
Cost-Effective Cybersecurity Strategies

Statistics show that the majority of threats originate from a 20-year-old attack vector when combined with more advanced techniques such as spear-phishing.

Fishing hook through a stack of credit cards

This is the first of a five-part series in which the security division's technical leaders answer the questions they are asked most frequently about security.

The five most asked questions are as follows.

  1. What is the single most cost-effective thing I could implement in my organization to increase my cyber security posture?
  2. Will we ever get rid of passwords in our lifetime?
  3. What is the one emerging technology that I should budget for?
  4. How will an investment in big data, data lakes, or data mining significantly change my security posture?
  5. I don't know what I don't know about my security weaknesses. How does your technology tell me what I don't know?

Question 1: What is the single most cost-effective thing I could implement in my organization to increase my cybersecurity posture?

While trends such as advanced persistent threats (APT), ransomware, and fileless malware garner a lot of industry press, statistics show that the majority of threats, including those enumerated above, originate from a 20-year-old attack vector when combined with more advanced techniques such as spear-phishing. Ironically, phishing is a problem whose most effective defense is not a specific tool or technology, but a well-trained workforce. In fact, a recent study by the Ponemon Institute comparing the cost of phishing attacks to the benefit of employee training found that a training program from one vendor resulted in a net return on investment of approximately 50 times. This doesn't imply that additional security technologies will not improve the posture of an organization; rather, it implies that the most significant and possibly most cost-effective program an organization can execute is a comprehensive training and education program. Furthermore, a program that operates at all levels, with perspectives tailored to each, is essential. This includes end users, executives and financial administrators.

End User Training

The most common attack vector used against organizations is through endpoint devices associated with users of corporate and web-based applications. These are easier targets because of the constantly changing landscape of endpoints and the reduced security awareness of the end user. The landscape changes constantly as users install third-party applications downloaded from the network. The end user is not a security expert and is generally unaware of how an attack, breach, infection or data loss could occur. A comprehensive understanding of attack vectors is unreasonable to expect of the average end user. However, education on how an attack occurs and its warning signs, together with accountability as the last line of defense for preventing a breach, is paramount. The user must be considered the last line of defense, because an end user's actions can allow attacks to bypass conventional security measures.

End user training should focus on five distinct areas:

  1. The basic components of an attack, such as how infections occur from websites, advertisements, social networks, online reviews, messaging and connected peripherals such as USB devices and mobile phones.
  2. The warning signs and how to recognize malicious websites, emails and links embedded in conversations: the ability to recognize a warning sign, pause, consider it, and proceed only after weighing the benefit of the task being attempted.
  3. How to recognize fraudulent conversations over any messaging medium along with the warning signs of urgency, deception and uncorroborated requests.
  4. How Internet of Things devices such as smart-home devices, surveillance cameras and appliances can be leveraged against the user and the organization if not properly secured, and how to properly secure them via simple mechanisms such as changing the default passwords and not allowing more access than necessary.
  5. The importance of end user accountability of maintaining the endpoint, application updates, password management, data export / import and physical protection, as well as how the user’s home and personal devices can be used as a launch-point to attack the organization if they fail to maintain the same vigilance after-hours on those devices.

Executive and Financial Administration Training

Executives are specifically targeted by direct phishing campaigns as they have the broadest privileges to financial and private corporate data assets. Most successful executive phishing attacks start with a compromised email account of an executive. An attacker gains privileged access to an email account and begins a dialogue with a financial executive. Since the email is from a colleague, a significant level of trust has already been established. We have all received the email from the Russian prince who only needs access to our bank account to store a significant amount of money until he can get a visa for travel. The majority of us recognize the ridiculousness of this type of request; however, a financial demand from a trusted executive is treated quite differently. It usually involves a bank transfer of less than $250,000 and is framed as a stopgap for a short-term crisis. In a recent attack, a compromised email from the CEO of the company requested that a payment be made to a reseller by the CFO. The email stated that the reseller was integral to a $4 million deal and had been short-changed on the previous quarter's royalty payments. This payment deficit needed to be reconciled before the reseller would agree to the discounts associated with the larger deal.

Corporate phishing attacks almost always carry a sense of urgency and involve either reconciliation with an existing account toward a larger deal or the avoidance of embarrassment to an executive. Remember, the attacker has years of corporate email records with which to both fabricate and corroborate the extortion.

Executive training should focus on five distinct areas.

  1. Executive extortion starts with compromised credentials of a communication system such as email, chats, or collaborative environments.
  2. Executives must be the most diligent practitioners of password maintenance policies.
  3. Messages that contain both a sense of urgency and a monetary request should be suspect.
  4. Messages that ask for the identity and responsibilities of colleagues should be suspect.
  5. Informal requests can never circumvent the financial procedures or accountabilities of an institution.
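The warning signs listed for executives (urgency paired with a monetary request, probing for who holds which responsibility, and pressure to step outside normal financial procedure) can be turned into a simple triage rule that a finance team or mail gateway applies before anyone acts on a payment request. The following is an added example written for this article, not code from IBM or from any vendor mentioned; the keyword lists, the scoring weights, the threshold of 3, and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage for business-email-compromise style payment requests.

Added example, not part of the original article. It scores a message on the
indicators the article tells executives to treat as suspect and recommends
out-of-band verification when the score crosses a constructed threshold.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator lists; a real deployment would tune these to its own mail.
URGENCY_TERMS = ("urgent", "immediately", "today", "before end of day",
                 "asap", "right away")
BYPASS_TERMS = ("keep this between us", "don't involve", "do not involve",
                "skip the usual", "outside the normal process")
ROLE_PROBE_TERMS = ("who handles", "who is responsible", "who approves",
                    "who can authorize")
# Dollar amounts, amounts followed by a currency word, or transfer vocabulary.
MONEY_PATTERN = re.compile(
    r"\$\s?\d[\d,]*(?:\.\d+)?|\b\d[\d,]*\s?(?:usd|dollars)\b"
    r"|\b(?:wire|transfer|payments?)\b",
    re.IGNORECASE,
)
# Constructed threshold: scores at or above this value get held for verification.
FLAG_THRESHOLD = 3


@dataclass
class Message:
    sender: str
    subject: str
    body: str


@dataclass
class Assessment:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        """True when the request should be verified through a known channel."""
        return self.score >= FLAG_THRESHOLD


def assess(msg: Message) -> Assessment:
    """Score a message on the article's executive-phishing warning signs."""
    text = f"{msg.subject}\n{msg.body}".lower()
    result = Assessment()

    urgent = any(term in text for term in URGENCY_TERMS)
    money = MONEY_PATTERN.search(text) is not None
    if urgent and money:
        # Urgency plus a monetary request is the article's strongest signal.
        result.score += 2
        result.reasons.append("urgency combined with a monetary request")
    elif money:
        result.score += 1
        result.reasons.append("monetary request")

    if any(term in text for term in BYPASS_TERMS):
        # Informal requests may never bypass the institution's procedures.
        result.score += 2
        result.reasons.append("request to bypass normal financial procedure")

    if any(term in text for term in ROLE_PROBE_TERMS):
        result.score += 1
        result.reasons.append("probes for colleagues' roles or responsibilities")

    return result


# Constructed sample messages: one BEC-style request, one routine message,
# one reconnaissance-style question that scores below the threshold.
SAMPLES = [
    Message("ceo@example.com", "Urgent: reseller payment",
            "I need you to wire $180,000 to our reseller today before the deal "
            "closes. Keep this between us until the deal is announced."),
    Message("controller@example.com", "Q3 royalty report attached",
            "Here is the reconciliation report for review at Thursday's meeting."),
    Message("ceo@example.com", "Quick question",
            "Who approves vendor payments while the CFO is traveling?"),
]


def triage_all(messages=SAMPLES):
    """Return (flagged, score, reasons) for each message, for review or logging."""
    return [(a.flagged, a.score, a.reasons) for a in map(assess, messages)]


if __name__ == "__main__":
    for msg, (flagged, score, reasons) in zip(SAMPLES, triage_all()):
        action = "HOLD for out-of-band verification" if flagged else "normal handling"
        print(f"{msg.subject!r}: score={score} -> {action}; {reasons}")
```

The third sample shows why the score is cumulative rather than any-one-hit: a question about who approves payments is worth noting but, on its own, should not stop routine work, whereas the first sample stacks urgency, money and a request for secrecy and should be confirmed by calling the executive on a known number before any transfer is made.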

Training Combined With Realistic Drills

Training should start with every new employee and be refreshed yearly to keep up with the latest phishing attacks. Both companies and technology exist that send realistic phishing attacks to employees to “test” the awareness of both executives and end users. For example, an email might be sent to all employees asking them to refresh their personal data through a new HR portal. If they click the link in the email, a form very similar to the company's website is presented that requests their username and password. Employees who click the link and enter personal identification data are flagged by the decoy and asked to attend a security-training program. These applications may also include an automated test that presents differing scenarios to employees, which they should identify as suspicious or insecure. Both training and validation of the training through continual testing of the user base are essential to effectively thwarting phishing attacks.
