Fun fact: according to a 2017 report from DataTribe and Allegis Capital, the labor pool of cybersecurity engineers and analysts in the Washington, D.C. region is 3.5 times bigger than the rest of the U.S. combined.
While much of that talent is currently working for the U.S. federal government, agencies, military and contractors, there is a growing entrepreneurial ecosystem that is well-suited to support those entities in their ever-present battle with cyber threats.
That’s where my story in Loudoun County begins. My name is Chris Friberg, and I am your one-stop shop for starting or growing a cyber company in Virginia’s fastest-growing county.
After a long career in software solution sales, I joined Loudoun Economic Development in April 2020 to help develop our local cybersecurity industry. I’ve called Ashburn home for more than 24 years, so I’m excited to be part of the dedicated team here who is doing excellent work to turn cyber startups into #LoudounPossible success stories.
With my job change, I wanted to round out my many years of on-the-job training and get some structured education in cybersecurity, so I recently completed a 12-week certificate in Cybersecurity for Business Leaders from the University of Virginia (great faculty and curriculum–highly recommended, even by this Hokie).
This certificate course packed a lot of topics into 12 weeks, but I was especially interested in our week seven topic: Building Organizational Resilience. The general concept here is that the bad guys are attacking the whole of an organization, so it’s critical that the whole organization—not just the IT department—be aware of, and resistant to, the attackers’ tactics and techniques.
While the bad guys are certainly looking for direct vulnerabilities in an organization’s internet-facing systems, the predominant attack vector today is through the human element of an organization. Bad actors would rather log in using stolen credentials than hack in because hacking risks setting off all kinds of alarms. This usually means that the threat actors try to systematically exploit weak passwords and/or employ social engineering schemes to get users to inadvertently reveal their login credentials.
One of the most common social engineering attack techniques is phishing, the practice of sending malicious emails that request that urgent action be taken, and which masquerade as being from a source that is known to and trusted by the recipient. The goal is to get the unsuspecting end-user to either (a) click on an embedded link or executable that downloads malware to their desktop/phone, or (b) click on a spoofed link that then asks for (and steals) the user’s login credentials. Spear phishing is a more refined form of phishing, where the email is targeted to fool a specific individual by referencing open-source intel about the individual’s family, friends, management chain, etc.
Fortunately, commercial software packages are available to inspect and intercept incoming phishing emails (and other malware) before they reach the end user’s inbox. Even the best software solution, however, cannot catch every inbound phishing email, so training on how to identify (and quarantine) phishing emails is part of most organizations’ annual end-user training program. Despite software defenses and user training, however, phishing attacks are often successful. In fact, Deloitte estimates that 91% of all cybersecurity attacks start with a phishing email. How can we fight this?
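The inspection that the paragraph above attributes to commercial mail-filtering products comes down to a set of checks on the sender, the links, and the wording of each message. As an added example, not code from the original post or from any vendor it names, the script below scores a constructed .eml message against four of those indicators: a display name that invokes a trusted brand while the address comes from another domain, a Reply-To that diverges from From, visible link text whose domain differs from the href it actually points to, and urgency language. The trusted domains, sender names, and message contents are all constructed for the example.

```python
"""Toy phishing-indicator scorer (added example; all domains and messages are constructed)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the organisation's own domain and a vendor it expects mail from.
TRUSTED_DOMAINS = {"example-corp.test", "payroll-vendor.test"}

# Phrases that push the reader to act before thinking (the "urgent action" lure).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "verify now")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; crude (no public-suffix list) but fine here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_url(url):
    host = urlparse(url).hostname
    return registrable_domain(host) if host else None


def analyze(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else None

    # 1. Display name claims a trusted brand, but the address domain is not that brand's.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_domain != trusted:
            findings.append(f"display name '{display_name}' mentions {brand} "
                            f"but address domain is {from_domain}")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply and registrable_domain(reply.split("@")[-1]) != from_domain:
        findings.append(f"Reply-To domain differs from From domain ({reply})")

    # 3. Link text shows one domain while the href goes to another (spoofed link).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for visible, href in collector.links:
            shown = None
            if "." in visible:
                shown = domain_of_url(visible if "://" in visible else "http://" + visible)
            actual = domain_of_url(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but href goes to {actual}")
            elif actual and actual not in TRUSTED_DOMAINS:
                findings.append(f"link to untrusted domain {actual}")

    # 4. Urgency language in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a credential-harvesting lure impersonating the payroll vendor.
SAMPLE_EML = """\
From: "Payroll-Vendor Support" <support@mail-notify.test>
Reply-To: helpdesk@reply-collector.test
To: user@example-corp.test
Subject: URGENT: verify your payroll login within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended.
<a href="http://payroll-vendor.test.login-check.test/verify">https://payroll-vendor.test/login</a>
</p></body></html>
"""

# Constructed sample: a legitimate notice from the same vendor, for contrast.
CLEAN_EML = """\
From: "Payroll-Vendor Notices" <notices@payroll-vendor.test>
To: user@example-corp.test
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://payroll-vendor.test/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, "->", analyze(raw) or "no findings")
```

Run stand-alone, the lure produces four findings and the clean notice none. The link check is the one most worth teaching to end users: the underlined text can say anything, and only the href decides where the browser goes.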
To answer this question, our certificate cohort learned from original research done by a consortium led by PwC, along with UVA’s McIntire Center for Management of Information Technology (CMIT). This NSF-funded research project was called The Human Firewall. As the name implies, the Human Firewall aims to develop better human resistance to attacks, while also building on traditional IT controls. Per CMIT, the Human Firewall Project is examining new ways to:
- develop cyber training;
- produce the right interventions at the right time using machine learning;
- develop an understanding of how the IT security department should be integrated into the organization.
The project develops a full-stack approach to include the human layer, the application layer, and the network layer, but the human layer research was the most intriguing to me:
The Human Layer
- IT Mindfulness – The group’s research shows that adding mindfulness training to your end-user curriculum can help users break their rote habit of clicking on any underlined link they see, by introducing a “cognitive intervention” step (a.k.a. Stop. Think. Act). This simple practice of paying closer attention to the present moment can reduce susceptibility by 38% when added to traditional anti-phishing training.
- Power-Users – The team found value in identifying power-users who can function as a bridge between their functional areas and IT. This bridge improves communication between end-users and the IT department and increases overall organizational effectiveness and resilience.
- Team Level Resilience to Cybersecurity Attacks – Team structure can play a role in how well end users react to phishing emails. Users who are socially isolated outside of a team tend to be more susceptible to phishing than individuals who interact regularly with teammates. Managers should proactively ensure that everyone engages and feels connected, especially in this age of remote workforces.
- Gamification of Security – Having your own IT department (or a contracted third party) send “unarmed” phishing emails to test end-user response can be an effective way to evaluate your anti-phishing plan. Loudoun’s own Cofense has become an industry leader in this service solution. The goal is to recognize and reward the best performers in an organization based on how infrequently they are duped. Researchers found that the opposite technique, shaming poor performers, had a negative effect on organizational morale and fostered distrust between IT and the user community.
To summarize, building organizational resilience to resist phishing and other social engineering attacks is based on basic business processes, behavioral training, collective reinforcement, and organizational design. As with most things in today’s digital age, it’s about people, process, and technology—in that order.
What Is Your Cybersecurity Team Working On?
Now that you know a little bit more about me, help me to understand more about you and how your organization does end-user training or develops organizational resiliency in a novel or especially effective way.
I’d like to invite you to be part of the cybersecurity community we’re building here in Loudoun County by joining our Meetup group of nearly 200 members: Loudoun County Cybersecurity Professionals.
Our next meeting is on May 4, 2021, at 4 p.m.
Meeting virtually at first, then in-person as soon as it’s safe, we’re talking about best practices, education, partnerships, workforce issues, and ways that Loudoun high-tech companies can team to win more business and be more effective in keeping us all safe. Hope to see you soon!