because the threat landscape and the type of threats change all the time,” Muller said.
“We need to keep adapting. And our conversations have progressed to providing them with other types of cybersecurity solutions.”