The biggest risk to Cyber Security in an organisation is not deficiencies in Cyber Security controls, but Cyber Security awareness. It’s often the actions or inactions of employees that cause incidents. Your Cyber Security Awareness training must be effective and deliver results.
Your Achilles Heel
Organisations just like yours have been providing Cyber Security Awareness training to their employees for some time now. Often this is because security certifications like the payment card industry’s data security standard (PCI-DSS) require that there must be a suitable security awareness program in place in your organisation.
Whether your organisation is the victim of a Cyber Security incident or not may depend on how seriously you treat Cyber Security Awareness training.
Why is that?
Unfortunately, some organisations treat Cyber Security Awareness as a simple box-ticking exercise.
Auditors will typically check that employees have attended an annual training, but that is no guarantee that the quality of the training content was any good, that it was understood by attendees, or that their behaviours changed after the training ended.
Why Are Remote Workplaces High Risk?
Insecure Wi-fi
Every Wi-fi standard released since the 1990s has inherent security weaknesses.
In an enterprise environment these weaknesses can be mitigated by using specific configurations and higher levels of security with 802.1X authentication and strong AES encryption.
But in a typical home network Wi-fi is often insecure: it can be intercepted, and network traffic captured, using a man-in-the-middle attack.
Worse still, using a shared public Wi-fi network means you are sharing a network with users who may have compromised devices, which can easily spread malware to your device.
Excessive VPN Access
Traditionally, network managers segment networks in an organisation to ensure that only workstations with specific IP addresses can access certain network resources.
For example, an organisation’s accounts department may have workstations in a network with IP addresses that look like 172.16.200.15, and firewall rules enforce a policy that grants workstations with these IP addresses access to the accounting services.
However, the same granularity is often not applied to remote VPN access.
Why not?
Unfortunately, during the Covid-19 pandemic, many organisations were forced to implement remote VPN access under pressure from management, and there is a risk that all users were granted IP addresses from the same common block.
This means that in many organisations, software developers could now have network access to accounting services, and accounting staff may have network connectivity to systems containing source code.
This makes the spread of malware much more likely, because the attack surface of the organisation has been expanded.
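The segmentation problem above is easy to audit once you have a list of VPN sessions and the firewall rules that key on source address. The script below is an added example, not code from the original article: it models a flawed policy (one common VPN pool that both the accounting and source-control rules match) next to a corrected policy (one pool per role), and reports every user who can reach a service their role does not need. All users, roles, address blocks and rule sets are constructed for illustration.

```python
"""Audit of VPN address-pool segmentation (added example, constructed data).

Firewall rules grant access by source IP block. If every VPN user lands in
one common pool, every user can reach every service that any VPN user
needs. This script reports that excess so it can be fixed before an
incident, and shows that per-role pools close the gap.
"""
import ipaddress

# Which services each role legitimately needs (constructed).
ROLE_SERVICES = {
    "accounting": {"accounting-erp"},
    "developer": {"source-control"},
}

# Firewall rules as (source network, destination service). A user whose VPN
# address falls inside the source network can reach the service.
# Flawed policy: one common VPN pool for everyone, so both rules match all.
COMMON_POOL_RULES = [
    ("10.8.0.0/24", "accounting-erp"),
    ("10.8.0.0/24", "source-control"),
]
# Corrected policy: a separate VPN pool per role, referenced by the rules.
PER_ROLE_RULES = [
    ("10.8.1.0/24", "accounting-erp"),   # accounting pool
    ("10.8.2.0/24", "source-control"),   # developer pool
]

# Constructed VPN session tables: (user, role, assigned VPN address).
COMMON_POOL_SESSIONS = [
    ("alice", "accounting", "10.8.0.15"),
    ("bob", "developer", "10.8.0.16"),
]
PER_ROLE_SESSIONS = [
    ("alice", "accounting", "10.8.1.15"),
    ("bob", "developer", "10.8.2.16"),
]


def reachable_services(address, rules):
    """Return the set of services the firewall lets this address reach."""
    addr = ipaddress.ip_address(address)
    return {svc for net, svc in rules if addr in ipaddress.ip_network(net)}


def audit(sessions, rules):
    """Return {user: excess services} for every user who can reach a service
    their role does not need. An empty dict means the policy is tight."""
    findings = {}
    for user, role, address in sessions:
        excess = reachable_services(address, rules) - ROLE_SERVICES[role]
        if excess:
            findings[user] = excess
    return findings


if __name__ == "__main__":
    print("common pool:   ", audit(COMMON_POOL_SESSIONS, COMMON_POOL_RULES))
    print("per-role pools:", audit(PER_ROLE_SESSIONS, PER_ROLE_RULES))
```

Run against the common pool, the audit flags both users; against the per-role pools it reports nothing. In practice the session table would come from the VPN concentrator's logs and the rule list from the firewall export, and the same check can be scheduled so that any rule matching the whole VPN range is caught as soon as it is added.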
Ineffective Remote Management
In an enterprise network, workstations are remotely managed by IT departments so that they can install updates to operating systems like Windows and to patch known vulnerabilities.
When users are remote or mobile, enforcing the installation of updates and patches is often problematic. This is because users may be offline for long periods of time or may have limited network bandwidth.
Why is this such a big deal?
Critical vulnerabilities in software are discovered frequently. For example, in January 2020 the NSA (unusually) announced a severe vulnerability in Windows 10 that could mean fake websites and software would be trusted by Windows 10.
When critical vulnerabilities like this are found in Windows, it is imperative that updates are installed immediately to patch the vulnerability.
Critical updates like this are often difficult or even impossible to enforce in a remote workplace, which leaves corporate workstations more vulnerable to a Cyber-attack.
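When a critical update cannot be forced onto a remote fleet, the next best thing is to know exactly which machines are still exposed and which have been offline so long that no enforcement could have reached them. The script below is an added example, not from the original article: it takes a constructed endpoint inventory of the kind an endpoint agent or MDM exports and classifies each host against a critical update's release date and a grace period. Hostnames, dates and thresholds are all invented for illustration.

```python
"""Patch-compliance check for remote endpoints (added example, constructed data).

Each endpoint reports when it last checked in and the date of the newest
cumulative update it has installed. Against a critical update released on a
given date, a host is compliant, still within the grace period, overdue, or
unreachable (offline longer than the enforcement window can tolerate).
"""
from datetime import date, timedelta

# Constructed inventory: hostname, last agent check-in, newest installed update.
INVENTORY = [
    {"host": "lt-finance-01", "last_seen": date(2020, 2, 10), "patched_to": date(2020, 2, 4)},
    {"host": "lt-dev-07",     "last_seen": date(2020, 2, 10), "patched_to": date(2019, 12, 10)},
    {"host": "lt-sales-03",   "last_seen": date(2020, 1, 3),  "patched_to": date(2019, 12, 10)},
]

# Constructed release date of the critical update being tracked.
CRITICAL_RELEASE = date(2020, 1, 14)


def classify(inventory, critical_release, today, grace_days=7, offline_days=14):
    """Return {host: status} for every endpoint in the inventory.

    Order of checks matters: an unreachable host is reported as such even if
    its last known patch level looks fine, because that level may be stale.
    """
    deadline = critical_release + timedelta(days=grace_days)
    result = {}
    for ep in inventory:
        if today - ep["last_seen"] > timedelta(days=offline_days):
            result[ep["host"]] = "unreachable"
        elif ep["patched_to"] >= critical_release:
            result[ep["host"]] = "compliant"
        elif today > deadline:
            result[ep["host"]] = "overdue"
        else:
            result[ep["host"]] = "pending"
    return result


def needs_action(statuses):
    """Hosts that require follow-up, worst first: unreachable, then overdue."""
    order = {"unreachable": 0, "overdue": 1, "pending": 2, "compliant": 3}
    return sorted((h for h, s in statuses.items() if s != "compliant"),
                  key=lambda h: order[statuses[h]])


if __name__ == "__main__":
    statuses = classify(INVENTORY, CRITICAL_RELEASE, today=date(2020, 2, 12))
    for host, status in statuses.items():
        print(f"{host:16} {status}")
    print("follow up:", needs_action(statuses))
```

The "unreachable" bucket is the one that matters most for remote teams: those machines are not merely late, they are outside the reach of any update policy until they reconnect, so the follow-up is a user contact or a conditional-access rule that blocks them from corporate resources until they check in and patch.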
Risky Personal Usage
In modern office workplaces it is common for users’ personal use of an organisation’s computing assets to be monitored or controlled, typically using Active Directory group policies and web filtering proxies from the likes of Bluecoat and Forcepoint. This is backed up by written acceptable-use policies for those assets.
But these web filtering controls are not always implemented for remote workers and may even be difficult to enforce because of the lack of sufficient control of browser configuration.
Also, many companies don’t restrict a user’s ability to change proxy settings or install additional browsers that bypass existing browser controls.
This means that some users may be bypassing web filtering proxies, or using alternative web browsers and browser extensions that are not updated when vulnerabilities are found.
In addition, users are more likely to click on malicious e-mail links, visit suspect websites, and share untrusted USB storage devices when not in a shared central office environment.
Workstations may be shared with family members, without any regard for the associated dangers.
Worse still, users who have administrator privileges on their workstations may install untrusted software if software installations are not prohibited by an enforced policy.
Public Exposure
The biggest risk associated with remote working is the careless use of corporate workstations in public places like coffee shops, airports, and hotels.
Connecting to untrusted public Wi-fi networks means that workstations or smartphones can be exploited by others sharing the same public network, passwords can be captured, and even encrypted communications can be intercepted.
Unattended workstations in hotel rooms are at risk of evil maid attacks, where full disk encryption passphrases can be captured.
Even leaving a laptop logged in and unattended for 30 seconds can result in malware being installed via USB ports using the $49 USB Rubber Ducky.
To make matters worse, some organisations are still not encrypting disks by default, despite full disk encryption being available for some years now with Microsoft’s BitLocker and Apple’s FileVault.
What to Cover in Cyber Security Awareness
There is no one-size-fits-all in Cyber Security Awareness training.
Whether you work in a University, a large government department, a multi-national corporation or a small startup, users' knowledge of Cyber Security and IT will vary.
But whatever the size of the organisation, one thing is clear: the Cyber Security Awareness training you provide must be effective and deliver results.
The following mind map illustrates many of the things you will need to keep in mind when looking for effective commercial Cyber Security Awareness training, or when creating your own.
How To Improve Security In Remote Teams
I recently asked people who work in local government authorities what they thought was missing from today's Cyber Security Awareness training. Many of them said that the big issue was remote working.
Improving Cyber Security for remote teams is not just about better, more focused training, although this will help.
Remote workplaces will remain vulnerable as long as organisations fail to mitigate the risks of mobile working by evolving their Cyber Security tools and processes, closing the loop in Cyber Security controls for remote workplaces.
The following six Cyber Essentials, if implemented properly, will mitigate the risks associated with remote working.
- Effective Training
- Secure Firewall Policies
- Secure System Configuration
- Effective Malware Protection
- Effective Access Management
- Effective Update Management
What If You Want To Put This In Place
Whether you are an early stage startup delivering Cyber Security Awareness for the very first time, or you are a larger established organisation and you are updating your Cyber Security Awareness program, you have many options.
There is a lot of free content available, for example on YouTube and sites like Udemy and Coursera. Although some of this can be useful as a starting point, it is unlikely to be comprehensive or targeted to your specific needs.
There are also many commercial organisations that provide Cyber Security Awareness training either online or at your office, but this is costly and often is not relevant to your workplace scenario.
So what if you want to develop your own Cyber Security program from scratch, and you don't know where to start?
If you have technical people on your team you can implement your own learning management system (LMS) using an on-premise or Cloud server, and software like WordPress can help you implement this.
But if you are non-technical and just want to publish your content to an existing LMS, then have a look at the Kajabi online training platform 30-day trial.
If you need help in implementing your own LMS and Cyber Security Awareness training content then do go ahead and contact me on Telegram.
Famous Last Words
In conclusion, the biggest risk to Cyber Security in an organisation is not deficiencies in Cyber Security controls, but Cyber Security Awareness. It’s often the actions or inactions of employees that cause security incidents.