EXCLUSIVE GUEST OPINION: Eye On Security - Never Underestimate The Human Factor
James Moore
MWR InfoSecurity
13 October 2014
As readers are no doubt aware, there is now rising awareness of how cybercriminals pose a serious threat to industries such as private banking and wealth management. We have seen the recent example of JP Morgan, which has revealed that hackers could have their hands on data on 76 million individuals and 7 million small firms. Cybercrime costs the global economy $445 billion every year, according to a study by the Center for Strategic and International Studies, a US organisation, and Coutts, the private bank, estimates security could end up representing about 30 per cent of private banks' technology budgets. One particular form of scam is known as “phishing”: an email is sent to someone that falsely claims to come from a legitimate enterprise, in an attempt to trick the recipient into surrendering private information that can then be used for identity theft. In this article, James Moore, senior consultant for Phish’d at MWR InfoSecurity, examines the issues. We hope readers find this interesting and invite responses.

With so much information regarding an organisation's employees available online, the most common way to exploit them is a phishing email that targets the user and entices them to click on a link or attachment. These can be anything from promises of deals or offers to emails that purport to be invoices or banking statements. Phishing assessments against employees have shown that as many as 60 per cent to 90 per cent of employees are susceptible to these attacks, effectively allowing an attacker to jump right over the traditional security controls so many organisations are still heavily investing in and relying on.

When it comes to cyber security, there tends to be a greater emphasis on the latest technology, which is constantly evolving and requires updating. Amongst all the technology innovation, important areas that too often receive very little consideration are the people and processes that are imperative to every organisation.
One thing is pretty certain when it comes to information security: the easiest targets for cyber attackers seeking a way into an organisation are its employees. Almost daily, breaches are carried out by well-funded and well-resourced attackers, and this is raising the profile of cyber security to such an extent that headlines about these compromises have become mainstream. Again and again, reports are released showing the skill and persistence of attackers in the form of advanced attacks such as spear phishing, watering holes booby-trapped with custom malware, and zero-day exploits. All of these attacks have one thing in common: they target individuals, and that means employees.
Yet, for the most part, we still see that the majority of organisations rely largely on traditional security controls in the form of technology such as anti-virus, firewalls, SIEM and so on to protect their critical assets. The increasing importance of employee security awareness, however, is often overlooked. Instead, only basic awareness training is given, and the available resources are focused on deploying and testing traditional security controls.
It is disturbing that people and processes are frequently disregarded when it comes to improving security posture, when so much hacker effort goes into targeting employees. The reason for this is partly that the security risk individuals pose to an organisation is difficult to measure and track. This is a crucial issue with cyber security and has been for many years. Those organisations that take a traditional risk-based approach to security will struggle to get buy-in from senior management to address a risk that they haven't been able to quantify, or in many cases even prove exists.
The problem is that attackers are turning away from penetrating hardened external infrastructure and technology towards the much weaker area of employees. This is for the simple reason that an organisation that already recognises the need for technology and security solutions will bolster its perimeter security to the point where an attacker's easiest way in is to target its employees.
At this stage, not improving the security of personnel and processes will almost entirely undermine the investment in most technology-based solutions as an attacker can just step over these controls.
To combat this, practical employee security awareness training needs to take place frequently in addition to the traditional awareness training most organisations already use. Managed phishing assessments, for example, act as a “cyber fire-drill” for employees, regularly exposing them to various realistic attacks, but in a controlled environment. It isn't unusual in these types of exercises for organisations to have 80 per cent susceptibility during the first assessment, but see a reduction to less than 10 per cent after the second or third assessment. Most organisations don't see anywhere near that reduction in susceptibility from the traditional training they currently use.
Another very important aspect that is often overlooked is the processes in place (or the lack of them) once an employee clicks on a link that might be bad or opens a malicious attachment. One of the interesting parts of these engagements is monitoring what users do when they actually detect an attack, because often the correct process to follow isn't known. When employees fail to report attacks to the correct business department, the result is a greater exposure than the organisation would otherwise have had. As part of the training process, employees should be made aware of who in the IT or security team to notify when they think they may have inadvertently clicked a link or opened an attachment they shouldn't have.
Exposing employees to controlled attacks regularly not only teaches them how to spot them, but also hammers home the security process to follow - dramatically reducing the organisation's exposure to attack.
Five security pointers to help keep your organisation safe from cyber attackers:
-- Do not rely solely on security technology;
-- Teach employees to think before they click; not all security technology will stop these malicious emails getting through, therefore they must be vigilant;
-- Show employees how to identify bogus emails and not click an un-trusted attachment or link;
-- Carry out regular phishing assessments;
-- Train staff in the proper process for reporting phishing emails and who to notify if they clicked, whether deliberately or by mistake; ideally this should happen within 15 minutes.
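The value of the managed phishing assessments described above comes from measuring the two things the article singles out: how many employees are susceptible in each "cyber fire-drill", and whether those who click then report it to the right team quickly (the 15-minute target in the fifth pointer). The following is an added example, not code from the article or from MWR InfoSecurity or Phish'd, of how a defender could compute those metrics from assessment records; the record layout, campaign names, employee names and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional, List, Dict

# One record per employee per simulated campaign (constructed layout, assumed here):
# when the simulated mail was delivered, when the employee clicked the link or
# opened the attachment (None if never), and when they reported it (None if never).
@dataclass
class Result:
    campaign: str
    employee: str
    delivered: datetime
    clicked: Optional[datetime]
    reported: Optional[datetime]

# Reporting target taken from the article's fifth pointer.
REPORT_TARGET = timedelta(minutes=15)


def summarise(results: List[Result], campaign: str) -> Dict:
    """Susceptibility and reporting metrics for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    n = len(rows)
    clicked = [r for r in rows if r.clicked is not None]
    reported = [r for r in rows if r.reported is not None]
    # Employees who clicked and then reported: the process the drill is meant to teach.
    clicked_and_reported = [r for r in clicked if r.reported is not None]
    latencies = [r.reported - r.clicked for r in clicked_and_reported]
    within_target = sum(1 for d in latencies if d <= REPORT_TARGET)
    return {
        "campaign": campaign,
        "recipients": n,
        "susceptibility_pct": round(100 * len(clicked) / n, 1),
        "report_rate_pct": round(100 * len(reported) / n, 1),
        "clicked_not_reported": len(clicked) - len(clicked_and_reported),
        "median_report_minutes": (
            median(d.total_seconds() for d in latencies) / 60 if latencies else None
        ),
        "reported_within_target": within_target,
    }


def needs_followup(results: List[Result], campaign: str) -> List[str]:
    """Employees who clicked but never reported: the exposure the article warns about."""
    return sorted(
        r.employee for r in results
        if r.campaign == campaign and r.clicked is not None and r.reported is None
    )


def trend(results: List[Result]) -> List[Dict]:
    """Per-campaign summaries; assumes campaign names sort in chronological order."""
    return [summarise(results, c) for c in sorted({r.campaign for r in results})]


# Constructed sample data: a first drill with high susceptibility and a later one
# where most staff recognise and report the mail without clicking.
T0 = datetime(2014, 10, 1, 9, 0)
T1 = T0 + timedelta(days=30)
m = lambda base, minutes: base + timedelta(minutes=minutes)
SAMPLE = [
    Result("C1", "alice", T0, m(T0, 2), m(T0, 10)),   # clicked, reported in 8 min
    Result("C1", "bob", T0, m(T0, 5), None),           # clicked, never reported
    Result("C1", "carol", T0, m(T0, 30), m(T0, 60)),   # clicked, reported after 30 min
    Result("C1", "dave", T0, m(T0, 1), None),          # clicked, never reported
    Result("C1", "erin", T0, None, m(T0, 3)),          # spotted it without clicking
    Result("C2", "alice", T1, None, m(T1, 4)),
    Result("C2", "bob", T1, None, m(T1, 7)),
    Result("C2", "carol", T1, m(T1, 3), m(T1, 8)),     # clicked, reported in 5 min
    Result("C2", "dave", T1, None, None),              # ignored the mail entirely
    Result("C2", "erin", T1, None, m(T1, 2)),
]

if __name__ == "__main__":
    for s in trend(SAMPLE):
        print(s)
        print("  follow up with:", needs_followup(SAMPLE, s["campaign"]))
```

On the constructed data the first campaign shows 80 per cent susceptibility with two employees who clicked and told nobody, and the second drops to 20 per cent with everyone who clicked reporting within the target; tracking these figures across drills is what turns the "human factor" into a risk that can be quantified and put in front of senior management.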
Disregarding these crucial elements can prove dangerous in terms of increasing security threats, because when you take away that technology element, all that is left is to target people.