Healthcare organizations are sitting ducks for attacks and breaches

Seventy-three percent of health system, hospital and physician organizations report their infrastructures are unprepared to respond to attacks. The survey results estimate that 1,500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over this year.


Black Book Market Research surveyed 2,464 security professionals from 705 provider organizations to identify the gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians as proverbial sitting ducks for data breaches and cyberattacks.

Ninety-six percent of IT professionals agreed with the sentiment that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.

The healthcare industry is estimated to spend $134 billion on cybersecurity from 2021 to 2026: $18 billion in 2021, increasing 20% each year to nearly $37 billion in 2026. Even so, 82% of CIOs and CISOs in health systems surveyed in Q3 2020 agree that the dollars currently spent were not allocated effectively prior to their tenure, were often spent only after breaches, and were spent without a full gap assessment of capabilities led by senior management outside of IT.

Talent shortage for cybersecurity pros continues

Additionally, 291 healthcare industry human resources executives were surveyed to determine the organizational supply and demand of experienced cybersecurity candidates. On average, cybersecurity roles in health systems take 70% longer to fill than other IT jobs.

Health systems are struggling to fill positions that require cybersecurity-related skills: vacancy duration, as reported by survey HR respondents, averages about 118 days, nearly three times the national average for other industries.

“The talent shortage for cybersecurity experts with healthcare expertise is nearing a very perilous position,” said Brian Locastro, lead researcher on the 2020 State of the Healthcare Cybersecurity Industry study by Black Book Research.

Seventy-five percent of the sixty-six health system CISOs responding agreed that experienced cybersecurity professionals are unlikely to choose a healthcare industry career path for one main reason.

More than in other industries, healthcare CISOs are ultimately held responsible for a data breach and its financial and reputational impacts on the provider organization, despite having extremely limited technology decision-making or policy-making authority.

COVID-19 has greatly increased risk of data breaches

Healthcare cybersecurity has become more complicated as providers are forced to deal with the COVID-19 pandemic. Understaffed and underfunded IT security departments are scrambling to accommodate the surge in demand of remote services from patients and physicians while simultaneously responding to the surge in security risks.

The survey found that 90% of health system and hospital employees who shifted to working at home due to the pandemic did not receive any updated guidelines or training on the increased risk of accessing sensitive patient data from home and compromising systems.

“Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats, even though they pose a major public health problem,” said Locastro.

Forty percent of all clinical hospital employees still receive little or no cybersecurity awareness training in 2020, beyond initial education on login access.

Fifty-nine percent of health system CIOs surveyed are shifting security strategies to address user authentication and access, as user access has become the 2020 attacker’s go-to entry point of choice for health systems.

Stolen and compromised credentials were an ongoing issue for 53% of health systems surveyed, and hackers are increasingly using cloud misconfigurations to breach networks.

Cybersecurity consulting and advisory services are in high demand

Sixty-nine percent of 219 C-Suite respondents state their health system’s budget for cybersecurity consulting is increasing in 2021 to assess gaps, secure network operations, and user security on-premises and in the cloud.

“In today’s highly competitive cybersecurity market there isn’t enough talent to staff hospitals and health systems,” said Locastro.

“As provider organizations struggle to recruit, hire and retain in-house staff, the plausible choice is retaining an experienced advisory firm that is capable of identifying and remediating hidden security vulnerabilities, which appeals to the strategic and economic sense of boards and CEOs.”

Healthcare cybersecurity challenges find resolutions from outsourced services

“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” said Locastro. “Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”

That shortage of healthcare cybersecurity professionals, combined with a lack of appropriate technology solutions implemented, is forcing a rush to acquire services and outsourcing at a pace five times that of the acquisition of cybersecurity products and software solutions.

Cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of managed services.

“The key place to start when choosing a cybersecurity services vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization’s risk framework to select your best-suited vendor,” said Locastro.

“Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively.”

Fifty-one percent of in-house IT management respondents with purchasing authority report their group is not aware of the full variety of cybersecurity solution sets that exist, particularly for mobile security environments, intrusion detection, attack prevention, forensics and testing in various healthcare settings.

Cybersecurity in healthcare provider organizations remains underfunded

The dollars actually spent on healthcare industry cybersecurity products and services are increasing, averaging 21% year over year since 2017. Extended estimates project that nearly $140 billion will be spent by health systems and health insurers by 2026.

However, 82% of hospital CIOs in inpatient facilities under 150 staffed beds and 90% of practice administrators collectively state they are not even close to spending an adequate amount on protecting patient records from a data breach.

“Outdated IT systems, fewer cybersecurity protocols, IT staff untrained in evolving security skills, and data-rich patient files are making healthcare the current target of hacker attacks,” said Locastro. “And the willingness of hospitals and physician practices to pay high ransoms to regain their data quickly motivates hackers to focus on patient records.”

“Threats are now four times more likely to be centered on healthcare than any other industry, and ransomware attacks are increasing in popularity because of the amount of privileged information the hacker can obtain,” said Locastro.

“Providers at the point-of-care haven’t kept pace with the cybersecurity progress and tools that manufacturers, IT software vendors, and the FDA have made either.”

Healthcare consumers willing to change providers if patient privacy is compromised

Eighty percent of healthcare organizations have not had a cybersecurity drill with an incident response process, despite the skyrocketing number of data breaches in the healthcare industry in 2020.

Only 14 percent of hospitals and six percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020. Twenty-six percent of provider organizations believe their cybersecurity position has worsened, as compared to three percent in other industries, year-to-year.

“Medical and financial leaders have wielded more influence over organizational budgets and made it difficult for IT management to implement needed cybersecurity practices despite the existing environment, but now consumers are beginning to react negatively to the provider’s lack of protection solutions.”

A poll of 3,500 healthcare consumers who used medical or hospital services in the last eighteen months revealed that 93% would leave their provider if their patient privacy was compromised in an attack that could have been prevented.

Cybersecurity training: Learn how to secure containerized environments

Driven by a strong curiosity to know how computers and computer programs are made, how they work, and how safe they are, Sheila A. Berta, Head of Security Research at Dreamlab Technologies, has been interested in cybersecurity since her early teens.


For the last several years, she has been conducting investigations in a variety of information security areas like hardware hacking, car hacking, wireless security, malware and – more recently – Docker, Kubernetes and cloud security.

“At the moment everything tends to migrate to containerized, serverless and/or cloud environments with a microservices focus, so DevOps and other IT professionals have been forced to learn how to implement and work with these infrastructures,” she said, explaining her more recent research interests.

“The attack and defense techniques that can be applied in these environments are completely different from the techniques applied in ‘traditional’ architectures, so it’s very important that security professionals now acquire the necessary skills to competently protect these modern infrastructures.”

One of the ways they can achieve this is to attend a training course on the subject.

Virtual trainings through HITBSecTrain

During HITBCyberWeek, which is scheduled to start on November 15, Berta’s colleague Sol Ozzan will hold an online workshop focused on Docker and Kubernetes defense that will serve as a preview for a 2-day virtual training course that the two will conduct through HITBSecTrain in February next year.

“Our Attack and Defense on Docker, Swarm and Kubernetes training at HITBSecTrain will provide attendees with the practical knowledge they need to analyze and secure containerized & Kubernetes-orchestrated environments,” Berta told Help Net Security.

“Our trainings have a lot of hands-on laboratories. We start with the Docker fundamentals and then jump into the labs with Docker Black Box and White Box analysis, as well as defense on containers and Docker images. At the end of the first day, we focus on Swarm (official Docker orchestrator) with a variety of practices in attack and defense.”

The second day is fully dedicated to Kubernetes. They start with the fundamentals of this technology and then dive into the hands-on with Black Box, Gray Box, and White Box analysis. Sophisticated attack techniques will be explained, as well as advanced security features that can be implemented in this famous orchestrator.

This is not the first time she has held a container environment-related training – she also did so at Black Hat USA 2020. But, as can be expected, they are continuously updating the materials: they have lately added more attack techniques targeting different Docker and Kubernetes components, such as the Docker Registry and the Kubernetes Kubelet, and more open source tools that can be used to analyze and secure these infrastructures.

She also couldn’t help but speak highly of another 2-day training course that two other Dreamlab Technologies colleagues are set to hold in February.

“I had the pleasure of seeing how the trainers built the materials for the Attacking and Securing Industrial Control Systems (ICS) course and I have to say that it is the most practical training on ICS hacking I have ever seen. It even has practices for air-gap bypass techniques,” she noted.

“I believe practical experience is very important when it comes to these kinds of topics. We have prepared a realistic ICS environment that students will access throughout the course to perform all the exploitation techniques explained by the trainers.”

Enterprise IT security teams continue to struggle

CyberEdge conducted a web-based survey of 600 enterprise IT security professionals from seven countries and 19 industries in August 2020 in an effort to understand how the pandemic has affected IT security budgets, personnel, cyber risks, and priorities for acquiring new security technologies.


Impacts from the work-from-home movement

Prior to the pandemic, an average of 24% of enterprise workers had the ability to work from home on a full-time, part-time, or ad hoc basis. As of August 2020, that number more than doubled to 50%.

Many enterprises without existing BYOD policies were instantly compelled to permit employee-owned laptops, tablets, and smartphones to access company applications and data – in some instances without proper endpoint security protections.

Resulting IT security challenges

A 114% increase in remote workers coupled with a 59% increase in BYOD policy adoption has wreaked havoc among enterprise IT security teams.

The top-three challenges experienced by enterprise IT security teams have been an increased volume of threats and security incidents, insufficient remote access / VPN capacity, and increased risks due to unmanaged devices.

Furthermore, an astounding 73% of enterprises have experienced elevated third-party risks amongst their partners and suppliers. Adding fuel to the fire, 53% of these teams were already understaffed before the pandemic began.

Healthy 2020 and 2021 IT security budgets

While most enterprises searched for ways to reduce overall operating expenses in 2020, 54% of those surveyed increased their IT security operating budgets mid-year by an average of 5%.

Only 20% of enterprises reduced their overall IT security spending after the start of the pandemic. With regard to the impact of the pandemic on next year’s security budgets, 64% of organizations plan to increase their security operating budgets by an average of 7%.

Increased demand for cloud-based IT security investments

Arguably the biggest impact that the COVID-19 pandemic has had on the IT security industry is an increased appetite for cloud-based IT security solutions. This is primarily driven by the massive increase in remote workers but may also be influenced by having fewer IT security personnel available on site to install and maintain traditional on-premises security appliances.

Exactly 75% of respondents have indicated an increased preference for cloud-based security solutions. The top-three technology investments to address pandemic-fueled challenges are cloud-based secure web gateway (SWG), cloud-based next-generation firewall (NGFW), and cloud-based secure email gateway (SEG).

Reducing IT security personnel costs

Despite increased funding for cloud-based security technology investments, 67% of enterprise security teams were forced to temporarily reduce personnel expenses through hiring freezes (36%), temporary reductions in hours worked (32%), and temporary furloughs (25%). Fortunately, only 17% were forced to lay off personnel.

Training and certification make a huge difference

78% of those with IT security professional certifications feel their certification has made them better equipped to address pandemic-fueled challenges.

Next year, enterprises anticipate increasing their security training and certification budgets by an average of 6%.

Taking third-party risks seriously

The doubling of remote workforces has significantly increased third-party risks. As a result, 43% of enterprises have increased their third-party risk management (TPRM) technology investments. 77% are seeking technologies to help automate key TPRM tasks.

Securing employee-owned devices

In an effort to secure employee-owned devices connecting to company applications and data, 59% of enterprises are providing antivirus (AV) software, 52% are investing in mobile device management (MDM) products, and 48% are acquiring network access control (NAC) solutions.

Security professionals enjoy working from home

Not surprisingly, 81% of IT security professionals enjoy working from home. Once a COVID-19 vaccine is developed and the pandemic is over, 48% would like to continue working from home part-time while 33% would like to work from home full-time.

Businesses struggle with data security practices

43% of C-suite executives and 12% of small business owners (SBOs) have experienced a data breach, according to Shred-it.


While businesses are getting better at protecting their customers’ personal and sensitive information, their focus on security training and protocols has declined in the last year. This decline could pose issues for businesses, as 83% of consumers say they prefer to do business with companies who prioritize protecting their physical and digital data.

The findings reinforce the need for business owners to have data protection policies in place as threats to data security, both physical (including paper documents, laptop computers or external hard drives) and digital (including malware, ransomware and phishing scams), have outpaced efforts and investments to combat them.

The report, which was completed prior to COVID-19, also exposes that more focus is needed around information security in the home, where C-suites and SBOs feel the risk of a data breach is higher.

While advancements in technology have allowed businesses to move their information to the cloud, only 7% of C-suites and 18% of SBOs operate in a paperless environment. Businesses still consume vast amounts of paper, dispelling the myth of offices going digital and signaling a need for oversight of physical information and data security.

Having policies in place can mitigate the risk of physical security breaches

C-suites and SBOs indicated external threats from vendors or contractors (25% C-suites; 18% SBOs) and physical loss or theft of sensitive information (22% C-suites, 19% SBOs) are the top information security threats facing their business.

Yet, the number of organizations with a known and understood policy for storing and disposing of confidential paper documents adhered to by all employees has declined 13% for C-suites (73% in 2019 to 60% in 2020) and 11% for SBOs (57% in 2019 to 46% in 2020).

In addition, 49% of SBOs have no policy in place for disposing of confidential information on end-of-life electronic devices.

While the work-from-home trend has risen over the years, the COVID-19 pandemic abruptly launched employees into work-from-home status, many without supporting policies.

77% of C-suites and 53% of SBOs had employees who regularly or periodically work off-site. Despite this trend, 53% of C-suites and 41% of SBOs have remote work policies in place that are strictly adhered to by employees working remotely (down 18% from 71% in 2019 for C-suites; down 8% from 49% in 2019 for SBOs).

“As we adjust to our new normal in the workplace, or at home, it’s crucial that policies are adapted to align with these changes and protect sensitive information,” said Cindy Miller, president and CEO, Stericycle.

“As information security threats grow, it’s more important than ever that we help businesses and communities protect valuable documents and data from the risks of an information breach.”

Better training on security procedures and policies is needed

When it comes to training, 24% of C-suites and 54% of SBOs reported having no regular employee training on information security procedures or policies.

Additionally, the number of organizations that regularly train employees on how to identify common cyber-attack tactics, such as phishing, ransomware or other malicious software, declined 6% for C-suites (from 88% in 2019 to 82% in 2020) and 7% for SBOs (from 52% in 2019 to 45% in 2020).

“As a society, we are facing new information security challenges every day, from the rise of remote working to increased consumer concern,” said Michael Borromeo, VP of data protection, Stericycle.

“To protect businesses now and for the long haul, it’s instrumental that leaders reevaluate information security training and protocols to adjust to our changing world and maintain consumer trust.”

Businesses deal with data security and declining consumer trust

While many U.S. businesses feel they are getting better at protecting sensitive information, declining consumer trust and increased expectations may impact the bottom line.

  • 86% of consumers are concerned that private, personal information about them is present on the internet.
  • 24% of consumers would stop doing business with a company if their personal information was compromised in a data breach. Beyond losing their loyalty, consumers would lose trust in the business (31%) and demand to know what the business is doing to prevent future breaches (31%).
  • 38% of consumers trust that all physical and digital data breaches are properly disclosed to consumers (up 4% from 34% in 2019).

Businesses are reducing focus on policies for disposing of confidential information despite physical theft and vendor threats being top risks.

  • While 60% of C-suites and 46% of SBOs have a known and understood policy for storing and disposing of confidential paper documents, strict employee adherence to these policies has declined from 2019: down 13% from 73% in 2019 for C-suites and down 11% from 57% in 2019 for SBOs.
  • Additionally, 10% of C-suites and 38% of SBOs admit they have no policies in place for disposing of confidential paper documents, up 4% for C-suites (from 10% in 2019) and 8% for SBOs (from 30% in 2019).

Remote work has increased over the years, but information security policies are lacking.

  • Prior to the COVID-19 pandemic, 45% of small businesses did not have a policy for storing and disposing of confidential information when employees work off-site from the office.
  • A secondary study found that 75% of employees own a home printer that they use to print work documents and 43% print work-related documents weekly.

Inadequate skills and employee burnout are the biggest barriers to digital transformation

Nearly six in ten organizations have accelerated their digital transformation due to the COVID-19 pandemic, an IBM study of global C-suite executives revealed.


Top priorities are shifting dramatically as executives plan for an uncertain future

Digital transformation barriers

Traditional and perceived barriers like technology immaturity and employee opposition to change have fallen away – in fact, 66% of executives surveyed said they have completed initiatives that previously encountered resistance.

Participating businesses are seeing more clearly the critical role people play in driving their ongoing transformation. Leaders surveyed called out organizational complexity, inadequate skills and employee burnout as the biggest hurdles to overcome – both today and in the next two years.

The study finds a significant disconnect in how effective leaders and employees believe companies have been in addressing these gaps: 74% of executives surveyed believe they have been helping their employees learn the skills needed to work in a new way, while just 38% of employees surveyed agree.

80% of executives surveyed say that they are supporting the physical and emotional health of their workforce, while just 46% of employees surveyed feel that support.

The study, which includes input from more than 3,800 C-suite executives in 20 countries and 22 industries, shows that executives surveyed are facing a proliferation of initiatives due to the pandemic and having difficulty focusing, but do plan to prioritize internal and operational capabilities such as workforce skills and flexibility – critical areas to address in order to jumpstart progress.

“For many the pandemic has knocked down previous barriers to digital transformation, and leaders are increasingly relying on technology for mission-critical aspects of their enterprise operations,” said Mark Foster, senior vice president, IBM Services.

“But looking ahead, leaders need to redouble their focus on their people as well as the workflows and technology infrastructure that enable them – we can’t underestimate the power of empathetic leadership to drive employees’ confidence, effectiveness and well-being amid disruption.”

The study reveals three proactive steps that emerging leaders surveyed are taking to survive and thrive.

Improving operational scalability and flexibility

The ongoing disruption of the pandemic has shown how important it can be for businesses to be built for change. Many executives are facing demand fluctuations, new challenges to support employees working remotely and requirements to cut costs.

In addition, the study reveals that the majority of organizations are making permanent changes to their organizational strategy. For instance, 94% of executives surveyed plan to participate in platform-based business models by 2022, and many reported they will increase participation in ecosystems and partner networks.

Executing these new strategies may require a more scalable and flexible IT infrastructure. Executives are already anticipating this: the survey showed respondents plan a 20 percentage point increase in prioritization of cloud technology in the next two years.

What’s more, executives surveyed plan to move more of their business functions to the cloud over the next two years, with customer engagement and marketing being the top two cloudified functions.

Applying AI and automation to help make workflows more intelligent

COVID-19 has disrupted critical workflows and processes at the heart of many organizations’ core operations. Technologies like AI, automation and cybersecurity that could help make workflows more intelligent, responsive and secure are increasing in priority across the board for responding global executives. Over the next two years, the report finds:

  • Prioritization of AI technology will increase by 20 percentage points
  • 60% of executives surveyed say they have accelerated process automation, and many will increasingly apply automation across all business functions
  • 76% of executives surveyed plan to prioritize cybersecurity – twice as many as deploy the technology today.

As executives increasingly invest in cloud, AI, automation and other exponential technologies, leaders should keep in mind the users of that technology – their people. These digital tools should enable a positive employee experience by design, and support people’s innovation and productivity.


COVID-19 created a sense of urgency around digital transformation

Leading, engaging and enabling the workforce in new ways

The study showed placing a renewed focus on people may be critical amid the COVID-19 pandemic while many employees are working outside of traditional offices and dealing with heightened personal stress and uncertainty.

Ongoing IBV consumer research has shown that the expectations employees have of their employers have shifted amidst the pandemic – employees now expect that their employers will take an active role in supporting their physical and emotional health as well as the skills they need to work in new ways.

To address this gap, executives should place deeper focus on their people, putting employees’ end-to-end well-being first. Empathetic leaders who encourage personal accountability and support employees to work in self-directed squads that apply design thinking, Agile principles and DevOps tools and techniques can be beneficial.

Organizations should also think about adopting a holistic, multi-modal model of skills development to help employees develop both the behavioral and technical skills required to work in the new normal and foster a culture of continuous learning.

How vital is cybersecurity awareness for a company’s overall IT security?

The benefits of cybersecurity awareness programs are currently the subject of broad discussion, particularly when it comes to phishing simulations. Nowadays, companies not only invest in IT security solutions, but also in the training of their employees with the goal of making them more conscious of security issues.


Already, 96 percent of companies conduct security awareness training. This is one of the results of a study among qualified, international security experts conducted by Lucy Security.

Security awareness covers various training measures which sensitize a company’s employees to IT security issues. The goal of these measures is to minimize the risks to IT security caused by employees.

Companies do not exploit employees’ potential

81 percent of the companies surveyed carry out phishing simulations. It is noteworthy, however, that only slightly more than half of the companies already include their employees in their security arrangements. For example, only 51 percent of the companies use a phishing alarm button.

49 percent do not use this function and thus do not exploit the full potential of their staff. The so-called “human firewall” is not activated. “The lack of use of a phishing incident button wastes a lot of protection potential and user motivation,” comments Palo Stacho, Head of Operations at Lucy Security.

In 92 percent of the companies, cybersecurity awareness has increased in recent months. 96 percent also agree that cybersecurity awareness has led to a higher level of security in their company. 98 percent are also convinced that security awareness measures make attacks by cyber criminals more difficult.

Phishing simulations strengthen trust in superiors

The measures also strengthen the confidence in the management. Almost 89 percent of the survey participants “fully”, “largely” or “rather agree” that trust in management is not called into question by phishing campaigns.

73 percent also confirm that the security awareness measures do not cause any fear among employees. In fact, the measures have the opposite effect: 95 percent of the respondents say that the phishing simulations have a positive effect on the working atmosphere. 100 percent also claim that the measures have a positive effect on their company’s error culture.

Security awareness makes companies more secure

Finally, 92 percent of the survey participants denied that the same level of IT security could be maintained in the company if the existing funds and resources were invested exclusively in technical security measures, such as firewalls and virus scanners.

“At Lucy Security, internal analyses have shown that correctly implemented awareness programs make a company up to ten times more secure,” says Palo Stacho. “But the benefits of cybersecurity awareness go far beyond fewer security incidents and better trained employees. The trainings and increased attention to IT security also have a positive effect on the corporate culture.”

Infosec pros struggle to find opportunities to improve their work skills

Cybrary released the findings from the report which examines the current challenges, perceptions, and impacts of the cybersecurity skills gap faced by IT and security teams worldwide.


Security teams and the growing skills gap

The survey questioned respondents about the employer contributions towards their skill development, their level of personal commitment to growing their skills, and the current level of organizational support and opportunities offered for skill development.

Over 800 IT and security professionals, ranging in experience from system admins to CISOs, were surveyed to gather their industry insights. The survey found that:

  • 68 percent of respondents report investing their own free time, outside working hours to improve their cyber skills
  • Nearly 3 out of 4 respondents agree that skill gaps exist on their teams
  • 65 percent of managers agreed that skills gaps have a negative impact on their team’s effectiveness
  • 40 percent of individuals say they spend time working to learn new job skills every day, while another 38 percent reported at least once a week, and
  • 46 percent of organizations do not confirm new hire skills for specific roles and 40 percent rarely or never assess the skills of newly onboarded team members.

“Year after year, we see the cyber skills gap hindering the performance and productivity of IT and security teams, and this survey confirms that organizations still have a lot of work to do to provide their staff with the right training, guidance, and support they need,” said Ryan Corey, CEO of Cybrary.

“Despite industry-wide recognition around this growing skills gap, there has been little movement in bridging this gap. To make progress, organizations must empower and support IT and security teams by giving them the time and resources they need to grow their skill sets within their current role. It’s truly a win-win situation, contributing to both the individual’s career growth as well as organizational goals.”

Limited support and investment in employees’ career development

While it’s clear industry professionals are committed to advancing their careers, this survey shows limited progress from organizations in supporting employees and investing in their continued career development, despite the expectation for employees to keep pace in their dynamic roles.

The survey also reveals that employers need to break down significant barriers, such as cost (33 percent) and lack of time (28 percent), that are preventing IT and security professionals from getting the skills training they need to do their jobs to the best of their abilities.

With about half of organizations either decreasing their training budgets (22 percent) or keeping them the same (25 percent) this past year, it’s not surprising that industry professionals struggle to find opportunities to improve their skills for their work.

“The industry is overdue for a wake-up call to address the IT and security skills gap and talent shortage, especially as we enter a new era of remote work,” said Ron Gula, Cybrary Board Member.

“This vision for attracting and retaining talent can only be fulfilled if organizations continuously invest in their employees’ career and skills development. By assessing existing IT and security training programs, organizations can finally begin to empower their employees to scale their current skills and ultimately, their careers.”

Phish Scale: New method helps organizations better train their employees to avoid phishing

Researchers at the National Institute of Standards and Technology (NIST) have developed a new method called the Phish Scale that could help organizations better train their employees to avoid phishing.

How does Phish Scale work?

Many organizations have phishing training programs in which employees receive fake phishing emails generated by the employees’ own organization to teach them to be vigilant and to recognize the characteristics of actual phishing emails.

CISOs, who often oversee these phishing awareness programs, then look at the click rates, or how often users click on the emails, to determine if their phishing training is working. Higher click rates are generally seen as bad because it means users failed to notice the email was a phish, while low click rates are often seen as good.

However, numbers alone don’t tell the whole story. “The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves. The tool can help explain why click rates are high or low.

The Phish Scale uses a rating system based on the message content of a phishing email. The rating considers two things: the cues that should tip users off about the legitimacy of the email, and how well the premise of the scenario fits the target audience, meaning whether the tactics the email uses would be effective for that audience. Target audiences can vary widely, including universities, business institutions, hospitals and government agencies.

The method rates five elements relating to the scenario’s premise, each on a 5-point scale. The phishing trainer then uses the overall score to help analyze their data and rank the phishing exercise as low, medium or high difficulty.

The significance of the Phish Scale is to give CISOs a better understanding of their click-rate data instead of relying on the numbers alone. A low click rate for a particular phishing email can have several causes: the phishing training emails are too easy or do not provide relevant context to the user, or the phishing email is similar to a previous exercise. Data like this can create a false sense of security if click rates are analyzed on their own without understanding the phishing email’s difficulty.
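To make the scoring concrete, here is an added example (not NIST’s tool or code) that rates an exercise from the count of tell-tale cues and the five premise ratings on a 5-point scale, then reads the observed click rate against that difficulty. The cue and premise bands, the difficulty matrix, the 10% click-rate line and the sample exercises are assumptions for illustration, not NIST’s published values.

```python
"""Phish Scale style difficulty rating for simulated phishing exercises.

Added example, not NIST's code and not part of the original article.
From the page: the scale scores the cues in a message that should tip users
off, rates five premise-related elements on a 5-point scale, and ranks the
exercise as low, medium or high difficulty so a click rate can be read in
context. The cue bands, premise bands, difficulty matrix and click-rate
threshold below are ASSUMED for illustration; they are not NIST's values.
"""
from typing import Dict, List, Tuple

PREMISE_ELEMENTS = 5           # page: five elements relating to the premise
RATING_MIN, RATING_MAX = 1, 5  # page: each rated on a 5-point scale

# ASSUMED bands. More visible cues (misspellings, odd sender, mismatched
# links ...) make a phish easier to spot; a premise that fits the audience
# makes it harder. Each list holds (inclusive upper limit, band name).
CUE_BANDS: List[Tuple[int, str]] = [(8, "few"), (14, "some")]          # else "many"
PREMISE_BANDS: List[Tuple[int, str]] = [(10, "weak"), (17, "medium")]  # else "strong"

# ASSUMED matrix: (cue band, premise band) -> difficulty for the audience.
DIFFICULTY: Dict[Tuple[str, str], str] = {
    ("few", "strong"): "high",    ("few", "medium"): "high",    ("few", "weak"): "medium",
    ("some", "strong"): "high",   ("some", "medium"): "medium", ("some", "weak"): "low",
    ("many", "strong"): "medium", ("many", "medium"): "medium", ("many", "weak"): "low",
}


def _band(value: int, bands: List[Tuple[int, str]], top: str) -> str:
    """Return the first band whose upper limit covers value, else the top band."""
    for limit, name in bands:
        if value <= limit:
            return name
    return top


def cue_band(cue_count: int) -> str:
    if cue_count < 0:
        raise ValueError("cue count cannot be negative")
    return _band(cue_count, CUE_BANDS, "many")


def premise_alignment(ratings: List[int]) -> str:
    """Sum the five element ratings (5..25) and band the total."""
    if len(ratings) != PREMISE_ELEMENTS:
        raise ValueError(f"expected {PREMISE_ELEMENTS} ratings, got {len(ratings)}")
    if any(not RATING_MIN <= r <= RATING_MAX for r in ratings):
        raise ValueError(f"ratings must be between {RATING_MIN} and {RATING_MAX}")
    return _band(sum(ratings), PREMISE_BANDS, "strong")


def rate_exercise(cue_count: int, premise_ratings: List[int]) -> str:
    """Combine the cue band and premise band into low/medium/high difficulty."""
    return DIFFICULTY[(cue_band(cue_count), premise_alignment(premise_ratings))]


def interpret(click_rate: float, difficulty: str) -> str:
    """Read a click rate in light of difficulty: the page's central point.

    A low click rate on an easy phish says little about the audience and can
    give a false sense of security. The 10% line is ASSUMED.
    """
    if not 0.0 <= click_rate <= 1.0:
        raise ValueError("click rate must be a fraction between 0 and 1")
    low_clicks = click_rate < 0.10
    if low_clicks and difficulty == "low":
        return "inconclusive: easy phish, a low click rate may be a false sense of security"
    if low_clicks:
        return f"good: users resisted a {difficulty}-difficulty phish"
    if difficulty == "high":
        return "expected: hard phish; follow up on why the premise worked for this audience"
    return f"concerning: users clicked on a {difficulty}-difficulty phish"


def summarize(exercises):
    """Rate each exercise and return (name, difficulty, verdict) rows."""
    rows = []
    for name, cues, ratings, click_rate in exercises:
        difficulty = rate_exercise(cues, ratings)
        rows.append((name, difficulty, interpret(click_rate, difficulty)))
    return rows


# Constructed sample data: (exercise name, visible cues, five premise ratings, click rate).
SAMPLE_EXERCISES = [
    ("invoice_with_typos", 16, [1, 2, 1, 2, 2], 0.04),
    ("hr_benefits_enrolment", 3, [5, 4, 5, 4, 4], 0.08),
    ("it_password_expiry", 6, [4, 3, 3, 3, 2], 0.35),
    ("prize_notification", 12, [2, 2, 2, 2, 2], 0.30),
]

if __name__ == "__main__":
    for name, difficulty, verdict in summarize(SAMPLE_EXERCISES):
        print(f"{name:24s} difficulty={difficulty:6s} {verdict}")
```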

Helping CISOs better understand their phishing training programs

By using the Phish Scale to analyze click rates and collecting feedback from users on why they clicked on certain phishing emails, CISOs can better understand their phishing training programs, especially if they are optimized for the intended target audience.

The Phish Scale is the culmination of years of research, and the data used for it comes from an “operational” setting, very much the opposite of a laboratory experiment with controlled variables.

“As soon as you put people into a laboratory setting, they know,” said Steves. “They’re outside of their regular context, their regular work setting, and their regular work responsibilities. That is artificial already. Our data did not come from there.”

This type of operational data is both beneficial and in short supply in the research field. “We were very fortunate that we were able to publish that data and contribute to the literature in that way,” said NIST researcher Kristen Greene.

As for next steps, Greene and Steves say they need even more data. All of the data used for the Phish Scale came from NIST. The next step is to expand the pool and acquire data from other organizations, including nongovernmental ones, and to make sure the Phish Scale performs as it should over time and in different operational settings.

“We know that the phishing threat landscape continues to change,” said Greene. “Does the Phish Scale hold up against all the new phishing attacks? How can we improve it with new data?” NIST researcher Shaneé Dawkins and her colleagues are now working to make those improvements and revisions.

Organizations must rethink traditional IT strategy to succeed in the new normal

64% of IT pros are instilled with a new sense of confidence, despite contending with challenges such as reduced budgets, greater decision-making responsibilities, and longer hours caused by their organizations’ response to the pandemic, a SolarWinds survey reveals.

Likewise, 46% feel empowered to bring more ideas to the table while 58% say they now feel more prepared to succeed in similar unexpected situations.

“The success of organizations during this unique time is due in large part to IT pros’ preparedness and inherent ability to adapt and manage through substantial change,” said Rani Johnson, CIO, SolarWinds.

“2020—and the unexpected COVID-19 pandemic—is proof positive IT pros are built for moments like these. What’s particularly encouraging is IT pros’ perception and expectation IT will be included in more business-level decision-making moving forward.

“The dedication of IT pros around the world to ensuring business resiliency and continuity over the past several months serves to elevate and empower the IT community to work alongside business leaders to meet bigger organizational goals.”

IT pros’ upskilling likely to continue into the future

This newfound self-confidence, combined with IT pros’ achievements during this time, will completely transform how IT is viewed by the business in the future. IT may earn a more prominent voice in the C-suite, as 40% of surveyed IT pros believe they will now be involved in more business-level meetings.

Likewise, IT’s role will be up-leveled due to the vast upskilling 26% of IT pros underwent during this experience. With 31% admitting there’s a need to rethink internal processes to better accommodate the rapid change of pace required post-COVID, it’s highly likely a focus on IT pros’ upskilling will continue into the future.

“As always, with new responsibilities comes the need for new skills. While almost half of survey respondents felt they received the training required to adapt to changing IT requirements, nearly one-third experienced the opposite, and are at risk of being left behind as IT teams continue to grapple with how best to support the new normal,” said Johnson.

IT pros gaining an increased sense of confidence

IT pros said they’ve gained an increased sense of confidence in their expanded roles, responsibilities, and ability to adapt to unexpected change in the future, despite contending with more challenging working conditions over the course of the pandemic.

Respondents said longer work hours due to stretched teams (29%), more responsibility (28%) and decision-making requirements (28%), and a general increase in job-related stress (22%) were the leading ways in which day-to-day roles evolved in response to the impact of COVID-19.

Still, 64% agreed this experience—including changes to their day-to-day tasks—has given them a new sense of confidence in managing unprecedented change.

  • 46% say the work they accomplished has empowered them to bring new ideas to the table.
  • 58% say they now feel more prepared to succeed in any similar unprecedented situations in the future, while another 29% report feeling prepared to manage change but require additional resources, training, and support.

Given the achievements of IT pros during this period, 40% of respondents say they believe IT will be included in more business-level meetings and decision-making moving forward.

Remote workforce support requiring new skills

The implications of COVID-19 accelerated IT pros’ ongoing efforts to upskill in critical competencies, such as systems management, network management, and security policy and compliance.

26% of IT pros said it was necessary to learn new skills to support their organizations’ transitions to a remote workforce.

The top skills IT pros reported as the most important for development:

  • Systems management (55%)
  • Network management (50%)
  • Security policy and compliance (43%)
  • Hybrid IT monitoring/management tools and metrics (28%)

47% said they received the training they needed to learn these new skills; however, 25% are still waiting for those training resources to be made available.

The breadth of skills IT pros needed during this time shows how silos are disappearing, as roles start to blur together. In fact, today there is more crossover between traditional roles than there has ever been before and we will continue to see these lines blur until most silos are completely gone.

Technology, process, and team transformations are needed

In the coming months, IT organizations must undergo technology, process, and team transformations to accommodate the new IT requirements associated with extended remote-work scenarios post-pandemic.

71% of respondents felt supporting a remote workforce struck a balance in which certain aspects of day-to-day management were better, while others were more challenging.

  • 31% agree there’s a need to rethink internal processes to better accommodate the more rapid pace of change required post-COVID.
  • While 18% of respondents reported their toolsets and technologies fell short in addressing the unique challenges of remote workforces, 28% of IT pros flagged a need to consolidate existing solution suites (and their vendors) to simplify management, maintenance, and cost of upkeep.

Although the majority of IT organizations successfully managed the transition to remote work and played a critical role in ensuring business continuity, IT pros expect several trends to shape the future of their respective IT organizations:

  • Greater cross-team collaboration (53%)
  • More responsibility (46%)
  • IT inclusion in more business-level meetings and decision-making (41%)
  • Tighter budgets (even post-economic recovery) (26%)
  • More opportunity to upskill/attend trainings (25%)

Cyber crisis response failing to adapt to modern threats

Today, a stark disconnect exists between the inadequacy of crisis exercising and the desire to build an effective cyber crisis response function, according to an Osterman Research study.

The report, based on senior security leaders at 402 organizations with an average of 1900 employees in the US and UK, found nearly 40% are not fully confident in their teams’ training to handle a data breach if one happened that week.

A spike in ransomware attacks

Looking at the evolution of ransomware alone, the number of ransomware detections in business environments rose by 365% between Q2 2018 and Q2 2019, and global organizations have seen a 148% spike in ransomware attacks amid COVID-19.

Meanwhile, more than a third of organizations surveyed say they space their tabletop exercises a year – sometimes two – apart, with 65% consisting of reviewing PowerPoint slides. In fact, slide-based sessions are nearly 20 times more common than practicing simulations and 64% ran three or fewer scenarios during their last exercise.

“If you did your ransomware training in January, you’re likely five ransomware techniques behind the curve now,” said James Hadley, CEO of Immersive Labs.

“With three quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.”

There is a need for more – and modernized – cyber training across organizations, not just on the security team.

Over reliance on plans contributes to low IR confidence

Despite organizations’ low confidence in their IR preparedness, 61% of respondents think having an IR plan is the single most effective way to prepare for a security incident. In fact, twice as many respondents rated an IR plan more effective than regular tabletop crisis exercising.

When they do perform crisis exercises, nearly 40% of all senior security leaders surveyed said the last exercise generated no action from the business.

Senior cybersecurity leadership skipping crisis exercises

Only a fraction of the people who will be involved in a real crisis are present in training. A quarter of organizations surveyed ran crisis exercises without senior cybersecurity leadership in attendance, and only 20% of exercises involved communications team members, even though the survey showed that, when running crisis exercises, security leaders rate impact on brand (47%) as more important than share price (24%) or liquidity (27%).

Nearly half of security leaders said their organizations do not have a cross-disciplinary cyber crisis group; of those who do, only 17% meet monthly.

The pandemic exacerbates challenges with the human factor

20% of respondents said they find it impossible to effectively involve people in crisis response remotely from other geographies. Add to that, the human element of the cyber equation is being overlooked by crisis response exercises with only 15% saying they are focused on stress testing human cyber readiness.

Technology investments aren’t enough

Technology investments alone can’t save an organization; it’s time to focus on people. Nearly 60% of respondents think the best way to prepare for a crisis incident is to buy more technology, and more are interested in covering themselves legally (38%) than in running effective tabletop exercises and fire drills to train their teams (32%).

“Dusting off the three-ring binder crisis plan does not cut it today,” added Hadley. “In the first 30 minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents.

“Micro-drills, or very focused exercises, designed to address particular risks must make their way into the mix. Much like exercising to stay fit, this needs to happen with regularity in dynamic environments, and involve all the right people, in order to keep current and be effective.”

Half of IT teams can’t fully utilize cloud security solutions due to understaffing

There are unrealized gaps between the rate of implementation or operation and the effective use of cloud access security brokers (CASBs) within the enterprise, according to a global Cloud Security Alliance survey of more than 200 IT and security professionals from a variety of organization sizes and locations.

Utilize cloud security solutions

“CASB solutions have been underutilized on all the pillars but in particular on the compliance, data security, and threat protection capabilities within the service,” said Hillary Baron, lead author and research analyst, Cloud Security Alliance.

“It’s clear that training and knowledge of how to use the products need to be made a priority if CASBs are to become effective as a service or solution,” Baron concluded.

The paper found that while nearly 90% of the organizations surveyed are already using or researching the use of a CASB, 50% don’t have the staffing to fully utilize cloud security solutions, which could be remediated by working with top CASB vendors.

CASBs have yet to become practical for remediation or prevention

More than 30% of respondents reported having to use multiple CASBs to meet their security needs and 34% find solution complexities an inhibitor in fully realizing the potential of CASB solutions.

Overall, CASBs perform well for visibility and detecting behavior anomalies in the cloud but have yet to become practical as a tool for remediation or prevention.

Additional findings

  • 83% have security in the cloud as a top project for improvement
  • 55% use their CASB to monitor user behaviors, while 53% use it to gain visibility into unauthorized access
  • 38% of enterprises use their CASB for regulatory compliance while just 22% use it for internal compliance
  • 55% of total respondents use multi-factor authentication that is provided by their identity provider as opposed to a standalone product in the cloud (20%)

Tech sector job interviews test performance anxiety rather than competence at coding

A study from North Carolina State University and Microsoft finds that the technical interviews currently used in hiring for many software engineering positions test whether a job candidate has performance anxiety rather than whether the candidate is competent at coding. The interviews may also be used to exclude groups or favor specific job candidates.

“Technical interviews are feared and hated in the industry, and it turns out that these interview techniques may also be hurting the industry’s ability to find and hire skilled software engineers,” says Chris Parnin, an assistant professor of computer science at NC State and co-author of a paper on the work.

“Our study suggests that a lot of well-qualified job candidates are being eliminated because they’re not used to working on a whiteboard in front of an audience.”

The effect of the interview process on aspiring software engineers

Technical interviews in the software engineering sector generally take the form of giving a job candidate a problem to solve, then requiring the candidate to write out a solution in code on a whiteboard – explaining each step of the process to an interviewer.

Previous research found that many developers in the software engineering community felt the technical interview process was deeply flawed. So the researchers decided to run a study aimed at assessing the effect of the interview process on aspiring software engineers.

For this study, researchers conducted technical interviews of 48 computer science undergraduates and graduate students. Half of the study participants were given a conventional technical interview, with an interviewer looking on. The other half of the participants were asked to solve their problem on a whiteboard in a private room.

The private interviews did not require study participants to explain their solutions aloud, and had no interviewers looking over their shoulders.

Researchers measured each study participant’s interview performance by assessing the accuracy and efficiency of each solution. In other words, they wanted to know whether the code participants wrote would work, and how much computing resource it needed to run.

“People who took the traditional interview performed half as well as people that were able to interview in private,” Parnin says. “In short, the findings suggest that companies are missing out on really good programmers because those programmers aren’t good at writing on a whiteboard and explaining their work out loud while coding.”

The current format of technical interviews excluding certain job candidates

The researchers also note that the current format of technical interviews may also be used to exclude certain job candidates.

“For example, interviewers may give easier problems to candidates they prefer,” Parnin says. “But the format may also serve as a barrier to entire classes of candidates. For example, in our study, all of the women who took the public interview failed, while all of the women who took the private interview passed.

“Our study was limited, and a larger sample size would be needed to draw firm conclusions, but the idea that the very design of the interview process may effectively exclude an entire class of job candidates is troubling.”

What’s more, the specific nature of the technical interview process means that many job candidates try to spend weeks or months training specifically for the technical interview, rather than for the actual job they’d be doing.

“The technical interview process gives people with industry connections an advantage,” says Mahnaz Behroozi, first author of the study and a Ph.D. student at NC State.

“But it gives a particularly large advantage to people who can afford to take the time to focus solely on preparing for an interview process that has very little to do with the nature of the work itself. And the problems this study highlights are in addition to a suite of other problems associated with the hiring process in the tech sector,” adds Behroozi.

“If the tech sector can address all of these challenges in a meaningful way, it will make significant progress in becoming more fair and inclusive. More to the point, the sector will be drawing from a larger and more diverse talent pool, which would contribute to better work.”

Lack of technology skills creates a dent in remote workers’ productivity

The lack of technology skills is contributing to a dent in productivity as workers struggle to adapt to working from home over prolonged periods. Questionmark is calling on employers to ensure that their people have the necessary technical skills as remote working looks set to continue.

Productivity among remote workers has declined

A study found that despite a greater familiarity with technology during lockdown, productivity among remote workers in the UK has declined by 20%. Other European countries have suffered an even sharper drop in productivity. These range from -55% for France and Germany to a staggering -70% for Italy.

The study attributes much of the productivity dip to technical user error. It found that technology issues are increasingly causing workers to feel less productive.

As well as barriers to productivity, the errors and vulnerabilities that accompany widespread home working are causing a rise in security and data breaches. Across the UK, US, France and Germany, 46% of employers had experienced at least one security incident since the lockdown, and 51% recorded an increase in the number of email phishing attacks.

The necessity of regular skills testing and assessment

As talk of a ‘second wave’ of COVID-19 hits the headlines, many employers are reluctant to re-open offices and workspaces. If remote working is to continue into the medium term, it is vital that employees have the skills to restore productivity.

Regular skills testing and assessment of the workforce help employers understand where workers are struggling. It can enable employers to make good decisions around training and other interventions.

Lars Pedersen, CEO of Questionmark said: “At first, it looked as if remote working might last for a matter of weeks. Employers could prioritize essential functions and turn a blind eye to occasional productivity dips. But as widespread home working moves into the medium term, this is clearly not sustainable.

“By testing skills across the workforce, employers can pinpoint where gaps in productivity lie and introduce relevant training and support.”

Only 38% of US govt workers received ransomware prevention training

73% of government employees are concerned about impending ransomware threats to cities across the country, and more employees fear cyberattacks on their community than natural disasters and terrorist attacks, an IBM survey has revealed.

More than 100 cities across the United States were hit with ransomware in 2019. Data in the new Harris Poll found ransomware attacks might be even more widespread, with 1 in 6 respondents disclosing their department was impacted by a ransomware attack.

Despite the growth of these attacks, half of the employees surveyed have not seen any change in preparedness from their employers, with only 38% receiving general ransomware prevention training. Also, budgets for managing cyberattacks have remained stagnant according to 52% of state and local government IT/Security professionals polled.

“The emerging ransomware epidemic in our cities highlights the need for cities to better prepare for cyberattacks just as frequently as they prepare for natural disasters,” said Wendi Whitmore, VP of Threat Intelligence, IBM Security.

“The data in this new study suggests local and state employees recognize the threat but demonstrate overconfidence in their ability to react to and manage it. Meanwhile, cities and states across the country remain a ripe target for cybercriminals.”

2020 elections concerns

With the impending 2020 election in the U.S, it’s no surprise election security is top of mind for government employees. In fact, the study found 63% of respondents are concerned that a cyberattack could disrupt the upcoming elections, with the majority of government employees placing their local Board of Elections among the top three most vulnerable systems in their communities.

While concerns of attacks against election systems and voting machines continue to make headlines, cyberattacks can also be used as a form of distraction or a way to weaken confidence in systems for voters, or even impede them from casting ballots.

The Cybersecurity and Infrastructure Security Agency (CISA) has warned that ransomware attacks, in particular, pose a heightened risk to the elections. According to the study, the fear of ransomware attacks feels real to the vast majority of responding government employees, with 73% expressing concerns about threats to U.S. cities.

Public education

Public schools have emerged as a growing target for cybercriminals in 2019, ranking as the 7th most targeted industry. Ransomware impacted school districts in New York, Massachusetts, New Jersey, Louisiana and other states last year.

The study found that education respondents had the lowest amount of cybersecurity training compared to other surveyed state and local professionals. In general, 44% of those from the public education sector said they hadn’t received basic cybersecurity training, and 70% said they hadn’t received adequate training specifically on how to respond to a cyberattack.

With low training numbers, the majority of education respondents aren’t overly confident in their ability to recognize and prevent a ransomware attack – confidence is nearly 20% lower than other state and local employees surveyed.

Calling on the federal government

With ransomware attacks against cities likely to continue in 2020, both U.S. government employees and taxpayers believe the federal government should step in to assist.

The survey shows 78% of government employees believe the federal government should provide assistance to communities in responding to cyberattacks, echoing sentiments from the study where 50% of U.S. taxpayers said it’s the federal government’s responsibility to protect cities from ransomware.

The majority (76%) of state and local employees also believe cyberattacks warrant emergency support, similar to those used for natural disasters.

Positive progress and the path forward for cities

While the study details where work needs to be done in preparing cities for cyberattacks, the results also showed some improvements made since last year.

When asked whether they had seen any increases in preparedness and concern for cybersecurity in their departments, government employees surveyed claimed they had seen more improvements than not, and nearly 70% think their employers are currently taking the threat of cyberattacks seriously.

City and state employees ranked ransomware #3 among the threats they were most familiar with – demonstrating that well publicized attacks are increasing awareness.

How to test employee cyber competence through pen-testing

Social engineering hacking preys on the vulnerabilities inherent in human psychology, so it’s vital for organizations to test employee cyber competence.

Take the Nigerian 419 scam as an example – the scammer tries to convince the victim to help get supposedly ill-gotten cash out of their own country into a safe bank, offering a percentage of the money for their participation. While “Nigerian prince” emails have been scamming people for decades, it’s still an effective social engineering technique that people fall for.

Employees pose a huge threat to your organization if they’re not properly trained and educated on their role and responsibilities when it comes to cybersecurity. To identify the vulnerable workers who may require some extra learning, your organization can utilize social engineering pen-testing.

Employees are the first line of defense

Your employees are truly the first line of defense to keeping your company safe and secure. Employees need to understand how their personal social media habits and oversharing information online can have a direct correlation to the safety of their companies. With the amount of information shared on platforms such as LinkedIn, Facebook, Twitter, and Instagram, hackers can gather information to build trust with the victim or even assume the identity of someone in your social circle.

In other cases, employees lack the knowledge to identify cyber threats and therefore fall victim to the attack. Threats such as phishing emails, tailgating, and baiting may seem entirely legitimate to an employee who has no reason to be skeptical. Why wouldn’t you open an email from your boss on vacation that’s asking you to transfer money for him? Why wouldn’t you open the door for a colleague who happened to leave their keycard at home that day?

Social engineering hacks infiltrate your organization by “hacking the human brain” and preying on its vulnerabilities. Without a general understanding and training on how to identify cyber threats, employees will remain a target for cybercrime.

Make employee training a priority

Seek out comprehensive training services that prepare your employees to recognize and avoid the latest cybersecurity threats and so safeguard your organization. You’ll want a cybersecurity training program that is tailored to your organization’s vulnerabilities. Different industries, such as legal services, healthcare, financial services, or retail and hospitality, face different compliance standards and therefore have different training needs.

For example, law firms and others in the legal services field have strict requirements that cover both the handling of paper documents and digital security. Custom employee training programs for legal services will help staff adapt to the latest technologies and reduce liabilities with best practices in data hygiene and physical security.

The same industry-focused training program should also be customizable to an employee’s role within the company. For example, paralegals should watch for spoofed emails from court systems, wait staff at a restaurant should focus on credit card theft and identity fraud, and financial advisors need to be cautious when wiring money to and from their clients’ accounts.

Another crucial aspect of employee cybersecurity training is teaching your staff the importance of digital hygiene and how to keep their online data organized, safe, and secure from outside threats. This is built through digital hygiene practice and data-loss prevention methods. Educate your employees on the value of information and how to share it appropriately at different sensitivity levels; this helps protect against accidental disclosures.

Going back to oversharing on social media, training can help employees better understand social media hygiene and better gauge when and where it is appropriate to share personal information. If employees are aware of how the information they post can be used, they’ll be less likely to make that information so easily accessible to hackers.

One-time training isn’t going to cut it. Frequent training sessions are crucial to highlight new social engineering hacks that experts are seeing, as well as to keep best practices fresh in employees’ minds. Regular sessions keep the information active in the brain rather than pushed to long-term memory.

Keep in mind that for your non-technical employees, short 5 to 10-minute micro-training sessions allow more information to be absorbed than the typical annual one-hour training session.

Test employee cyber competence

Your employees have gone through training programs and are more aware of their responsibilities. Now it’s time to put them to the test: social engineering pen testing evaluates your employees’ level of cyber awareness through simulations. Hiring an outside penetration testing firm to put your security preparation through its paces is ideal, since a third party can bring to light issues that have fallen into the company’s blind spots.

The value of social engineering pen testing is that it will uncover security weaknesses in the following areas:

  • Physical security (of the entire building)
  • Corporate security policies connected to proper usage and disposal of sensitive data
  • Employees’ security awareness and how they apply it – you will see whether the staff needs additional security training

Social engineering pen-testing can be run against your employees either off-site or on-site. Off-site testing is designed to get employees to divulge information intended for internal use only. Employees can be targeted through phone phishing, e-mail phishing or SMS phishing. For example, a pen tester might send staff an e-mail informing them that they’ve won a vacation, with a link to files containing malware. If employees fall for the trap and click the link, the pen tester gains access to the target’s corporate account. A test of this nature gives the organization analytics on how many employees clicked the link and which employees pose the biggest risk.

On-site penetration testing applies various techniques to gain physical access to the target company’s offices. This can include impersonation of employees or clients, dumpster diving, and physical honeypots. One way to test employee cyber competence with this method is impersonation: have a pen tester pose as a tech support worker to gain direct access to the company’s network. Once inside, the pen tester can plug a USB thumb drive into a target computer and compromise the company within seconds. You can then analyze which employees were easily targeted and fooled by the impostor.

Take a dumpster dive into your employees’ trash bins. Have they left printouts and pieces of paper with critical information? Was the paper shredder not used to dispose of data? This is an effective way to see which employees may not be careful with sensitive corporate information.

Takeaway

You may think your organization is safe, but it only takes one individual to jeopardize the security of the whole company. Social engineering pen testing is an efficient way to identify where your employees stand when it comes to cybersecurity best practices. Making employees aware is the key, and results from pen testing can help drive this awareness.

Pen testing also provides valuable metrics: education and training without metrics fail to show whether people are learning and putting what they’ve learned to use. Testing employees when they don’t know they’re being tested gives real insight into their cyber awareness and how you can best train them. With your employees being your biggest cybersecurity vulnerability, training is the most cost-effective way to safeguard your organization.
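The click analytics described under off-site testing and the training metrics in the takeaway can be derived from simulation results like this. The following is an added example, not part of the original article or any vendor’s tooling; the campaign names, employees, departments and outcomes are constructed sample data, and an outcome is one of "clicked", "reported" or "ignored".

```python
from collections import defaultdict

# Constructed results from two simulated phishing campaigns (sample data only).
# Each record: (campaign, employee, department, outcome).
RESULTS = [
    ("2020-Q1", "alice", "finance", "clicked"),
    ("2020-Q1", "bob", "finance", "reported"),
    ("2020-Q1", "carol", "legal", "clicked"),
    ("2020-Q1", "dave", "legal", "ignored"),
    ("2020-Q1", "erin", "ops", "clicked"),
    ("2020-Q2", "alice", "finance", "clicked"),
    ("2020-Q2", "bob", "finance", "reported"),
    ("2020-Q2", "carol", "legal", "reported"),
    ("2020-Q2", "dave", "legal", "reported"),
    ("2020-Q2", "erin", "ops", "ignored"),
]


def campaign_rates(results):
    """Per campaign: fraction of recipients who clicked and who reported the lure."""
    totals = defaultdict(lambda: {"recipients": 0, "clicked": 0, "reported": 0})
    for campaign, _, _, outcome in results:
        totals[campaign]["recipients"] += 1
        if outcome in ("clicked", "reported"):
            totals[campaign][outcome] += 1
    return {
        c: {"click_rate": round(t["clicked"] / t["recipients"], 2),
            "report_rate": round(t["reported"] / t["recipients"], 2)}
        for c, t in totals.items()
    }


def repeat_clickers(results, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns:
    the retraining candidates the article's 'biggest threat' analytics point at."""
    clicks = defaultdict(set)
    for campaign, employee, _, outcome in results:
        if outcome == "clicked":
            clicks[employee].add(campaign)
    return sorted(e for e, cs in clicks.items() if len(cs) >= min_campaigns)


def training_trend(results, before, after):
    """Change in click rate between two campaigns; negative means fewer
    clicks after the training delivered in between."""
    rates = campaign_rates(results)
    return round(rates[after]["click_rate"] - rates[before]["click_rate"], 2)


if __name__ == "__main__":
    print(campaign_rates(RESULTS))
    print("retrain:", repeat_clickers(RESULTS))
    print("trend:", training_trend(RESULTS, "2020-Q1", "2020-Q2"))
```

A rising report rate alongside a falling click rate is the signal that training is working; a stable set of repeat clickers tells you whom the role-specific sessions should target.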