Increasing threats from social engineering attacks demand a strengthening of the ‘people perimeter’, writes Peter Carthew, director UK public sector at Proofpoint
People have become the perimeter for any organisation when it comes to cyber security.
This has become clear in how the Covid-19 pandemic has affected the threat landscape, with attackers focusing on social engineering – manipulating individuals into actions or giving away confidential data – to find a way into organisations’ internal systems, cloud services and collaboration tools.
Over the early months of the pandemic, Proofpoint saw threats in more than 400,000 messages, 300,000 URLs and 200,000 attachments related to Covid-19, and only a tiny fraction of those threats exploited technical vulnerabilities; almost all relied on social engineering.
This places people at the security perimeter: largely through how they respond to emails, they can put their organisation's data and operations at risk from malicious actors.
The company advocates responding to this through a people-centric blueprint for cyber security involving three layers with email at the centre.
First is to protect the threat vector through detection and response, information protection, compliance and fraud defence. Second is to protect people through activities such as threat simulation, awareness training, compliance training and risk analytics.
Third is to protect what people access through strategies and technical tools such as Proofpoint’s Cloud App Security Broker to protect against threats in the cloud, the Enterprise Data Loss Prevention solution for information protection, Browser Isolation and the Zero Trust Network Access VPN alternative, and the Insider Threat Management solution.
It all has to be underpinned by the people-centricity, aimed at changing behaviour and reducing the risk exposure of an organisation.
The University of Surrey has adopted the blueprint and launched a two-pronged programme to strengthen the ‘people perimeter’. Nigel Gildea, security consultant for the university, points to three drivers.
“We’re seeing a significant uptick in the way hackers are targeting staff and students, and they seem to be using Covid as a weapon,” he says. “This is very challenging because we are also trying to send out Covid messages to staff and students.”
He adds: “Hackers are lazy individuals. They could spend a lot of time trying to hack technical infrastructure, but they are not going to do that if they can send a text message or email to one of our students to steal their credentials.”
The second driver is a wave of attacks on education institutions that rely on social engineering, largely phishing emails, to direct users towards malicious software.
“We can look at technical solutions to try to mitigate against these types of attack, but the reality is that we need defence in depth, and as part of that we are very dependent on our students and employees to identify phishing campaigns.”
The third driver has been more proactive, in response to the standards set by the National Cyber Security Centre (NCSC) for universities to be recognised as Academic Centres of Excellence in Cyber Security Research and in Cyber Security Education. The University of Surrey is already recognised as an Academic Centre of Excellence in Cyber Security Research and is now aiming to also qualify as an Academic Centre of Excellence in Cyber Security Education.
In doing so it has partnered with Proofpoint to reduce its vulnerabilities and show it can meet the standards for education in the field.
This all led to the development of the programme, the first phase of which is aligned with Cyber Security Awareness Month, a European initiative that encourages campaigns to raise awareness and reinforce good practice among staff.
“We’re trying to come at students and staff from all angles,” Gildea says. “Firstly we’ve integrated the Proofpoint learning management system and have defined the ‘101’ messages.” These cover phishing, navigating risks on the internet, password management, how to identify malware, and incident response.
The Proofpoint system has been interfaced with the university’s Active Directory, which provides single sign-on and university branding to reduce any confusion when users are accessing the system.
The university has also produced blogs and news articles, drawing on Proofpoint media resources, and an interview with its chief information security officer, and has plans for a Twitter campaign and to use digital signage around its premises to post education messages.
Phase two is still in planning but will involve measuring the security capability of staff and students through online testing and phishing campaigns, along with defining training roles on subjects such as vulnerabilities, compliance and more advanced requirements, which can be developed as the programme progresses.
“We are also looking to measure the cyber strength of these roles,” Gildea says. “Proofpoint has an interactive quiz that we send out to staff and students, which should give us an understanding of vulnerabilities in terms of lack of knowledge, skills and expertise. This can help us look at strength improvement training.”
This will be followed by sending out emails from within the Proofpoint system to remind people to complete their training, then a series of phishing exercises to measure vulnerabilities and look again at requirements. Depending on how staff and students respond to the phishing they can be auto-enrolled onto new rounds of training.
This is based on the people-centric blueprint, enabling people to protect themselves while identifying those who are most frequently attacked, alerting everybody to threats and educating them on self-protection.
It also reflects a people-centric approach to risk reduction, with a circle of identifying risk, changing behaviour and reducing exposure. The final step involves knowledgeable end users reporting potential threats, which then feeds into a new round of identifying risk.
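The phase-two loop described above (phishing exercises whose outcomes auto-enrol people onto training, with user reports feeding back into the next round of risk identification) can be expressed as a small scoring and enrolment routine. The following Python is an added example written for this article; it is not Proofpoint's or the University of Surrey's code, and the event format, module names and enrolment thresholds are assumptions made for illustration.

```python
"""Turn simulated-phishing results into training enrolments and metrics.

Added example written for this article; it is not Proofpoint's or the
University of Surrey's code. The event format, module names and the
enrolment thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Actions a user can take on a simulated phish, least to most severe.
# A user's outcome for a campaign is the most severe action recorded.
SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}
FAIL_AT = SEVERITY["clicked"]  # clicking the lure or worse counts as a failure

# Constructed sample events: (user, campaign, action). "reported" means the
# user flagged the message to the security team via the report button.
SAMPLE_EVENTS = [
    ("alice", "c1", "delivered"), ("alice", "c1", "reported"),
    ("bob", "c1", "delivered"), ("bob", "c1", "clicked"), ("bob", "c1", "submitted"),
    ("carol", "c1", "delivered"),
    ("alice", "c2", "delivered"),
    ("bob", "c2", "delivered"), ("bob", "c2", "clicked"),
    ("carol", "c2", "delivered"), ("carol", "c2", "clicked"), ("carol", "c2", "reported"),
]


@dataclass
class UserRecord:
    worst: dict = field(default_factory=dict)    # campaign -> most severe action
    reported: set = field(default_factory=set)   # campaigns the user reported


def summarise(events):
    """Collapse raw events into one record per user."""
    users = defaultdict(UserRecord)
    for user, campaign, action in events:
        rec = users[user]
        if action == "reported":
            rec.reported.add(campaign)
            continue
        if action not in SEVERITY:
            raise ValueError(f"unknown action {action!r}")
        prev = rec.worst.get(campaign)
        if prev is None or SEVERITY[action] > SEVERITY[prev]:
            rec.worst[campaign] = action
    return dict(users)


def failed_campaigns(rec):
    """Campaigns in which the user clicked or submitted credentials."""
    return [c for c, a in rec.worst.items() if SEVERITY[a] >= FAIL_AT]


def enrolment(rec, latest):
    """Decide which module (if any) to auto-enrol a user in after `latest`.

    Policy (assumed): no failure in the latest campaign -> nothing; a first
    failure -> the 101 module; a repeat failure -> the advanced module;
    handing over credentials in the latest campaign always triggers the
    credential-phishing module, which is the most targeted one.
    """
    action = rec.worst.get(latest, "delivered")
    if SEVERITY[action] < FAIL_AT:
        return None
    if action == "submitted":
        return "credential-phishing"
    return "phishing-advanced" if len(failed_campaigns(rec)) > 1 else "phishing-101"


def campaign_metrics(users, campaign):
    """Organisation-level click and report rates for one campaign."""
    targeted = [r for r in users.values() if campaign in r.worst]
    n = len(targeted)
    clicked = sum(SEVERITY[r.worst[campaign]] >= FAIL_AT for r in targeted)
    reported = sum(campaign in r.reported for r in targeted)
    return {"targeted": n,
            "click_rate": clicked / n if n else 0.0,
            "report_rate": reported / n if n else 0.0}


def plan(events, latest):
    """Map every user to their enrolment decision for the latest campaign."""
    users = summarise(events)
    return {u: enrolment(r, latest) for u, r in users.items()}


if __name__ == "__main__":
    print(plan(SAMPLE_EVENTS, "c2"))
    print(campaign_metrics(summarise(SAMPLE_EVENTS), "c2"))
```

The report rate is tracked separately from the click rate on purpose: a user who clicks and then reports (carol in the sample) still gets the 101 module, but the report itself is the signal that closes the loop, and a rising report rate across campaigns is the measurable sign that behaviour is changing rather than just that fewer people clicked a particular lure.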
This is already strengthening the cyber defences of the University of Surrey and can do so for organisations in all parts of the public sector.