Prevention is one of the best ways to thwart a security breach in IT. But with attacks becoming more sophisticated, prevention is becoming increasingly difficult for IT departments. We asked Curt Carver, Vice Chancellor and Chief Information Officer for the Board of Regents of University System of Georgia, to share some of the ways he has helped guard against security incidents before they happen.
The Enterprisers Project (TEP): Beyond basic techniques like teaching the importance of strong passwords, how do you hope to lead your organization toward becoming more proactive about security?
Curt Carver: Part of it is building the right structure and putting the right people in place to characterize incidents. You have to be proactive and look at your logging system, triage what’s going on, and then make appropriate decisions so that your critical systems are protected. Characterize which systems are critical and which systems are not. Characterize which data needs to be protected most and ensure that you have additional protections around systems with sensitive data.
One of the things that you’re seeing in the market now is specific targeting of positions. In other words, hackers aren’t launching an attack against everyone, although they still do that, but they’re focusing more on the CEO, the CBO, and the CIO. They’re trying to see if they can compromise those individuals in a very nuanced attack.
When I was in an IT leadership role at West Point in the 2003-2004 time frame, we looked at our students and their susceptibility to spear-phishing attacks. And what we found is that the longer a student was at West Point, the more they became susceptible to phishing attacks. That’s the antithesis of education, of course; they’re supposed to get smarter about these kinds of things!
TEP: Interesting. So what did you do?
Curt Carver: We tried what was probably a traditional corporate or government response to this. We said: “Well, we just need to train them.” So we assembled them all together, we showed them a multitude of PowerPoint slides showing them the error of their ways. And that proved to be completely ineffective in changing behavior.
So what we ended up doing — and has since become more popular — is to turn spear-phishing into an interactive lesson. We created the software that allowed one student per 100 students or so to send a phishing attack against those 100 students. If the recipients of the attack actually clicked on the link, downloaded a zip file, provided their username or password, or any those types of activities, instead of the attack launching, the student who initiated the attack would be notified. Then that student could walk down the hallway, sit down with their peer and explain why it was a phishing attack.
We intentionally wouldn’t tell the rest of the IT organization at West Point when that attack was going to occur. We didn’t tell organizational leadership either. The students had control of that, and my incident response team was tested every semester as the students would launch these faux attacks. The IT organization wouldn’t know if the attack was real or internal (I mean, we could figure it out) but that was the intent — to stay honed and ready for a real attack.
We found that security incidents were nearly cut in half after we implemented the interactive lessons. In fact, the longer students were at West Point, the less susceptible they became to a phishing attack.
TEP: Those are great results. What do you think it was it about the interactive lessons that led to students being less susceptible to attacks?
Curt Carver: Making security an activity led by students, for students, allowed them to fundamentally learn and become much more sophisticated in differentiating what a spear-phishing attack was in their enterprise system, as opposed to some artificial message that you’re shown on a PowerPoint slide. It was coming into their regular work environment.
TEP: What lessons do you think IT leaders can take from that exercise today as they look for ways to educate folks in their organization about the importance of security?
Curt Carver: I would offer a few pointers:
- It needs to be active. It needs to involve all employees.
- It doesn’t need to be artificial.
- Instead, it needs to be something that has a real-world effect like it did on those students.
All in all it was a very effective program, and since then a number of institutions have emulated that approach, including commercial companies. They use that type of an approach to make their security training very active and very on target.
As you look to the future, as we have this push towards consumerization, more of that type of training is going to be needed for mobile devices and consumer devices — cell phones and tablets — so that those devices are protected against attacks going forward.
Read Curt's article, "Your next IT star could be a former employee."
Curtis A. Carver Jr., Ph.D. is the Vice Chancellor and Chief Information Officer for the Board of Regents of University System of Georgia (USG). In this capacity, he oversees a statewide educational infrastructure and service organization with more than 190 innovators and more than $75 million annual investment in higher education. He also provides technical oversight of the USG Shared Services Center. Dr. Carver has led the transformation of IT services by partnering with USG business owners, institutions, and other state agencies to jointly solve problems.
