Phishing is the biggest cause of data breaches, according to multiple sources including Verizon’s 2017 Data Breach Investigations Report (DBIR). These attacks target users rather than network infrastructure, so technology can only go so far to defend an organisation from being breached. To put this into context, 46,000 phishing sites are created daily, with the majority only being online and active for 4 to 8 hours – these sites are built this way specifically to avoid detection, so blacklists are largely ineffective in this scenario. Attacks that target users are evolving daily, with the development of spear phishing attacks being particularly troubling – these attacks gather personal details about a victim in order to target them more convincingly and trick them into giving away sensitive information such as account credentials or personal data. Ultimately, if technology isn’t able to stop an attack and it gets through to a user, it is down to the user to identify the attack and not fall for the phish, thus saving the organisation from a potential breach.
Ivanti established its security team, headed up by Phil Richards, the organisation’s CISO (Chief Information Security Officer), four years ago. Phil is a highly acclaimed CISO, having worked in security and IT roles for over twenty years and having recently been awarded Computing Security’s Contribution to Cyber Security Award. His team is made up of highly skilled security engineers who handle all aspects of security, from updates and patching, to discovering vulnerabilities, to securing endpoints, to educating users on secure behaviour. The latter is particularly important for protecting the company against inbound attacks that target users. The team is based at Ivanti’s HQ in Salt Lake City, Utah, as well as in numerous locations around the EMEA region.
Ivanti’s cyber security and awareness programme is continuous: employees are made aware of the importance of their behaviour and educated on any gaps in their knowledge throughout their career at the company, from onboarding to offboarding. When joining the company, cyber security training is part of the HR onboarding process. New users are tested to establish their initial knowledge, and then receive baseline training via a PowerPoint presentation which covers the organisation’s cyber security code of conduct (e.g. users aren’t allowed to use BitTorrent on company devices because of the security risks and the possible illegality of the downloads). Users are also taught what legitimate company emails look like, so that they have a reference point for spotting spoofed ones. Then, throughout their time at the company, employees take mandatory cyber security training and awareness modules which educate them on the current essentials of staying safe online: from doing everything they can to protect Personally Identifiable Information (PII) to learning how to use VPNs, and why this is important. Users who achieve 100% on a training module receive a certificate which goes into their permanent record. This training is available and mandatory for everyone, from part-timers to the C-suite. Users are also allowed to share the training modules with their families, so that people working from home are less likely to compromise company data through risky behaviour on the part of a family member – and, as a side effect, the next generation (at least those with Ivanti employees as parents) will grow up with a higher degree of cyber security knowledge and awareness.
As well as training employees, the Security team also assesses employee awareness with so-called mock phishing attacks. This service allows the Security team to send out almost fully customisable fake phishing emails. Emails with relevance tend to work best – for example DHL emails (spoofed as FHL) around Christmas time. If users report the mock phish to the Security team, they are entered into a draw for a prize (usually something like a cash reward of $100 or equivalent); if they fall for the mock phish by clicking on a link or opening a file in the email, they receive a ‘teachable moment’. This means that they are told what they did wrong and are automatically enrolled in relevant training. Ivanti favours the “carrot” over the “stick”, meaning that they prefer to reward end users for good behaviour rather than punish them for bad behaviour – the Security team argues that this is because they don’t want employees to be so worried about being punished that they delete all of their emails. Instead, they have created a culture of trust and security in which users aren’t afraid to report when they think they’ve made a mistake.
The first time the Security team mock phished their end users, around 30% of people fell for the fake email – around 2000 people work at Ivanti, so this was quite a large number. This further highlighted the need for internal cyber security training and awareness. Since introducing training, click rates have dropped to an impressive 6-7%, which is particularly positive given that the Security team have been increasing the difficulty of the emails over time. They follow a process whereby they identify problem areas and then focus on these in the mock phish sent out the following month, to determine whether training has been successful or whether any users require additional training on a topic. In addition, different departments require different types or levels of mock phishes and education: for example, the highly technical developer team are sent more advanced fake emails, and the C-suite are sent highly targeted spear phishing attacks. Having bespoke training and testing in place means that the company is well prepared for any attacks that get through – both in terms of the technology in place (developed by Ivanti) and end users acting as a last line of defence.
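The month-over-month measurement loop described above (click rate and report rate per department, clickers enrolled in training, reporters entered into the prize draw) can be scripted from the campaign results. The following is an added example, not Ivanti’s own tooling; the department names, months and user outcomes are constructed sample data.

```python
"""Mock-phishing scorecard: per-department click/report rates and trend.

Added example with constructed data; not code from the article or Ivanti.
"""
from collections import defaultdict

# Constructed sample results: (month, department, user, outcome)
# outcome is one of "reported", "clicked" or "ignored".
RESULTS = [
    ("2018-01", "finance", "alice", "clicked"),
    ("2018-01", "finance", "bob", "reported"),
    ("2018-01", "finance", "carol", "ignored"),
    ("2018-01", "dev", "dave", "reported"),
    ("2018-01", "dev", "erin", "reported"),
    ("2018-01", "dev", "frank", "clicked"),
    ("2018-02", "finance", "alice", "reported"),
    ("2018-02", "finance", "bob", "reported"),
    ("2018-02", "finance", "carol", "clicked"),
    ("2018-02", "dev", "dave", "reported"),
    ("2018-02", "dev", "erin", "reported"),
    ("2018-02", "dev", "frank", "ignored"),
]


def rates(results, month):
    """Return {department: (click_rate, report_rate)} for one round."""
    counts = defaultdict(lambda: {"total": 0, "clicked": 0, "reported": 0})
    for m, dept, _user, outcome in results:
        if m != month:
            continue
        counts[dept]["total"] += 1
        if outcome in ("clicked", "reported"):
            counts[dept][outcome] += 1
    return {d: (c["clicked"] / c["total"], c["reported"] / c["total"])
            for d, c in counts.items()}


def training_queue(results, month):
    """Users who clicked this round: they receive the 'teachable moment'."""
    return sorted(u for m, _d, u, o in results if m == month and o == "clicked")


def prize_draw_pool(results, month):
    """Users who reported the mock phish: entered into the prize draw."""
    return sorted(u for m, _d, u, o in results if m == month and o == "reported")


def click_rate_trend(results, prev, cur):
    """Change in click rate per department between two rounds (cur - prev)."""
    before, after = rates(results, prev), rates(results, cur)
    return {d: after[d][0] - before[d][0] for d in after if d in before}
```

A department whose click rate rises between rounds is the "problem area" that gets the focus of the next month's mock phish.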
Ivanti have also extended this culture of security beyond their internal community to their customers and the public. They’ve done this by setting up a yearly customer event (Interchange), held in locations around the world, to educate customers and prospective customers about what’s new and important in cyber security and IT. This includes large keynote presentations, smaller seminars and even one-on-one training sessions. Phil, the CISO, also regularly writes blog posts on cyber security for the Ivanti website – these are then promoted on social media, and anyone can access them for current cyber security knowledge. The team also attend a host of industry events such as RSA and InfoSecurity to share their knowledge with the wider cyber security community.
At this stage, the team have been running the training scheme for around a year and a half and, aside from the impressive statistics highlighted above, they’ve also been receiving very positive feedback. The education process fits in well with Ivanti’s wider approach to security, which is a layered one: automated patching, application whitelisting, limiting admin privileges and, of course, educating employees.