In recent weeks Kenya made the cyber security headlines after OpAfrica (Anonymous Africa Operations) leaked 1TB of data from the Ministry of Foreign Affairs. The hacking group compromised the ministry's ICT infrastructure through a phishing email sent to its users. The email purported to come from a Zimbra administrator and advised users to urgently upgrade their Zimbra server or lose control of their email. Urgency and fear are typical of such lures: they push the user to act before thinking.
Need for Security Awareness Training (Credit: Renga S)
Could this have been prevented?
Yes and no. Let's start with the 'Yes' side: if the Ministry's email users had been aware of phishing attacks and how to pick out a phishing scam, OpAfrica's lure may well have failed this time. The scenario would have been different: the user would have paused and thought, "Hmm, am I the one responsible for upgrading servers? Maybe I should contact the IT department for clarification on this upgrade." An aware user makes use of their common sense.
User awareness is not something you conduct only when you notice you are being attacked; it should be a continuous endeavour that teaches users how to stay alert, detect incidents and report them. IT security starts with the people.
And the 'No' side: OpAfrica would still have persisted and moved on to more complex attack vectors to get what they wanted. No one is immune from hacking (individuals, corporates and governments alike).
Users will betray you for 30 pieces of silver (or even less)
The above incident naturally featured in Villbo Group briefs, and we decided to do a spot check on whether organizations are able to detect and protect themselves against the easiest and most common attack vector: phishing. The results simply validated recent global research.
Alarming percentages on spear-phishing attacks (Credit: Cybernetic)
One of our staff carried out some social engineering that shows just how easy it is for an attacker to gain entry into an enterprise. Armed with nothing but his eyes, a mobile phone and smooth talk, he was able to pick a target and quickly build enough trust with her to compromise the enterprise. The target was a cashier whose screen was slightly facing our staff member, Jimmy* (not his real name), who got a chance to see what was on the cashier's screen. She kept checking Facebook updates, and Jimmy picked up that she was following an upcoming festival. While Jimmy was being served he mentioned he was in a rush because he was one of the organizers of the festival, which caught the cashier's attention; she was more than willing to get a complimentary ticket. Jimmy offered to send her a link on Facebook with details of how to claim the complimentary tickets. Had Jimmy actually sent the link, I bet she would have rushed to fill in her details and click or download whatever was on the other end. As simple as it sounds, the security of the entire organization would have been betrayed with a single click!
How to succeed on your Security Awareness Programs
Show, don't tell – Don't just define the latest security threats (that's education); awareness means enlightening users about a security threat and how it impacts their professional and personal lives. Show users how to identify a phishing email using an actual phishing email, and make the training interactive. This empowers users to make informed decisions when they receive suspicious-looking emails.
Common sense – Emphasize the use of common sense. Think before you click. If you are not expecting a delivery from DHL, ignore all emails purporting to be from the courier company. Likewise, if you are not betting on Sportpesa, don't expect to win the jackpot; any email, SMS or call about a win is just a scam.
Learn on the go – One recipe for failure is getting users into boardrooms to sit through lengthy PowerPoint presentations. Research shows that on average an employee spends 2-3 hours a day commuting to work and back home. During those hours employees are glued to their smartphones on trains, buses and in personal vehicles; keep them busy learning how to secure your corporate environment. Mobile content that can be accessed at any time is a win for your program.
Make it personal – Let the program communicate how cyber threats affect employees' personal lives, their kids, their shopping experiences and so on. Employees will pay attention and take more care if you show them how one wrong click can lead to their personal bank account being wiped clean.
Fun, fun, fun – You are creating awareness, not training the CIA, though users do need to know about C.I.A. (Confidentiality, Integrity and Availability) as the principles of information security. Training programs need to be interactive, engaging and fun to learn from.
Villbo Group has partnered with the Security Awareness Company to deliver security awareness training that creates "Human Firewalls" that cyber criminals find hard to crack. Our shared philosophy of "keep it simple and teach the basics" guides the development of content that users find easy to grasp and applicable in both their professional and personal lives. The user, as a Human Firewall, is able to identify threats, prevent attacks and report incidents to the responsible personnel. Get in touch with our team for more details on how we can design an awareness program that addresses your security concerns.
Credit to Villbo Group and SAC team.
2018 © Villbo Group Limited.