CIOReview
Sign In

Subscribe to our Weekly Newsletter to get latest updates to your inbox
| | December 20189CIOReviewFor example, passwords harvested via spear-phishing might be leveraged to cut off power to a hospital and disable its backup generator. Patients on life support or undergoing major surgery would quickly die without electricity. On a very hot day, merely disabling a hospital's HVAC system could be enough to kill some patients.If this sounds like Hollywood fiction, consider Stuxnet, the computer worm used between 2007-2010 to cripple Iran's nuclear program. Its discovery proved that major powers can and do conduct remote, computer-enabled sabotage. Russia, China, and others certainly have the means, even if they don't currently have a motive, to murder Americans via the internet. Social engineering can easily provide the third ingredient: opportunity. Fortunately, it is possible to mitigate such threats by hardening Americans against social engineering. Organizations that have a strong information security culture are far less vulnerable to phishing and similar deceptions. Security-awareness training is a key ingredient in building such a culture, and it has become one of the fastest-growing areas of IT security spending. Many small and mid-sized organizations still don't offer any such training to their members. Large organizations are more likely to have a formal security-awareness training program. Among organizations that do offer training, many view it as a compliance issue. This is not surprising, given that laws and standards like HIPAA and PCI-DSS require it. However, organizations that mandate training merely to check a box on their audit form are missing the point. Annual training doesn't stop social-engineering attacks. Vigilant, skilled, and well-practiced people do. Employees need detailed knowledge of deception techniques to reliably resist social engineering attacksAnyone who has sat through a canned security-awareness video can define phishing, but there's a huge gap between knowing what phishing is and being able to resist a clever spear-phish. There are three things that even organizations with formal training programs often fail to do:1) Foster a culture of vigilance. If the threat is imaginary, we call constant fear paranoia. If the threat is real, we call it healthy vigilance. With executives setting the tone, and the help of key influencers, vigilance can go viral. 2) Build practical expertise. In the interest of brevity, trainers often give superficial treatment to complex topics like social engineering. Shallow content is fine for generating awareness, but employees need detailed knowledge of deception techniques to reliably resist social engineering attacks. Deconstructed, real-world phishing examples are powerful learning aids. Depth matters.3) Drill the skill. Even people who know better can still fall for phishing if they are busy or distracted. In the heat of the moment, thinking twice is too slow. We must develop employees' ability to recognize threats without thinking. Checking for red flags in an email before opening the attachment must become as natural and automatic as fastening your seatbelt before starting the car. This kind of muscle memory is built only through constant repetition. Frequent attack simulations are key.In the past, deception and disinformation were espionage tools. Now they can be primary weapons of war. Ordinary citizens, instead of trained soldiers, are the first line of defense. Right now, our citizens are ill-equipped to hold the line. All CIOs, especially those of us responsible for our nation's critical infrastructure, need to step up and commit to patching America's biggest vulnerability: ourselves.
< Page 8 | Page 10 >