Pub. 5 2016 Issue 6

August 2016 11 l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s mock up an email reportedly from an acquaintance to fool us into believing it to be genuine.” One of the particularly maddening things fraudsters exploit is the fact that banks sell trust, and your employees are good, friendly, trusting people by nature of your helping profession. Of course, social engineering is defined as the clever manipulation of the natural human tendency to trust. However, after two decades of ever-evolving phishing emails—from the early emails from Nigerians desperate for your assistance and willing to pay exceedingly handsomely for it to the latest, hard-to-discern-from-genuine malicious link or attachment-laden versions—one might assume employees would now recognize these schemes (for their own sake, if not for the bank’s). But, Welch goes on to say, “It seems people cannot stop themselves clicking on links they receive in emails without even the most cursory check on whether it is a valid link or not. It is an easy step often overlooked that you hover your mouse over the link and see what web address it is trying to send you to.” 2015 Social Engineering Test Results Over the past 15 years, CoNetrix has performed more than 2,000 IT audits and penetration test engagements for financial institutions. Historically, most of our customers have conducted only annual security awareness training and those who tested the effectiveness of their training also generally only did so annually. An analysis of our 2015 social engineering test results confirmed what I observed as a CoNetrix IT auditor: your training is not effective enough. In 2015, failure rates for CoNetrix social engineering tests ranged from a low of 14.5 percent (employees clicked on an email phishing link) to 31 percent (employees downloaded a file after being prompted via a phone call)! Furthermore, there was almost no difference in failure rates between small and large financial institutions: • FIs under $250M – 24 percent average failure rate • FIs $250M-$750M – 23 percent average failure rate • FIs over $750M – 23 percent average failure rate This was particularly surprising because one might have expected smaller banks to do better than larger banks (fewer numbers of employees to train and probably lower turnover) or larger banks to do better than smaller banks (more resources for training, possibly a bigger target than smaller banks). The point is everyone is performing equally poorly, because a single failure on a real social engineering attack is too many. Now What? Welch concludes his article by stating, “People are no doubt the soft underbelly of any organization, and through education and awareness we can try to limit their ability to compromise network security.” Banks must cultivate a culture of security awareness rather than relying upon a single annual security awareness presentation or training course. Many banks have begun sending monthly emails, integrating short presentations about security awareness into morning meetings, sharing (sanitized) genuine phishing emails that sneak through spam filters, and distributing interesting articles online and in bank association magazines. In addition, banks should engage a competent external penetration-testing firm for security awareness/social engineering testing at least annually. And, thanks to a relatively new type of software, banks can now augment their external security awareness testing by sending their own phishing emails. This software (such as tandem Phishing by CoNetrix (https://conetrix.com/Tandem#Phishing ) allows banks to easily and economically test employees’ security awareness AND immediately train users who fail the test. So, promote a security awareness culture and consider phishing your own employees so they’ll better recognize a fraudster’s phishing attack. Keith Laughery is an account man- ager for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem, a security and compliance software suite designed to help financial institutions with GLBA and other regulatory compliance. Read about our newest tandem software solution, tandem Phishing, at https://conetrix. com/Tandem#Phishing or contact Laughery at (800) 356-6568 or klaughery@conet- rix.com .