Business + Partners

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

Reducing the Time to Discovery: How to Determine if You Have Been Hacked

For most small businesses, the chances of falling prey to a long-term covert surveillance operation by well-resourced, likely state-backed actors are slim. To recap, that is what the evidence suggests happened in the SolarWinds compromise discovered last December. Many believe the company’s Orion update was used to conduct cyber espionage for months prior to being discovered.

However, the average data breach lifecycle for businesses is 280 days from compromise to containment, according to research conducted by IBM and the Ponemon Institute, and most of that time passes before the breach is even identified; that is a significant gap between the time a network is compromised and its discovery. It shows that quietly persisting in a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses.

What would reducing the time to discovery mean for small businesses? Likely it would mean less of their data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted or less reputational damage to companies.

Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.

Consider booby trapping your network

As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help your organization level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses: they can try as often as they like and only need to be right once. Passive protection is good and necessary, to be sure, but network “booby traps” (honeypots, honey accounts and canary tokens) can help reduce that advantage, because they turn the attacker’s own probing into the alarm.

These measures may include setting up a decoy account whose name and description make it look like a domain administrator, a target any network intruder would want. It may be left at default settings or given a deliberately weak password, anything that makes it easy for a determined hacker to reach. The important caveat is that the decoy should hold no real privileges (a disabled account with an administrator-sounding name works well), so that an attacker who takes the bait gains nothing. Because no legitimate user ever touches it, any authentication attempt against it is a high-fidelity signal: the intruder’s presence triggers alarms alerting IT staff that an attack is underway and can even lock out the suspicious user.

Researchers have laid out several ways booby trapping could work, but all rely on the principle that the attacker takes an action that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react.

Configure and pay close attention to failed login attempts

Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.

When the account lockout policy behind RDP and other password-protected services is configured properly, an account is locked after a given number of incorrect attempts and an admin is alerted. That forces a user, legitimate or otherwise, to wait some predetermined time before attempting to log in again. Reaching out to the locked-out user can then help determine whether the credentials have been stolen or it is a genuine case of “fat fingers.” Two caveats apply. Lockout counters are kept per account, so an attacker who tries one or two guesses against many accounts (a password spray) never trips them, which is why the number of distinct accounts failing from a single source is worth watching as well. And because a lockout policy lets anyone who knows a username lock it, it should back up multi-factor authentication rather than replace it.

If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.
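The two ideas above, a decoy account that nobody legitimate should ever use and a failed-logon threshold that also catches what a per-account lockout misses, can be expressed as one small detection routine. The following Python is an added example and not Webroot’s code; the event lines are constructed in a simplified key=value rendering of Windows Security log fields (event ID 4624 = logon success, 4625 = logon failure, logon type 10 = RDP), and the decoy account name, thresholds and time windows are assumptions standing in for a real lockout policy and SIEM rule.

```python
"""Honey-account and failed-logon monitor (added example, not Webroot's code).

Events are constructed key=value lines modelled on Windows Security log
fields: id 4624 = logon success, 4625 = logon failure, type 10 = RDP.
The decoy account name, thresholds and windows are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed decoy: looks privileged, holds no real rights, is never used legitimately.
HONEY_ACCOUNTS = {"svc_backup_admin"}
FAIL_THRESHOLD = 5                    # failures per account/source before lockout
FAIL_WINDOW = timedelta(minutes=10)   # sliding window for counting failures
LOCKOUT_DURATION = timedelta(minutes=30)
SPRAY_THRESHOLD = 3                   # distinct accounts failing from one source
SUCCESS_AFTER_FAILS = 3               # failures that make a later success suspicious


@dataclass
class LogonEvent:
    time: datetime
    event_id: int
    account: str
    source_ip: str
    logon_type: int


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value' event line."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(datetime.fromisoformat(f["time"]), int(f["id"]),
                      f["account"].lower(), f["src"], int(f["type"]))


class LogonMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)  # (account, src) -> failure times
        self.spray = defaultdict(dict)      # src -> {account: last failure time}
        self.locked_until = {}              # account -> lock expiry
        self.alerts = []                    # (severity, message)

    def process(self, ev: LogonEvent):
        # Rule 1: any use of a honey account, success or failure, is critical.
        if ev.account in HONEY_ACCOUNTS:
            self.alerts.append(("critical", f"honey account {ev.account} used from "
                                            f"{ev.source_ip} (event {ev.event_id})"))
        # Rule 2: attempts against a locked account are worth seeing too.
        if ev.time < self.locked_until.get(ev.account, ev.time):
            self.alerts.append(("warning", f"attempt on locked account {ev.account} "
                                           f"from {ev.source_ip}"))
            return
        q = self.failures[(ev.account, ev.source_ip)]
        while q and ev.time - q[0] > FAIL_WINDOW:   # drop failures outside the window
            q.popleft()
        if ev.event_id == 4625:
            q.append(ev.time)
            # Rule 3: classic brute force, one account hammered from one source.
            if len(q) >= FAIL_THRESHOLD:
                self.locked_until[ev.account] = ev.time + LOCKOUT_DURATION
                q.clear()
                self.alerts.append(("high", f"{FAIL_THRESHOLD} failures for {ev.account} "
                                            f"from {ev.source_ip} within {FAIL_WINDOW}; locked out"))
            # Rule 4: password spray, which a per-account lockout never triggers.
            seen = self.spray[ev.source_ip]
            seen[ev.account] = ev.time
            for acct in [a for a, t in seen.items() if ev.time - t > FAIL_WINDOW]:
                del seen[acct]
            if len(seen) >= SPRAY_THRESHOLD:
                self.alerts.append(("high", f"password spray: {len(seen)} accounts failed "
                                            f"from {ev.source_ip} within {FAIL_WINDOW}"))
                seen.clear()
        elif ev.event_id == 4624:
            # Rule 5: a success right after a burst of failures looks like a cracked password.
            if len(q) >= SUCCESS_AFTER_FAILS:
                self.alerts.append(("high", f"success for {ev.account} from {ev.source_ip} "
                                            f"after {len(q)} recent failures"))
            q.clear()


# Constructed sample: brute force on jsmith, a honey-account logon, a
# legitimate fat-finger by mlee, then a three-account spray from 192.0.2.9.
SAMPLE_LOG = """\
time=2021-03-01T09:00:00 id=4625 account=jsmith src=203.0.113.5 type=10
time=2021-03-01T09:00:05 id=4625 account=jsmith src=203.0.113.5 type=10
time=2021-03-01T09:00:10 id=4625 account=jsmith src=203.0.113.5 type=10
time=2021-03-01T09:00:15 id=4625 account=jsmith src=203.0.113.5 type=10
time=2021-03-01T09:00:20 id=4625 account=jsmith src=203.0.113.5 type=10
time=2021-03-01T09:00:25 id=4625 account=jsmith src=203.0.113.5 type=10
time=2021-03-01T09:01:00 id=4624 account=svc_backup_admin src=203.0.113.5 type=3
time=2021-03-01T09:02:00 id=4625 account=mlee src=198.51.100.7 type=10
time=2021-03-01T09:02:01 id=4624 account=mlee src=198.51.100.7 type=10
time=2021-03-01T09:03:00 id=4625 account=asha src=192.0.2.9 type=10
time=2021-03-01T09:03:01 id=4625 account=bmorris src=192.0.2.9 type=10
time=2021-03-01T09:03:02 id=4625 account=cwu src=192.0.2.9 type=10
"""


def run(log_text: str) -> LogonMonitor:
    """Feed every sample line through the monitor and return it with its alerts."""
    mon = LogonMonitor()
    for line in log_text.splitlines():
        if line.strip():
            mon.process(parse_event(line))
    return mon
```

Run against the sample, the monitor produces four alerts: the lockout of jsmith on the fifth failure, the sixth attempt against the already-locked account, the logon to the decoy account (a success, which is the point: the honey account fires whether or not the attacker guessed right), and the spray from 192.0.2.9, which touched each account only once and so would never have tripped the lockout rule. The single mlee failure followed by a success produces nothing, which is the fat-finger case the text describes.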

Monitor anomalous web traffic

Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when, suddenly, an IP address from Eastern Europe is trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.

That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once it is there it can automatically alert admins when it occurs. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.
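As an added illustration of that baseline-then-alert approach (example code, not Webroot’s), the following Python builds a per-host profile of normal outbound destinations, countries, ports and transfer sizes from a training window of flow records, then flags departures from it. The flow records and their fields (time, host, destination domain, destination country, port, bytes out) are constructed; a real baseline would be built from weeks of data rather than the three days shown, and the three-sigma volume threshold is an assumption.

```python
"""Baseline-then-alert detection for outbound flows (added example, not Webroot's).

Flow records are constructed: time host dst_domain dst_country dst_port bytes_out.
The baseline window, country labels and sigma threshold are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

SIGMA = 3.0   # assumed: flag transfers more than 3 standard deviations above the mean

# Constructed training window: what the hosts normally talk to.
BASELINE_FLOWS = """\
2021-02-01T10:00 web01 updates.example-cdn.net US 443 12000
2021-02-01T11:00 web01 api.partner.example US 443 8000
2021-02-02T10:00 web01 updates.example-cdn.net US 443 11000
2021-02-02T12:00 web01 api.partner.example US 443 9000
2021-02-03T10:00 web01 updates.example-cdn.net US 443 13000
2021-02-01T09:00 fin02 bank.example US 443 5000
2021-02-02T09:00 fin02 bank.example US 443 5500
2021-02-03T09:00 fin02 payroll.example US 443 6000
"""

# Constructed detection window: one normal day plus a new destination, a new
# country, an unusual port and a large outbound transfer from web01.
NEW_FLOWS = """\
2021-02-10T10:00 web01 updates.example-cdn.net US 443 12500
2021-02-10T03:12 web01 cdn-static.example CN 443 9000
2021-02-10T03:15 web01 cdn-static.example CN 8443 250000
2021-02-10T09:00 fin02 payroll.example US 443 5800
"""


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, host, domain, country, port, nbytes = line.split()
        flows.append({"time": t, "host": host, "domain": domain,
                      "country": country, "port": int(port), "bytes": int(nbytes)})
    return flows


def build_baseline(flows: list) -> dict:
    """Per-host profile of what 'normal' outbound traffic looked like."""
    prof = defaultdict(lambda: {"domains": set(), "countries": set(),
                                "ports": set(), "bytes": []})
    for f in flows:
        p = prof[f["host"]]
        p["domains"].add(f["domain"])
        p["countries"].add(f["country"])
        p["ports"].add(f["port"])
        p["bytes"].append(f["bytes"])
    for p in prof.values():
        p["bytes_mean"] = mean(p["bytes"])
        p["bytes_sd"] = pstdev(p["bytes"])
    return prof


def detect(profile: dict, flows: list) -> list:
    """Return (host, reason, value) alerts, de-duplicated within this run."""
    alerts, seen = [], set()

    def emit(host, reason, value):
        if (host, reason, value) not in seen:
            seen.add((host, reason, value))
            alerts.append((host, reason, value))

    for f in flows:
        p = profile.get(f["host"])
        if p is None:                       # a host with no history at all
            emit(f["host"], "unknown_host", f["host"])
            continue
        if f["country"] not in p["countries"]:
            emit(f["host"], "new_country", f["country"])
        if f["domain"] not in p["domains"]:
            emit(f["host"], "new_domain", f["domain"])
        if f["port"] not in p["ports"]:
            emit(f["host"], "new_port", f["port"])
        if f["bytes"] > p["bytes_mean"] + SIGMA * p["bytes_sd"]:
            emit(f["host"], "volume", f["bytes"])
    return alerts


def run_detection() -> list:
    return detect(build_baseline(parse_flows(BASELINE_FLOWS)), parse_flows(NEW_FLOWS))
```

On the sample, web01 produces four alerts (a new country, a new domain, a new port and a transfer far above its baseline) while fin02 produces none, because payroll.example was already part of its history. The new-domain rule is the noisy one on a real network with workstations browsing freely; it is most useful on servers whose set of legitimate destinations is small and fixed, which is also where a sudden 250 KB outbound transfer at 03:15 deserves a look.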

Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.

Staying on guard against attacks

The best strategies for ensuring cyberattacks are not successful – and do not go unnoticed if they do – involve a mix of active and passive defenses. But poor configurations can undermine both. While small businesses are unlikely to become targets of highly skilled state-sponsored attackers, there are steps they can still take to make sure defenses are not undermined by the same common tactics.  

Here are a few quick tips:

  • Do not rely on the default configuration for RDP. Enforce 2FA and account lockout time-outs, and do not expose RDP directly to the internet.
  • Disable, or restrict and log, powerful tools like PowerShell, Office macros and WMI where they are not needed.
  • Limit access rights on your internal network so that only those who need access have it.
  • Strictly control access to the dev and QA processes if these take place within your organization.

Fools Rush in: 5 Things MSPs Should Know Before Adopting EDR

Buzzwords and acronyms abound in the MSP industry, an unfortunate byproduct of marketing years in the making. Cybersecurity is a hot watercooler topic at any business. Well, now probably more likely a virtual happy hour than a watercooler, but nevertheless cybersecurity remains top-of-mind.

To sleep at night, MSPs feel they must enhance or expand their security offerings beyond the standard layers, like firewalls and firewall filtering, Active Directory controls, DNS filtering and antivirus/anti-malware detection. One of the ways many MSPs feel they can satisfy their cybersecurity concerns involves the buzzword-y new acronyms floating around “EDR,” or endpoint detection and response. But what is EDR really, and what can it do for MSPs and their clients?

But first, besides EDR, there’s also ADR, MDR, XDR, and the industry can surely expect newer blank-DR acronyms in the next few years. What are all these acronyms and how do they help MSPs protect their clients? Here are a few definitions:

  • EDR (Endpoint Detection and Response) – By the broadest definition, every security agent sitting on an endpoint is an EDR solution. The information the agents feed back to administrators determines what action to take and when.
  • ADR (Automatic Detection and Response) – Newer technology allows the agent to make a decision automatically, without human intervention. Ideally, ADR remediates a situation on its own and reports to the administrators on the action taken.
  • XDR (Extended Detection and Response) – This newer acronym refers to agents across a network communicating to make a remediation or reporting decision across multiple endpoints.
  • MDR (Managed Detection and Response) – A best-of-breed solution using EDR, ADR and possibly XDR tools in various combinations, MDR puts a human team in charge of making decisions and responding to situations. While more complex and administration-heavy, MDR closes the gap that arises when suspicious applications are monitored and observed, but not reacted to, by an ADR or XDR solution. Human-driven MDR ferrets out the suspicious and reacts.

Here are five things MSPs should consider when evaluating EDR solutions:

1. All security tools with an endpoint agent are basically EDR.

Their job is to detect malicious code, applications, scripts or other malicious files and make a status determination on the fly. Most security agents use a mix of methods, such as looking up file hashes, scanning file content, watching behaviors, inspecting scripts and recognizing known attack techniques, to try to ascertain whether a newly encountered file is good or bad.

How the security agent reports its activity depends on the EDR tool. So, while many security tools claim they offer an “EDR” solution, the key is to determine the level of threat, suspicions and action taken in reporting or alerting that adds value for MSPs.

2. The “R,” or response, is key to a successful EDR solution.

While many security tools report and alert, the level of response is the most important aspect of any security practice. If the security agent provides minimal information for decision making, it’s of limited use to the technical personnel responsible for intervening.

On the other hand, technicians can take advantage of security tools with consoles that display alerts, reports and visibility into whether an agent responded, how, and the agent’s current status. Too often tools don’t provide the insight necessary for reviewing or comparing threat data against a common reference, like the MITRE ATT&CK framework or other sources of relevant threat information.

Solutions with a more comprehensive API are advantageous for custom review, integration into more dedicated threat review tools, or alerting through a log gathering and reporting tool. APIs are valuable for providing added information from which human technicians can make decisions.

3. What can be done with the EDR information? Is it actionable?

Once a tool has been selected, what should be done with the information it provides? Answering this is key to successfully setting EDR expectations for customers. If a client requires that an MSP have an EDR solution in place, installing an agent is only half of the equation.

Gathering the information into a comprehensive tool or suite can be daunting. If the security solution provider has tools like alerts, reports or an API, start there. However, these tools are often limited and need to be supplemented by a solution with higher performance or a faster response time.

Log gathering tools are a higher performance option that allow many tools to feed into a single system. Once such a solution is in place, the next challenge is to build rules for sifting through the millions of ingested points of information. These rules give human reviewers the details they need to make decisions. It may take several cycles to home in on the rules that lead to successfully spotting suspicious or malicious activity and protecting customers.

4. Understand what’s behind the EDR hype.

What’s the buzz around EDR and why has it become such a topic for discussion? It is a fair question, considering that the effort to stand up, manage and monitor an EDR solution, and to address a situation when it arises, can be costly and time consuming. Simply having a security vendor that “supports EDR” isn’t enough. Ticking a check box to satisfy a requirement is, again, only half of the equation.

So, why go through the time and expense of implementing EDR? Here are three top reasons:

  • Cybersecurity insurance – With the rise of breaches across business and public sector landscapes, cybersecurity insurance is on the rise. Many providers have requirements, from governance to tools that meet a specific scope. EDR is one such requirement.
  • Good practice – Having layers of protection for customers is important. Extending security offerings by adding an EDR solution with a process will increase that security footprint.
  • Managed Security Service Provider (MSSP) – More and more MSPs are adding value to their customers by adding cybersecurity-specific services. With cybersecurity challenges on the rise, many service providers can increase revenue and provide greater security posture for their customers. Implementing an EDR solution will contribute to that effort.

5. Plan out next steps for adopting EDR at your MSP

  • Evaluate the need. Investing in potentially costly new solutions because of a buzzword is not advisable.
  • Determine the level of effort required to adopt an EDR solution and devise a plan for doing it.
  • Review existing tools and determine if existing solutions are being leveraged most effectively today.
  • Build the team. Part of the plan for adopting EDR should include designating a security team to both manage the solution and respond to its findings.

Simply ticking an EDR box won’t necessarily contribute to client security. MSPs should evaluate the needs EDR will satisfy, the level of effort it takes to implement and how EDR fits into their overall service offering. Vendors won’t hesitate to offer “EDR solutions,” but it’s up to the MSP to implement them properly and establish the processes that support expectations. Simply having the solutions does no good. EDR done right requires the additional team focus, rules, review and responses. Implement an EDR offering with caution and planning.

The NSA Wants Businesses to Use DoH. Here’s What You Need to Know.

Most people would categorically agree that increased privacy online is a good thing. But in practice, questions of online privacy are a bit more complex. In recent months, you’ve likely heard about DNS over HTTPS (DoH), a method that carries DNS queries inside HTTPS so that their contents are hidden from anyone watching the network path. It can also address several DNS-enabled attack methods, such as spoofing or hijacking of the traffic between a client and its resolver. On the other hand, hiding the content of DNS requests can reduce admins’ visibility and control, and so negatively affect business network security.

Ultimately, this DNS privacy upgrade has been a long time coming. While its creators’ original 1983 design has undoubtedly proven itself by scaling to meet the demands of today’s internet, privacy just wasn’t a consideration 38 years ago; thus, the need for DoH.


When weighing the obvious privacy and security benefits against the visibility and potential security drawbacks, some businesses are having difficulty managing these new protocols. That’s likely why the NSA recently released a guide that not only explains the need for DoH, it strongly recommends that businesses protect their networks from rogue DNS sources to improve their network security. But what their guide doesn’t really focus on is how.

Correctly managing encrypted DNS can be very challenging. According to Jonathan Barnett, Webroot sr. product manager and DNS security expert, here’s what businesses need to know about the NSA’s guide and how to successfully embrace DoH.

What does the NSA guide recommend?

The NSA supports the privacy and security improvements DoH provides. However, they also recommend that DNS be controlled, which may leave some admins scratching their heads.

“The enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.”

What does the NSA caution against?

The NSA specifically warns about applications that can make DNS requests for themselves. Previously, if an application needed DNS, it would ask the local system for the resolution, ideally following whatever configuration the admin had set. These requests would then be sent to the network DNS resolver. This process provides a wealth of information to the network, helping with visibility in the case of a malware attack, or even in the event of a user accidentally clicking a phishing link.

With DNS encryption like DoH, this visibility not only disappears, but DNS itself becomes incredibly difficult to control. The real challenge is that DoH hides the DNS requests inside TLS, just as your web browser does when connecting to your online banking website. With this method, DNS requests look like regular website traffic to most firewalls and networks, which cannot tell whether a given request is legitimate or malicious.

What other challenges should I consider?

DoH is fairly early in its adoption and only a few applications currently use it, though adoption will continue to grow. In North America, Mozilla Firefox uses DoH for DNS resolution by default, although it turns DoH off when the network’s resolver answers the canary domain use-application-dns.net with NXDOMAIN, or when an enterprise policy disables it. Other browsers, such as Google Chrome and Microsoft Edge, have also begun to support DoH, though their default behavior (upgrading to DoH only when the system’s configured resolver is known to offer it) will not enable DoH on most business networks.

Worth noting is that Microsoft itself has yet to support DoH on their DNS servers, so enforcing the NSA’s recommendations may be somewhat difficult. Additionally, as DoH traffic runs on port 443, just like a secure connection to a website, it is not easily regulated or blocked. You can’t just block port 443 at your firewall either, as this action would also block all secure websites. You could block some of the known DoH providers, but as with any new technology solution, more DoH resolvers appear daily.
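To make concrete why DoH is invisible to a port-based firewall, here is what a DoH query actually is, followed by the one signal a firewall does still have: the TLS server name. This Python is an added example, not Webroot’s or the NSA’s code. build_dns_query and doh_get_url implement the RFC 8484 GET form (a standard DNS wire-format message, base64url-encoded without padding, in the dns= query parameter of the /dns-query path), decode_dns_param is its inverse, and flag_doh_connections checks constructed TLS log lines against an assumed, deliberately incomplete list of public resolver names.

```python
"""DoH on the wire and DoH spotting by server name (added example, not Webroot's).

build_dns_query/doh_get_url follow RFC 8484's GET form; the resolver list and
the TLS log lines are constructed for illustration.
"""
import base64
import struct


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: ID 0 (as RFC 8484 advises for cacheability), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def doh_get_url(resolver_host: str, name: str, qtype: int = 1) -> str:
    """The HTTPS request a DoH client makes: base64url without '=' padding."""
    param = base64.urlsafe_b64encode(build_dns_query(name, qtype)).rstrip(b"=")
    return f"https://{resolver_host}/dns-query?dns={param.decode()}"


def decode_dns_param(param: str):
    """Inverse: what the resolver (or a TLS-terminating proxy) sees again."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    qdcount = struct.unpack("!H", raw[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while raw[pos] != 0:
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", raw[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype


# Assumption: an admin-maintained list of public DoH endpoints. Real lists are
# longer and change constantly, which is exactly the problem the text describes.
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com",
                       "mozilla.cloudflare-dns.com", "dns.quad9.net"}


def is_known_doh(sni: str) -> bool:
    sni = sni.lower().rstrip(".")
    return any(sni == r or sni.endswith("." + r) for r in KNOWN_DOH_RESOLVERS)


# Constructed TLS ClientHello log: time, client, destination, server name.
SAMPLE_TLS_LOG = """\
2021-03-01T10:00:01 10.0.0.12 -> 198.51.100.1:443 sni=cloudflare-dns.com
2021-03-01T10:00:02 10.0.0.12 -> 198.51.100.2:443 sni=www.example.com
2021-03-01T10:00:03 10.0.0.40 -> 198.51.100.3:443 sni=dns.google
2021-03-01T10:00:04 10.0.0.40 -> 203.0.113.9:443 sni=doh.unknown-resolver.example
"""


def flag_doh_connections(log_text: str) -> list:
    """Return (client, sni) pairs whose server name is a listed DoH resolver."""
    flagged = []
    for line in log_text.splitlines():
        if "sni=" not in line:
            continue
        client = line.split()[1]
        sni = line.split("sni=", 1)[1].strip()
        if is_known_doh(sni):
            flagged.append((client, sni))
    return flagged
```

The URL built for www.example.com reproduces the example in RFC 8484, which shows how little DoH adds on top of ordinary DNS: the query bytes are unchanged, they are just inside a TLS session on port 443. The last sample connection goes to a resolver that is not on the list and is therefore not flagged, which is the weakness of blocking by name that the text describes. The decoder shows the other side of the NSA’s recommendation: once TLS is terminated at the enterprise resolver or a DoH-aware proxy, the query is plain DNS again and can be filtered or echoed to a local resolver like any other.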

How does Webroot address security with DoH?

The Webroot® DNS Protection agent already secures DNS requests by using DoH for all of its communications and leverages the power of Webroot BrightCloud® Threat Intelligence to identify and block alternate DoH connections. Our DNS Protection solution also includes an option to echo all DNS requests to your local resolver, so it maintains visibility into the DNS requests being made, leaving intact the powerful information provided by DNS.

Essentially, with a solution that works like Webroot DNS Protection, you still get the power of DNS filtering while also benefitting from DoH encryption. This protection secures remote and on-site users, devices, and networks, effectively fulfilling the NSA’s recommendations.

Hacker Personas Explained: Know Your Enemy and Protect Your Business

In today’s rapidly evolving cybersecurity landscape, the battle for privacy and security is relentless. Cybercriminals are masters at using technology and psychology to exploit basic human trust and compromise businesses of all sizes. What’s more, they often hide in plain sight, using both covert and overt tactics to cause disruption, steal money and data, and wreak havoc with MSPs and SMBs.

While cybersecurity advice is often focused on technology like endpoint protection, firewalls and anti-virus, it’s important to remember that behind every breach is a human. Knowing who they are and why they target your business is essential to remaining cyber resilient.

As we mentioned in a previous blog, hackers come in many forms, but their methods can generally be classified into three distinct types of cybercriminals:

  • The Impersonator – Hackers that pretend to be others, often using social engineering and human psychology to trick users.
  • The Opportunist – Hackers that exploit public events and socio-political crises for disruption or personal gain.
  • The Infiltrator – Hackers that target specific organizations and work to breach systems using a variety of tools and tactics.

Each one has their own methods and protecting against them requires a multi-layered approach. Let’s look at a few primary examples.

Who is the Impersonator?

An impersonation attack recently made headlines with the 2020 Twitter/Bitcoin scam, in which 130 high-profile Twitter accounts were compromised by outside parties to steal bitcoin. The perpetrators gained access to Twitter’s internal administrative tools in order to pose as legitimate CEOs and celebrities and trick users into sending bitcoin with the promise of doubling their investment. Unfortunately, attacks like this work: the hackers collected about $121,000 in bitcoin, none of which the victims ever saw again. This is a scam that’s been around for years, and since no one can reverse a cryptocurrency transaction, it’s very likely here to stay.

This type of cybercriminal manipulates victims into opening doors to systems or unwittingly sharing sensitive information by pretending to be someone you would inherently trust. The most notable example is the “Nigerian prince” email scam, a form of advance-fee (“419”) fraud. These typically start with an email from someone overseas claiming to be royalty, offering to share a financial opportunity in exchange for your bank account number. Nowadays, you’re more likely to receive an email from your boss’ boss asking for gift cards or money, but these scams are still active in many forms, as the Twitter attack shows.

Impersonators are known to use phishing, Business Email Compromise (BEC) and domain spoofing to lure victims, and they’re always looking for new ways to innovate. In fact, our 2020 Threat Report found that impersonators are now imitating legitimate business websites to deliver malicious payloads or steal data, and a shocking 27% of phishing sites use HTTPS, which makes these attacks even more dangerous. It’s easy to assume an official-looking website with an HTTPS address is safe, but a padlock only says the connection is encrypted, not that the site is honest: hackers can host phishing pages and BEC lures on HTTPS sites just as easily, since obtaining a TLS certificate is trivial now. This is why a multi-layered approach that can block phishing sites (including HTTPS ones) in real time is key for staying safe.

What Does the Opportunist Want?

While attacks of opportunity are nothing new, the tactics of the opportunist have gone to a new level with the recent coronavirus pandemic. According to our COVID-19 Clicks report, at least one in three people have fallen for a phishing email in the past year. This year has been all about the pandemic and the fear surrounding it. These phishing attempts often appear in the form of articles about the best ways to avoid coronavirus or links to documents that have lists of people with COVID-19 “in your area.” These documents will ask users to enable an embedded macro that then delivers malware, usually in the form of ransomware. Over 90% of malware campaigns used the pandemic in their initial phishing email this past year.

Opportunists wait for the right opportunity to strike, and just as impersonators take advantage of trust, opportunists also rely on trust and familiarity to deceive users into downloading malicious payloads. Unlike other hackers, however, they don’t have specific victims in mind. The opportunist capitalizes on urgency, fear and unpreparedness to catch as many victims in their net as possible.

As we point out in a popular Hacker Personas podcast, other opportunist attacks like those exploiting U.S. government stimulus payments are also on the rise. Business leaders in particular should watch out for these tactics, as phishing emails can compromise company devices. With the increase of remote workers using unsecured systems and personal devices to access corporate networks, all businesses are at risk from opportunists who bait remote employees.

How Do Infiltrators Breach Systems?

One of the best examples of an infiltration attack is the 2020 SolarWinds breach, in which a foreign state compromised the SolarWinds software supply chain: a trojanized update reached as many as 18,000 government and private customers, reportedly including over 425 of the Fortune 500, although far fewer of those networks were then actively exploited. Nation-state hackers planted SUNSPOT malware on the Orion build system to insert the SUNBURST backdoor into software builds of the platform, and SolarWinds, unaware, signed and shipped it to customers as a normal update. Several significant US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury, were attacked. What’s more, the fallout of this attack is still ongoing and we may never know the full damage.

The Infiltrator is the opposite of an opportunist in that they target specific victims and have a clear-cut approach to getting what they want. Rather than casting a wide net and hoping for the best, they usually know the system they want to infiltrate, and they use stealthy measures to breach systems, often coming away with a large payout in the form of a costly ransom to criminal enterprises or valuable intel to nation states.

What Steps Should MSPs and SMBs Take to Stay Cyber Resilient?

If knowing your enemy is the first step to protecting your business, the next step is to develop a strong cyber resilience posture that protects against their attacks. Part of that is understanding that cyberattacks are often a matter of “when, not if.” Even if you’re not the target of an infiltrator, for example, your business or employees may be the unknowing victims of an opportunist or impersonator.

Protecting your business includes:

  • Implementing a multi-layered cybersecurity approach that includes complete endpoint protection, firewalls, real time anti-phishing as well as Security Awareness Training
  • Continuously educating and training employees, staff and customers to follow cybersecurity best practices and to stay up to date on cyberattack news
  • Using a backup and recovery solution that can restore critical files after an attack and keep the business up and running during a crisis.

To learn more about hacker personas and strategies to protect against their various attacks, check out our eBook, Hacker Personas: A Deeper Look Into Cybercrime. You can also follow our Hacker Files and Lockdown Lessons series that include a variety of guides, podcasts and webinars covering these topics and more.

How IT Will Prevail in the 2021 Cyber-Demic

While we can all rejoice that 2020 is over, cybersecurity experts agree we haven’t seen the last of the pandemic-related rise in cyberattacks. Throughout the last year, we’ve seen huge spikes in phishing, malicious domains, malware and more, and we don’t expect that to slow down. As employees around the world continue to work from home, 2021 is shaping up to be another year of record highs in terms of malicious online activity.

What is the cyber-demic?

Cybercriminals have always been opportunistic, taking advantage of all possible avenues that disrupt businesses, steal data, trick end users, and more to turn a profit. As the threat reports Webroot produces each year have shown — not to mention the increasing number of major hacks in the headlines — threats keep evolving, and their growth is often exponential. That means even before the pandemic, cyberattacks and resulting data loss were already becoming a case of “when,” not “if.”

Still, the COVID-19 pandemic brought unprecedented surges in threat activity as cybercriminals capitalized on chaos and security gaps caused by the switch to WFH. Particularly by targeting vaccine production and distribution, COVID-19 trackers, videoconference applications, and other pandemic-related topics in their scams, criminals have upped the ante on what would have already been a record year; hence “cyber-demic.”

What types of malicious activities should we expect?

“It’s all about data,” says Matt Seeley, senior solutions consultant at Carbonite + Webroot, OpenText companies.

“Whether you’re a business or an individual at home, your data is important to you. Not having access to corporate data can put companies out of business. Not having access to your personal files can also have devastating consequences. The scammers know how important data is. That’s why stealing it, misusing it, holding it for ransom, or threatening it in some other way is such an effective way to get what they want – i.e., the money.”

– Matt Seeley, sr. solutions consultant, Carbonite + Webroot, OpenText companies

Recent trends in ransomware back up these insights. Thought to be pioneered by the Maze ransomware group in late 2019, a tactic that spread through 2020 changed the ransomware business model. Instead of only encrypting data and demanding a ransom to unlock it, criminals first steal the data, then encrypt it, and add a second incentive to pay by threatening to publish what they stole if the victim refuses. Using leak/auction websites, criminals can display or auction off a victim’s data to the highest bidder; the cake-topper is that organizations subject to privacy or data-protection rules, such as GDPR or PCI DSS, may also face the fines associated with improperly securing sensitive data.

Additionally, the modular nature of modern malware means many malware groups are teaming up to increase their chances of a successful payday. For example, a phishing email might drop a Trojan or botnet loader that harvests domain credentials. Once the criminals have domain credentials, they can disable security tools and tamper with or delete backups. That way, when they eventually drop ransomware, businesses may have no choice but to pay, since their backups are also compromised.

How IT will Prevail in 2021

“The answer, once again, is data,” says Seeley, “though, in this case, it’s part of overall cyber fitness. If your data isn’t secured, properly segmented, backed up and tested, then 2021 is likely to be a bad year.”

Stressing the need to combine comprehensive cybersecurity layers with proven backup and disaster recovery solutions, Seeley explains, “To bring your cyber fitness up and become more resilient, I recommend businesses start off by assuming they will definitely get breached this year, even if they’ve been lucky and have never been breached before. Once you accept that as your foundation, you can prepare for it. It’s that preparation that’s going to be key.”

Here are his top 3 tips for businesses to stay safe.

  1. Know your data.
    “This is the #1 most important advice I can offer. You can’t secure data if you don’t know where it lives or how important it is. The folks who don’t know their data, who don’t know all the places it resides, how up-to-date it is, or what kind of security it needs, are the ones who are going to suffer the worst if they get attacked or experience some kind of physical damage, like hardware failure or a natural disaster. They’re the ones who, even if they have backups in place, will go to restore their data and realize they don’t have the right information after all. You don’t want to have to learn that the hard way.”
  2. Classify your data.
    “This is part of knowing your data. If you accept that the data breach is going to happen sooner or later, then you need to know which data is mission-critical to get through your day, vs. other historical data that is nice to have, but won’t make or break your business if you lose access for a little while. Once you know the timing of which systems and data need to be available this second and which ones can wait a few days or weeks, you can properly plan your disaster recovery strategy and choose the right backup solutions and schedules.”
  3. Test your data recovery plan.
    “The biggest obstacle to your cyber fitness is overconfidence. Just because you have antivirus and backups doesn’t guarantee your protections will be there and functional when you need them. Bad actors are going to keep getting craftier. They’re going to keep finding new ways to target data. You need to regularly monitor and test your backup and disaster recovery strategy to ensure that your data is exactly as safe and available as you need it to be.”

    For more details on stress testing your disaster recovery plan, read his blog on the subject.

While these tips apply more to businesses than home users, Seeley says the same fundamental principles apply to anyone. “Think about all the data you could lose if your personal computer crashed right now and the hard drive died. Do you have it backed up? Are those backups secure? Do you know all the places your data lives? Do you have protection for it? Whether you’re a business, an MSP, a regular person at home, a student… These are the types of questions we should all be asking ourselves, so we can all be more resilient in this cyber-demic.”

Essential Threat Intelligence: Importance of Fundamentals in Identifying IOCs

The supply chain attack that Trojanized a SolarWinds update to infect and spy on the IT management platform’s customer base continues to be analyzed. Early reports have called the methods highly sophisticated and the actors highly trained. We do know that IP addresses, a command and control server and a malicious product update file were used. While details continue to come to light with further investigation, one thing has been made clear by the incident: the fundamental elements of tactical threat intelligence still have a critical place in a layered cybersecurity strategy.

Tactical threat intelligence typically focuses on the latest methods threat actors are using to execute attacks. It examines indicators of compromise (IOCs) like IP addresses, URLs, system logs and files to help detect malicious activity. This type of threat intelligence is most often consumed by network and security devices like firewalls, SIEMs, TIPs and other tools, which apply it as policy: blocking, alerting on or allowing traffic based on the intelligence criteria.

Recent attacks continue to prove that these fundamental tactical threat intelligence pieces are still critical. While web filtering and URL classification, IP reputation, and file detection and reputation may be less flashy than threat actor profiles and takedown services, they continue to be the building blocks of core threat intelligence elements that are key to stopping attacks.

These IOCs – files, IPs, URLs – are proven methods of attack for threat actors and play a consistent role in their malicious campaigns. Having tactical intelligence concerning these internet items is one key step security and technology providers can take to ensure their users are better protected. For tactical threat intelligence to be effective it must be both contextual and updated in real-time.

Why context matters


Context is what allows threat intelligence providers to take a mass amount of data and turn it into something meaningful and actionable. With context, we can explore relationships between internet objects and better assess their risk.

As the recent SolarWinds attack shows, IOCs are often interconnected, and rarely is only one used. Seeing the connections surrounding various internet objects, like a benign website that may be one step away from a malicious IP address, allows us to map and analyze these objects not only as they are classified but in their contextual relationships. These relationships allow us to better predict whether a benign object has the potential to (or is even likely to) turn malicious.

Real-time intelligence

Over the course of a year, millions of internet objects change from benign to malicious and back many times as cybercriminals attempt to avoid detection. Showing a single IOC at a single point in time, as happens with static IP blocklists, doesn’t paint the full picture of an object’s activity. Both real-time and historical data, however, can help in the development of a reputation score based on behavior over time and common reputational influencers such as age, popularity and past infections. It also helps to protect users from never-before-seen threats and even predict where future attacks may come from.

Once the fundamental intelligence is present, it’s also critical to make sure policies are enabled and configured correctly to best take advantage of the threat intelligence. In the instance of the SolarWinds attack, when we evaluated the initial data we found that seven of the IP addresses used in the campaign were previously identified by BrightCloud® Threat Intelligence months prior to discovery of the attack. These IP addresses were marked as high-risk and had fairly low reputation scores. In addition, the IPs consistently remained in the high-risk category throughout the year, meaning there was a high predictive risk these IPs would attack infrastructure or endpoints. Depending on the threshold set in the policy, many end users could have already been prevented from experiencing malicious behavior initiating from one of these identified IP addresses.
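
The following is an added example, not code from the original post and not BrightCloud’s scoring algorithm. It shows, with a hypothetical scorer and constructed sighting histories, the difference the two paragraphs above describe: a reputation built from real-time and historical sightings (weighted by age, popularity and past infections) and gated by a policy threshold keeps blocking an IP that was a botnet C2 in the summer and has looked quiet since, while a static blocklist that only reflects the latest snapshot waves it through. The half-lives, bonus and penalty values are assumptions chosen for illustration.

```python
"""
Behaviour-over-time IP reputation vs. a static blocklist snapshot.

Hypothetical scorer (not BrightCloud's algorithm): malicious sightings
decay slowly, benign ones quickly, long-lived infrastructure earns a
small bonus, and any past infection costs a flat penalty that never
fully expires.  A policy threshold then turns the score into a verdict.
"""
from dataclasses import dataclass
from datetime import datetime
import math


@dataclass(frozen=True)
class Sighting:
    when: datetime
    malicious: bool   # True = observed doing C2 / botnet traffic, etc.
    sources: int = 1  # independent sensors reporting it (popularity proxy)


def _decayed_weight(age_days: float, half_life_days: float, sources: int) -> float:
    """Exponential decay: a sighting loses half its weight every half_life_days."""
    return sources * math.exp(-age_days * math.log(2) / half_life_days)


def reputation_score(sightings, first_seen: datetime, now: datetime,
                     bad_half_life: float = 180.0, good_half_life: float = 30.0) -> float:
    """0..100, higher = more trustworthy (assumed weights, see module docstring)."""
    bad = good = 0.0
    for s in sightings:
        age = (now - s.when).total_seconds() / 86400
        if s.malicious:
            bad += _decayed_weight(age, bad_half_life, s.sources)
        else:
            good += _decayed_weight(age, good_half_life, s.sources)
    base = 50.0 if bad + good == 0 else 100.0 * good / (bad + good)   # unknown = neutral
    age_bonus = min(10.0, (now - first_seen).days / 36.5)             # up to +10 after ~1 year
    infection_penalty = 15.0 if any(s.malicious for s in sightings) else 0.0
    return max(0.0, min(100.0, base + age_bonus - infection_penalty))


def static_blocklist_verdict(sightings) -> str:
    """What a snapshot blocklist sees: only the most recent observation."""
    if not sightings:
        return "allow"
    latest = max(sightings, key=lambda s: s.when)
    return "block" if latest.malicious else "allow"


def policy_decision(score: float, block_below: float = 40.0, alert_below: float = 60.0) -> str:
    """Thresholds a firewall or SIEM policy would apply to the score."""
    if score < block_below:
        return "block"
    if score < alert_below:
        return "alert"
    return "allow"


# Constructed sample histories (not real observations).
NOW = datetime(2020, 12, 15)

FLIP_FLOP_IP = dict(
    first_seen=datetime(2019, 1, 10),
    sightings=[
        Sighting(datetime(2020, 6, 2), True, 5),    # botnet C2 seen in summer
        Sighting(datetime(2020, 6, 20), True, 8),
        Sighting(datetime(2020, 7, 11), True, 3),
        Sighting(datetime(2020, 9, 5), False, 2),   # quiet since
        Sighting(datetime(2020, 11, 20), False, 1),
        Sighting(datetime(2020, 12, 10), False, 1),
    ],
)
LONG_LIVED_CLEAN_IP = dict(
    first_seen=datetime(2017, 3, 1),
    sightings=[Sighting(datetime(2020, 11, 1), False, 40),
               Sighting(datetime(2020, 12, 12), False, 55)],
)
NEVER_SEEN_IP = dict(first_seen=NOW, sightings=[])


def evaluate(ip: dict, now: datetime = NOW) -> dict:
    score = reputation_score(ip["sightings"], ip["first_seen"], now)
    return {
        "score": round(score, 1),
        "reputation_policy": policy_decision(score),
        "static_blocklist": static_blocklist_verdict(ip["sightings"]),
    }


if __name__ == "__main__":
    for name, ip in [("flip-flop", FLIP_FLOP_IP),
                     ("long-lived clean", LONG_LIVED_CLEAN_IP),
                     ("never seen", NEVER_SEEN_IP)]:
        print(f"{name:17s} {evaluate(ip)}")
```

Two design points worth noting: the asymmetry in half-lives is what makes the summer C2 activity still dominate in December, and an IP with no history lands in the "alert" band rather than "allow", which is how never-before-seen infrastructure gets surfaced instead of silently trusted.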

Necessary, not sufficient

Many security companies treated the Orion software update released by SolarWinds as one coming from a trusted partner. That factor contributed to the widespread success of the suspected espionage operation. It also allowed the threat actors’ reconnaissance operations to go undetected for months.

But Webroot BrightCloud® Threat Intelligence associated the IP address with a botnet in the summer of last year. A properly configured security tool using Webroot BrightCloud Threat Intelligence data would have blocked communication with the command and control server.

When used as part of a wider defense in depth strategy, essential threat intelligence components and proper policy configurations that apply that intelligence can help to make vendors and their partners more resilient against complex attacks.

Four Roadblocks to Increasing Employee Security Through User Training

We’ve been doing our homework, and two things seem to be true about cybersecurity awareness training simultaneously:

  1. It can be very effective at protecting businesses from one of the most common security threats they face (the majority, according to the Ponemon Institute). Namely, phishing.
  2. MSPs, often the single most reliable source of cybersecurity for small business, want to offer training as a part of their services but unwillingness on the part of their clients prevents them from doing so.

If you know, as we do, that one in three American workers admits to clicking on a phishing link in the past year, what’s the reason for such reluctance? Here are four we commonly encounter and how to overcome them.

The “higher-ups” don’t see the value of training

For (the lucky) companies who’ve yet to be hit by a significant cyberattack, security awareness training may not hold obvious value. After all, very few organizations have zero cybersecurity measures in place. “What’s my endpoint security for, anyway?” “Threats are stopped by my firewall.” So the thinking goes…

Even if they see the need for user training from a cybersecurity standpoint, some small businesses aren’t sure it’s worth the effort. IT budgets are often strained as it is, and couldn’t those dollars be better spent on the latest high-tech trend in the cyber defense industry?

Well, the numbers don’t lie, as they say. And in survey after survey, anecdote after anecdote, the numbers tell the same story: training works. In our latest survey of more than 4,000 managed service providers, for instance, 59 percent reported more suspicious emails being reported to IT. Thirty-seven percent reported fewer security incidents in general. Our own internal data tells us that our customers who use security training see up to 90 percent less malware than those that use an antivirus alone.

Leadership expects a “set it and forget it” or “one size fits all” experience

Executives will also often back off security awareness training when they realize it’s not a one-time test or a certificate they hang on a wall in their office. It’s true that the most effective cybersecurity training programs are tailored to a specific business and delivered on an ongoing basis.

Ensuring that training is tailored to a business’s operations is one of the best ways to overcome our next objection—that training doesn’t accurately represent the threats facing employees. That means providing industry-relevant compliance training and providing riskier users more training than tech savvy ones. This doesn’t happen by itself.

Persistence is also key when it comes to user security training. Our data indicates that the average click-through rate for a phishing simulation campaign is 11 percent. That drops to eight percent in the second campaign, but by the eleventh it’s down to five percent. Commit to 20 campaigns and you can reduce that rate to two percent.

Training doesn’t mirror real-world threats

Cybersecurity “tests,” especially of tactics like phishing, are of dubious effectiveness. When an employee knows a test is being administered, his or her guard goes up in unnatural ways. Results are skewed by the subject merely knowing a test is underway. Additionally, as any former student knows, studying up on cybersecurity principles is no guarantee of long-term retention.

For training to be effective it needs to be topical and believable. A healthcare provider needs to be familiar with HIPAA compliance requirements, for instance, and be able to identify an email spoofing a large insurance provider.

Real-world training should also mirror real-world events. The COVID-19 pandemic prompted a rise in scams related to the virus, so users should be cautious of any communications that look like they could have been ripped from the day’s headlines. Training that can’t be tailored to this degree won’t be as effective.

Employees aren’t onboard

Several factors can negatively affect employees’ willingness to adopt training. Some may believe they know all there is to know about cybersecurity. Some may believe it’s hopelessly over their head. For some, it’s simply not in their job description and that’s enough to stop them from pursuing training.

Whatever the reason for reluctance, buy-in starts at the top. Executives and other leaders should make it clear to employees that they subject themselves to the same training as their employees. (And if the C level doesn’t believe it’s an attractive target, encourage them to read up on spear phishing or “whaling.”)

Some training is also just poorly designed. Courses don’t have to be drawn-out, black-and-white, bubble-filling multiple-choice tests. Sometimes simple awareness-raising of current security threats is enough. There’s evidence to suggest that micro learning modules are more effective. Courses can be aesthetically pleasing and feature good UX. It’s key to getting employees to engage, in fact.

The right approach requires the right platform

Whatever the reason a client or employee has for being reluctant to adopt security awareness training, there’s a good chance it can be overcome with the right tool. Visit the Webroot® Security Awareness Training page to learn more and to see why the research firm Info-Tech had this to say about Webroot:

“Our SoftwareReviews data shows that Webroot and their customers have a very positive relationship, with 91% of sentiments being positive.”

How to Stop Shadow IT, Manage Access and Ensure Security with Cloud Applications

Today, the average enterprise uses over 2000 cloud applications and services, and we expect this number will continue to grow as more businesses realize the efficiency, flexibility and collaboration benefits these services bring. But the use of cloud-based applications also comes with a few caveats: the apps themselves may contain security vulnerabilities, and it’s hard to prevent employees from using unsanctioned applications outside of the approved list (aka “shadow IT”), meaning critical business data could be floating out there in the ether without proper encryption or access controls.

When implementing these types of solutions, security should be a central concern in the vetting process. Unfortunately, it isn’t.

The State of Security with Cloud Applications

A full 92% of enterprises admit they have a gap between current and planned cloud usage and the maturity of their cloud security program. Meanwhile, 63% of web-borne malware and 15% of phishing attacks are delivered over cloud applications. And although 84% of organizations report using SaaS services at their company, more than 93% of those said they still deal with unsanctioned cloud app usage.

Even though cloud transformation is a strategic focus for many businesses, CISOs and IT teams are often left out of the discussion. That may be because the adoption of cloud services is generally billed as quick and easy with a rapid time to value, while IT security vetting processes don’t typically boast the same reputation. That often means that, for reasons of speed and perception, security may be treated as an afterthought — which is a potentially devastating oversight.

As adoption continues to grow, it’s critical for enterprises and small and medium-sized businesses (SMBs) alike to balance their cloud application use with security and access control; otherwise, the benefits they see may quickly turn into regulatory compliance nightmares, data loss disasters and security breaches.

Bringing Security and Visibility to Your Cloud Transformation

To improve visibility into the cloud applications being used, and to create usage policies and address security risks, many businesses are turning to Cloud Access Security Brokers (CASBs). CASB services are typically placed between the businesses who consume cloud services and providers who offer them, effectively protecting the gateway between a company’s on-premises IT infrastructure and the cloud service provider’s infrastructure. As such, CASBs can provide a central location for policy and governance simultaneously across multiple cloud services — for users and devices — and granular visibility into and control over user activities and sensitive data. They typically help enforce data-centric security policies based on data classification, data discovery and user activity surrounding data.

Faced with a continually growing and changing number of cloud applications and services, it’s critical to have accurate, up-to-date cloud-specific intelligence, not only for CASBs but also other security tool providers who provide support and policy control capabilities around cloud applications.

To better enable CASBs and security device vendors to identify and categorize cloud applications Webroot recently released its newest service: Webroot BrightCloud® Cloud Service Intelligence. This service is designed to offer full visibility, ensure security, enforce compliance, and identify shadow IT through three components: Cloud Application Classification, Cloud Application Function, and Cloud Application Reputation.

By embedding these components into a CASB solution or other security device, partners can identify a given cloud application, classify it by purpose, and control access to it based on the application’s group, name, and the action being performed. Additionally, customers can assess risk and compliance for all cloud applications with a reputation score. Cloud Service Intelligence can also be layered with other BrightCloud® services, such as Web Classification and Web Reputation, for a complete filtering solution that won’t impact product or network bandwidth.
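
The following is an added illustration, not Webroot code and not the BrightCloud Cloud Service Intelligence API. The intelligence lookup table, sanctioned-app list, policy rules and proxy log lines are all constructed here. It shows the control model described above: an application is identified from the host, classified by name, functional group and reputation score, and then the action being performed (login, download, upload) is matched against an ordered policy to produce an allow, alert or block decision, with unsanctioned apps rolled up into a shadow IT report.

```python
"""
CASB-style policy evaluation over cloud-app intelligence (constructed data).
"""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass(frozen=True)
class AppIntel:
    name: str
    function: str    # functional group, e.g. "file-sharing", "collaboration"
    reputation: int  # 0..100, higher = more trustworthy (hypothetical scale)


# Constructed stand-in for a cloud-service intelligence feed (host -> app).
APP_INTEL = {
    "drive.example-corp.com":   AppIntel("CorpDrive", "file-sharing", 92),
    "files.quickshare.example": AppIntel("QuickShare", "file-sharing", 35),
    "chat.teamtalk.example":    AppIntel("TeamTalk", "collaboration", 80),
    "notes.scribble.example":   AppIntel("ScribbleNotes", "collaboration", 48),
}
SANCTIONED = {"CorpDrive", "TeamTalk"}   # the organisation's approved list


@dataclass(frozen=True)
class Rule:
    decision: str                      # "allow" | "alert" | "block"
    why: str
    sanctioned: Optional[bool] = None  # None = don't care
    function: Optional[str] = None
    action: Optional[str] = None
    rep_below: Optional[int] = None    # matches only if reputation < rep_below

    def matches(self, intel: AppIntel, is_sanctioned: bool, action: str) -> bool:
        return ((self.sanctioned is None or self.sanctioned == is_sanctioned)
                and (self.function is None or self.function == intel.function)
                and (self.action is None or self.action == action)
                and (self.rep_below is None or intel.reputation < self.rep_below))


# Evaluated top to bottom; first match wins.
RULES = [
    Rule("block", "upload to unsanctioned file-sharing app",
         sanctioned=False, function="file-sharing", action="upload"),
    Rule("block", "upload to low-reputation app", action="upload", rep_below=60),
    Rule("alert", "shadow IT: unsanctioned app in use", sanctioned=False),
    Rule("allow", "sanctioned app", sanctioned=True),
]

# Constructed proxy log format: <user> <host> <action> <bytes>
LOG_RE = re.compile(
    r"^(?P<user>\S+) (?P<host>\S+) (?P<action>login|download|upload) (?P<bytes>\d+)$")


def decide(host: str, action: str) -> dict:
    intel = APP_INTEL.get(host)
    if intel is None:  # unknown service: never silently allow, surface it
        return {"app": None, "decision": "alert", "why": "unclassified cloud host"}
    is_sanctioned = intel.name in SANCTIONED
    for rule in RULES:
        if rule.matches(intel, is_sanctioned, action):
            return {"app": intel.name, "decision": rule.decision, "why": rule.why}
    return {"app": intel.name, "decision": "alert", "why": "no matching rule"}


def audit(log_lines):
    """Apply the policy to each parsed log line; malformed lines are skipped."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = decide(m["host"], m["action"])
        results.append({"user": m["user"], "host": m["host"],
                        "action": m["action"], **verdict})
    return results


def shadow_it_report(results):
    """Classified-but-unsanctioned apps and who used them."""
    report = {}
    for r in results:
        if r["app"] and r["app"] not in SANCTIONED:
            report.setdefault(r["app"], set()).add(r["user"])
    return {app: sorted(users) for app, users in sorted(report.items())}


SAMPLE_LOG = [  # constructed, not real traffic
    "alice drive.example-corp.com upload 5242880",
    "bob files.quickshare.example upload 10485760",
    "bob files.quickshare.example download 2048",
    "carol chat.teamtalk.example login 0",
    "dave notes.scribble.example upload 4096",
    "erin unknown-saas.example login 0",
    "this line is malformed",
]

if __name__ == "__main__":
    res = audit(SAMPLE_LOG)
    for r in res:
        print(f"{r['user']:6s} {r['action']:8s} {str(r['app']):14s} -> "
              f"{r['decision']:5s} ({r['why']})")
    print("shadow IT:", shadow_it_report(res))
```

Rule order matters: the generic "unsanctioned app" alert sits below the two block rules, so an upload to a low-reputation or unsanctioned file-sharing service is stopped rather than merely logged, while a read-only download from the same service only raises a shadow IT alert for follow-up.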

Next Steps

The use of cloud applications is only going to continue to grow. Actionable threat intelligence can provide critical data around which cloud applications are being used within an organization, how they are being used, and what their security reputations may be. Armed with this kind of visibility and security information, enterprises, businesses, and the CASB and security providers who serve them can reduce risk and minimize shadow IT for a stronger overall cyber resilience posture. Learn more about this new service and its applications in our datasheet.

How to Build Successful Security Awareness Training Programs in 2021 and Beyond

Security awareness training is one of the most straightforward ways to improve a business’ overall resilience against cyberattacks. That is, when you get it just right.

Thanks to the disruptions to “normal” work routines that COVID-19 has brought, launching a company-wide training program to teach end users how to avoid phishing scams and online risks is a big challenge. Unfortunately, COVID-19 has also brought a major acceleration in phishing activity. With so many office employees working outside the safety of corporate network protections, you can see why the need for training has never been more critical.

But there’s another issue: training is outside the skillset for most IT admins, and the level of effort to set up and run a program of training courses, compliance accreditations and phishing simulations can be daunting.

To help you get started, here are our top 5 recommendations for starting your security awareness program so you can maximize the impact of your efforts.

  1. Get buy-in from stakeholders.

    While you probably already have some combination of security tools in place, such as endpoint protection, DNS or web filtering, etc., the 2020 Verizon Data Breach Investigations Report states that phishing and social engineering are still the primary tactics used in successful cybersecurity breaches.

    Make sure your stakeholders understand these threats. Send an email introducing the program to management and clearly explain the importance of educating users and measuring and mitigating your risk of exposure to phishing and other social engineering attacks.
  2. Start with a baseline phishing campaign.

    When you run your first phishing campaign, you establish your starting point for measuring and demonstrating improvement over time. (You can also use this real-world data to accurately show the need for improvement to any still-skeptical stakeholders.) Ideally this initial campaign should be sent to all users without any type of forewarning or formal announcement, including members of leadership teams. Make sure to use an option that simply shows a broken link to users who click through, instead of alerting them to the campaign, so you can prevent word-of-mouth between employees from skewing the results.
  3. Set up essential security and compliance training.

    Create training campaigns to cover essential cybersecurity topics including phishing, social engineering, passwords and more. Establish which compliance courses are appropriate (or required) for your organization and which employees need to complete them.
  4. Establish a monthly phishing simulation and training cadence.

    Repetition and relevance are key for a successful security awareness training program. By setting up a regular simulation and training schedule, you can more easily measure progress and keep an eye on any high-risk users who might need extra attention. Using our shorter 4-5-minute modules in between more substantial training is an effective tactic to keep security top of mind while avoiding user fatigue. And if you can’t run phishing simulations monthly, strive for a quarterly cadence. If you get pushback on sending emails to everyone, then we recommend you prioritize testing users who failed the previous round.
  5. Communicate results.

    A great way to raise awareness and increase the impact of your phishing campaigns is to share the results across the organization. Keep in mind, the goal is to capitalize on collective engagement and share aggregate results, not to call out individuals. (Your “offenders” will recognize themselves anyway.)

    The critical piece is seeing the statistics on where the organization stands as a whole. After the baseline phishing simulation, send out an email to all employees with the results and the reasoning for the campaign. Communicating these numbers will not only help show improvement over time, it’ll also demonstrate the value of the program overall and reinforce to employees that cyber resilience isn’t just IT’s job – it’s a responsibility we all share.

Although there are numerous other tips and tricks that can help ensure the success of your security awareness training program, these are our top five basic pieces of advice to get you on your way. When you follow these steps, it won’t take long to see the very real returns on your training investment.

For more detailed tips on how you can put Webroot® Security Awareness Training to work to improve your business’ cyber resilience posture, view our white paper.

Remote Work is Here to Stay, and Other Cybersecurity Predictions for 2021

The cybersecurity industry and end-of-year predictions go together like Fall and football or champagne and the New Year. But on the heels of an unprecedented year, where a viral outbreak changed the landscape of the global workforce practically overnight, portending what’s in store for the year ahead is even trickier than usual.  

One thing the cybersecurity experts at Webroot agree on is that work from home is here to stay for 2021, or at least it won’t recede to pre-pandemic levels in even the medium-term. What is likely to change is how companies respond to their remote workforces. The security measures they take (or don’t), the educational opportunities they provide (or fail to) and their commitment to innovation (or lack thereof) will likely separate the winners from the losers in the year ahead.

Yes, cybersecurity for remote workforces will likely be a prevailing concern throughout 2021, even following positive news on the vaccine development front, according to Webroot experts. Another prevailing theme from the professionals here, when asked to make their annual predictions for the new year, is that a cybersecurity skills gap will continue to haunt businesses and pose opportunities for those looking to start their careers in the field or make the switch to it. As such, automation and the adoption of AI technologies will be critical to plugging the gap.

Read on for more details from leading engineers, security analysts and product specialists from around our organization for complete cybersecurity predictions for 2021. Take heart because, whatever happens, 2020 won’t be easily outdone (knock on wood).

On remote workforces and the problem of personal devices

David Dufour, VP of engineering, Carbonite + Webroot

In 2021, many businesses will continue to operate remotely as a result of the pandemic and there must be an emphasis on training employees on security best practices, how to identify modern threats such as phishing, and where company data is being accessed and stored. Phishing is going to remain one of the most prominent ways to attack users and will become more sophisticated as it’s tailored to take advantage of work-from-home setups and distractions.  

Grayson Milbourne, security intelligence director, Carbonite + Webroot

The biggest change for 2021 will be securing remote workforces and remote perimeters, which include home networks and home devices, particularly personal devices. These all add their own challenges. Home networks and their configurations are diverse. Many use out-of-date routers with insecure settings. Personal devices are often used for work and, as we saw in our 2020 Threat Report, are twice as likely as business devices to encounter infections. If not addressed, this could have a serious impact on businesses in the coming year.

Hal Lonas, CTO and SVP of SMB engineering, Carbonite + Webroot

We shouldn’t overlook the incredible societal and behavioral changes underway right now. These put all of us in new situations we’ve never encountered before. These new contexts create new opportunities for social engineering attacks like phishing and scare tactics to get us to open emails and click on fraudulent links.

Tyler Moffitt, Sr. security analyst, Carbonite + Webroot

It really doesn’t matter the company or the length of the work-from-home stint, one thing that’s constant is that professionals at home are using their personal devices and personal network. Securing the remote perimeter is going to be the biggest challenge for cybersecurity professionals now through 2021 because laptops issued to the professional workforce are much more secure than personal devices.

Personal devices are twice as likely to be infected than business devices. Even more worrying, we saw with our new COVID-19 report that one-third of Americans will use personal devices when working from home. Businesses will need to account for that.

Jamie Zajac, VP of product management, Carbonite + Webroot

I predict that in 2021 vulnerable industries like hospitality, travel and retail will start to use even more remote access platforms like Square and others. This transfers a lot of control to a third-party, so it’s essential companies make sure their data is protected on their end, that their vendors are trustworthy and that their reputation is safe from the damage an internal breach could cause.

On the cybersecurity skills shortage

Briana Butler, engineering services manager, Carbonite + Webroot

Moving forward, cybersecurity professionals will need greater data analysis skills to be able to look at large sets of data and synthesize the information so organizations can derive actionable value from it. In 2021, organizations need to start implementing programs to upskill their current cybersecurity workforce to focus on the skills they’ll need for the future such as analyzing complex data, developing algorithms, and understanding machine learning techniques.

David Dufour, VP of engineering, Carbonite + Webroot

The cyber skills gap will continue to be an issue in 2021 because companies continue to believe they understand cybersecurity and, as a result, tend to spend less on external cybersecurity resources. This leads to a feeling of false security and, unfortunately, inadequate security.

Cybersecurity requires a financial investment to truly meet an organization’s needs and to enact processes for securing systems. It’s much more effective to invest in a few, solid security processes and to address gaps at the outset than it is to implement an inexpensive, broad security solution that falls short in key areas.

Hal Lonas, CTO and SVP of SMB engineering, Carbonite + Webroot

The pandemic has also changed the game for managed service providers (MSPs). They’re used to running a thin-margin business, but this has become even more difficult as their small business customers struggle. MSPs are fortunately heavily automated, but now they are under increasing pressure to deliver more with less. MSPs more than ever need automated solutions that make it easy for them to manage, secure and restore customers when incidents do occur. Some of that automation will come from AI, but auto-remediation, backup and restore capabilities are also important.

Looking ahead to 2021

Whatever 2021 is, at least 2020 will be over, right? But in all seriousness, the virus does not respect our calendar transitions and its implications will certainly bleed over into the New Year. Much has been made of a supposed “new normal,” but to truly arrive there, companies must account for the new realities of pervasive remote work and an exacerbated cybersecurity skills shortage.

If there’s one takeaway from our experts’ predictions for 2021, it’s that.

Staying a Step Ahead of the Hack

Hackers, never at a loss for creative deception, have engineered new tactics for exploiting the weakest links in the cybersecurity chain: ourselves! Social engineering and business email compromise (BEC) are two related cyberattack vectors that rely on human error to bypass the technology defenses businesses deploy to deter malware.

Social Engineering

Social Engineering is when hackers impersonate trusted associates or acquaintances to manipulate people into giving up their passwords, banking information, date of birth or anything else that could be used for identity theft. As it turns out, it’s easier to hack our trust than our computers. Social engineering covers a range of tactics:

  • Email from a friend or family member – A hacker gets access to the email password of someone you know. From there, they can send you a malicious link in an email that you’re more likely to click on because it came from someone you trust.
  • Compelling story (pretexting) – This includes urgently asking for help. This can read like, “Your friend is in danger and they need your help immediately – please send me money right away so they can get treatment!”
  • Standard phishing tactics – Spoofed websites and emails that appear to come from an official source ask you to reset your password or confirm personal data. Once you click the link and enter the information, your credentials are in the attacker’s hands.
  • “You’re a winner” notifications – Whether a lottery prize or a free trip to Cancun, this tactic catches many off guard. It’s known as “greed phishing” and it takes advantage of our fondness for pleasure or weakness for the word “free.”

Business Email Compromise

Business email compromise is a targeted attack against corporate personnel, usually someone with the authority to request or fulfill a financial transaction. Victims execute seemingly routine wire transfers to criminals impersonating legitimate business associates or vendors.

This form of fraud relies on a contrived pretext to request a payment or purchase be made on the attacker’s behalf. According to the FBI, BEC attacks resulted in more than $26 billion in losses (you read that right) between June 2016 and July 2019. Here are a few tips for protecting users and businesses from BEC attacks:

Slow down – BEC attacks combine context and familiarity (an email from your boss) with a sense of urgency (I need this done now!). The combination is designed to short-circuit the victim’s critical thinking.

Don’t trust, verify – Never use the same channel, in this case email, to verify the identity of the requester. Pick up the phone and call a number you already have on file (not one supplied in the email), or use video chat.

Prepare for the inevitable – Use all the technology at your disposal to ensure a BEC attack doesn’t succeed. Machine learning-enabled endpoint security solutions can help identify malicious sites.

Address the weakest link – Train users to spot BEC attacks. Webroot testing shows that phishing simulations can improve users’ abilities to spot attacks.
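
The following is an added example, not Webroot code: the company domain, the executive directory and the three sample messages are constructed. It turns the "don’t trust, verify" and "address the weakest link" advice into concrete checks that a mail gateway, or a finance user reading headers, can apply to a suspicious request: an executive’s display name on an outside address, a Reply-To that diverts replies elsewhere, a sender domain that embeds or sits one character away from the real one, and an urgent payment request in the body. Any hit means the request gets verified out of band before money moves.

```python
"""
Header and body checks for BEC-style impersonation (constructed data).
"""
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example-corp.com"
# Constructed directory: display name (lowercased) -> the only legitimate address.
EXECUTIVES = {"dana rivera": "dana.rivera@example-corp.com"}

URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?|account details)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a: str, b: str) -> bool:
    """True if b can be made from a by one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1           # deletion from a
        elif len(b) > len(a):
            j += 1           # insertion into a
        else:
            i += 1           # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def lookalike(domain: str, trusted: str = COMPANY_DOMAIN) -> bool:
    """Flag domains that embed the trusted name or sit one edit away from it.
    Covers only these two tricks; homoglyphs and transpositions need more."""
    domain = domain.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return False
    base = trusted.split(".")[0]
    if base in domain:                     # example-corp.co, example-corp-payments.com
        return True
    return _within_one_edit(base, domain.split(".")[0])   # examp1e-corp.com


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    from_dom = _domain(from_addr)
    findings = []

    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but address is {from_addr}")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To diverts to {_domain(reply_to)}")
    if lookalike(from_dom):
        findings.append(f"sender domain {from_dom} resembles {COMPANY_DOMAIN}")
    if URGENCY.search(body) and PAYMENT.search(body):
        findings.append("urgent payment request in body")

    return {"from": from_addr, "findings": findings,
            "verdict": "verify out of band" if findings else "no BEC tells found"}


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Dana Rivera <dana.rivera@examp1e-corp.com>
Reply-To: dana.rivera.ceo@webmail.example
To: pat.finance@example-corp.com
Subject: Quick favour

Pat, I'm in meetings all day. I need an urgent wire transfer to a new
vendor today. Send me the account details form and I'll fill it in.
"""

VENDOR_SAMPLE = """\
From: billing@example-corp-payments.com
To: pat.finance@example-corp.com
Subject: Invoice 4471

Please update the payment account details for invoice 4471 immediately.
"""

LEGIT_SAMPLE = """\
From: Dana Rivera <dana.rivera@example-corp.com>
To: pat.finance@example-corp.com
Subject: Q4 numbers

Pat, can you send me the Q4 revenue summary when you have a moment?
"""

if __name__ == "__main__":
    for name, raw in [("bec", BEC_SAMPLE), ("vendor", VENDOR_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        result = analyze(raw)
        print(f"{name:7s} {result['verdict']}")
        for finding in result["findings"]:
            print("   -", finding)
```

None of these checks proves fraud on its own; a legitimate executive travelling on a personal mailbox will trip the first one. That is the point of the verdict wording: the checks decide when to pick up the phone, not whether to pay.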

Perfecting Your Posture

Webroot Security Intelligence Director Grayson Milbourne offers several steps companies can take to improve their security posture. First, he says, “Whenever money is going to be sent somewhere, you should have a two-factor verification process to ensure you’re sending the money to the right person and the right accounts.”

Milbourne is also a big advocate of security awareness training. “You can really understand the security topology of your business with respect to your users’ risk factors,” he says. “So, the engineering team might score one way and the IT department might score another way. This gives you better visibility into which groups within your company are more susceptible to clicking on links in emails that they shouldn’t be clicking.”

With the increase in scams related to the global COVID-19 pandemic, timely and relevant user education is especially critical. “COVID obviously has been a hot topic so far this year, and in the last quarter we added close to 20 new templates from different COVID-related scams we see out in the wild,” Milbourne says.

“When we look at first-time deployment of security awareness training, north of 40% of people are clicking on links,” Milbourne says. “Then, after going through security awareness training a couple of times, we see that number dip below 10%.”

Where to learn more

Our newest research on phishing attacks and user (over)confidence, “COVID-19 Clicks: How Phishing Capitalized on a Global Crisis,” is out now. Check it out!

Why Workers Aren’t Confident in their Companies’ Security (and What to Do About it)

According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing, while nearly one in five (18%) flat-out think it isn’t.

In the anonymous, write-in responses to the survey, many workers agreed that their employers could be doing more to support them and ensure their security. When asked to elaborate on why they didn’t believe their company was resilient against attacks, the most-repeated answers were along the following lines:

  • My company has been hacked before.
  • My company doesn’t prioritize security/security spend.
  • My company’s equipment and software are poorly maintained.
  • My company outsources its security, so we have no direct control.
  • I still get phishing emails. Our filtering must not be good enough.

These types of responses highlight two things: a general lack of faith in the company’s security, and the perception that companies aren’t investing enough in either their security systems or their employees. Considered alongside another question from the survey, a third factor emerges: confusion about who should be responsible for a company’s cyber resilience in the first place.

Overall, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share. If workers also feel their companies don’t invest enough in them or the tools that protect them, it makes sense that they might not feel like cyber resilience is something they should worry about. If a person feels their employer doesn’t value them appropriately or empower them with the right tools to do their jobs, then the notion of having to expend one’s own time and energy on the company’s security could rankle. So how do you overcome the challenge of personal investment?

How to empower your people and your security

Investment

Dr. Prashanth Rajivan, cybersecurity and human behavior expert, says businesses that want to foster a feeling of personal investment must first tackle the notion of shared responsibility. He explains that, when people perceive themselves to have a greater responsibility to others, their average level of willingness to engage in risky behavior decreases.

“If you’re asking individuals to make changes to their own behavior for the greater safety of all, then you need to make it clear that you are willing to invest in them. By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture.” – Prashanth Rajivan, Ph.D.

One way to empower your workforce to become a strong first line of defense, while also demonstrating investment in them, is to implement a security awareness training program with phishing simulations, and to give employees enough time to complete the learning exercises carefully and thoughtfully and to absorb any feedback they receive.

Consistency

According to Phil Karcher, principal product manager in charge of Webroot® Security Awareness Training, running regular, up-to-date training on an ongoing basis is one of the best ways to help end users avoid attacks and become a strong first line of defense for the company as a whole.

“Data from Webroot® Security Awareness Training shows that, if you want people to make lasting changes to their behavior, you have to run consistent, relevant training courses and phishing simulations that are also varied enough that people won’t get bored or find them predictable. Running a second simulation makes a dramatic impact — and it only gets better from there.”

– Philipp Karcher, principal product manager, Carbonite + Webroot, OpenText Companies

Number of Phishing Simulations    Click-through Rate
1                                 11%
2-3                               8%
4-10                              6%
11-14                             5%
15-17                             4%

Feedback

Dr. Rajivan also reminds us that human behavior is shaped by experience and reinforcement. He and Phil agree that consistency is key for empowering your workforce to become more resilient. But Dr. Rajivan also stresses the importance of feedback over consequences.

“Without appropriate feedback, no amount of training will be effective. And because the average person handles uncertainty poorly, training must include a variety of different scenarios. Human behavior is shaped through varied experiences, with a mix of positive and negative outcomes and applicable feedback.

This feedback and incentive structure needs to be carefully calibrated. Too much could lead to heightened anxiety and false alarms, but too little could lead to underweighted risk, i.e. people knowing the correct actions, but not taking them.”

– Prashanth Rajivan, Ph.D.

Next steps

As phishing attacks continue to be a primary way that businesses get breached, the need for consistent end user education is clear. And by implementing a regular training regimen, you can demonstrate care and investment in your people, educate employees on scams, risks and what to do if the unthinkable happens, and successfully build cyber resilience into your overall company culture.

To take the first step towards cyber resilience and trial an engaging Security Awareness Training program, take a free trial.