Transportation ranks among the top 10 industries that suffer data breaches. As you can imagine, that is of extraordinary concern and focus at Werner Enterprises, one of North America’s largest transportation and logistics companies. At Werner EDGE — the innovation arm that I lead — our responsibility is to keep goods moving through sophisticated and secure networks, including an approach to cyber security that must extend to protecting our large workforce.
To that end, we must stay vigilant about our approach to phishing — the root cause of most breaches. In fact, the “human element” is still a factor in 3 out of 4 breaches, despite enterprises increasing cyber security training. With a single click on a malicious link, an employee could jeopardize an entire company — the FBI says (for example) that business email compromise has cost more than $50 billion to date. Bad actors are using increasingly sophisticated methods to infiltrate businesses, and AI is helping them accelerate the speed and scope of their attacks.
In other words: the phishing problem isn’t going away. No matter how strong your network architecture and security are, there will always be a weak link, and it’s often a single individual. A momentary lapse can spell disaster for the entire organization. Therefore, it’s become increasingly clear that we need to collectively adjust our security awareness training to shore up that line of (human) defense.
At the personal level, cyber security is about adopting a few simple habits. Just like learning to look both ways when crossing the street, it needs to become second nature to thoroughly read an email and check email addresses before responding or clicking on a link. At Werner, we typically run seven or eight security training sessions a year, including a mandatory annual training session that lasts 45–60 minutes. It’s relatively simple, straightforward, and covers the basics. We also run quarterly refreshers and ad hoc training that is 5-7 minutes long to keep everyone up to date, especially when new threats emerge. These are also mandatory.
Year-round security training is a best practice for several reasons:
From a compliance perspective, ongoing training is required by insurers.
The threat landscape is ever-changing. Bad actors are constantly finding new ways to slip past even the most vigilant users, and staff need to know the latest tactics to look out for.
It’s human nature that people tend to lower their guard over time. Training serves as a reminder to take phishing and other threats seriously.
While we incorporated a lot of best practices into our training practice, we’ve also identified some things that don’t work well.
The least successful strategy was remedial training. When an employee clicks on a known phishing link, we can block outbound communications and identify who responded to the offending content. We then give the person who fell for the scam a quick refresher on what not to do.
But, we’ve noticed that within a matter of weeks, the same person would fall for another phishing attempt. I estimate nearly 70% of those who received remedial training still failed phishing simulation tests later.
Talking to the repeat offenders gave me a new perspective: some people felt they were being punished with the extra training; for others, the training made them more nervous about doing the basic tasks required for their jobs, such as reading emails or even opening Word documents.
While ongoing awareness training is a critical way to stay ahead of the scammers, I’ve also come to the conclusion that punitive measures aren’t as successful. Anyone in charge of cyber security needs to find engaging ways to incentivize employees to pay attention to their actions — while respecting their time.
You need a carrot, not a stick, to get the best response.
Gamifying security training is one way to create positive reinforcement and reward people for good behavior, like reporting suspicious communications. For example, incentives like leaderboards, cash rewards, gift cards, or company swag, can offer tangible reasons for busy colleagues to want to do better on training and to know more about evolving phishing threats.
Improving training is only one side of the coin. Someone will let their guard down eventually and organizations have to be ready to continually strengthen their cyber security posture.
Human error and inattention are two of the biggest threats to a company’s security. It’s impossible to eliminate these threats entirely, but technology can be leveraged as a safety net to minimize what gets through.
Starting with a Zero Trust approach, companies can also leverage preventive tools like multi-factor identification (MFA) and preemptive email security (which might include optical character recognition to scan images) to relieve the burden on IT and Security.
It’s also important to have endpoint security tools to automate the isolation and removal of a compromised device from your network. Just as scammers leverage AI for their attacks, the business community must respond by applying AI to identify and respond to security breaches much faster. Any business that can harness these technologies improves its odds of preventing a breach.
Cyber security is very much about covering all the bases. Werner runs penetration tests at regular intervals, including a red team test, where we hire ethical hackers to try to attempt an attack on the network from the outside. This practice helps locate vulnerabilities.
Our red teams also test physical security. They walk around parking lots and check for unlocked cars with laptops, backpacks, or documents in the back seat. They get into buildings by following people who swipe magnetic cards or scan badges to enter. They check for unlocked and unattended laptops and smartphones and see if it’s possible to steal files from those devices. Sharing the results of these tests can be a great wake-up call for employees who might feel far removed from cyber security concerns.
Every IT leader recognizes the financial, operational, and reputational costs of a breach, and knows that they can’t skimp on security technology. The challenge is making sure everyone else in the organization is equally vigilant against threats.
I’m all about action, urgency, and keeping things simple. Businesses have to keep pace with IT innovation to stay competitive, but we can’t move so fast that we forget to attend to the security basics. Optimizing every aspect of operations, systems, and infrastructure will not only reduce human error, but it will reduce capital and operational expenses, making it possible to allocate more funds and resources to cyber security—which should be as robust as your budget will allow.
Phishing costs businesses millions of dollars and can disrupt production, interrupt services, alienate customers, and drive companies out of business. If an organization tries to ‘save money’ on cyber security, or reduce employee training, they put everything at risk. Instead, make security integral to your operations and culture, giving your people and business a fighting chance when bad actors attack. The health and safety of our companies demand it.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Daragh Mahon — @daraghmahon
EVP and CIO, Werner Enterprises
After reading this article you will be able to understand:
Operations and culture are integral to security
How to balance training, penetration testing, and solutions to stay ahead of attacks