Managing phishing – Weaponising Your Workforce
How do you manage something which is etched into human personality and behaviour; the act of wanting to comply with authority and reacting to urgent matters with the utmost interest? Essentially you don’t, you engineer the environment, situations and working processes to complement these weaknesses and thus strengthen them.
You can have the world’s best email filters, endpoint protection and most accurate proxy, but essentially all these technologies are doomed to fail when put into the context of phishing email and URL detection. Phishing emails are designed to replicate genuine emails; to achieve 100% accuracy in the process of detection of phishing emails and phishing domains - compromise and sacrifices must be made. Genuine emails will be detected as phishing, impacting work efficiency and ultimately affecting the success of a business.
In my career to date, I have seen a broad range of phishing tactics used; and I can honestly say that the development of such tactics has exponentially evolved into a threat which is the starting point of the majority of data breaches and cyber-attacks. Verizon reported that 90% of incidences and breaches included a phishing element. To make matters worse, the volume of such emails has also exponentially risen, according to APWG, there has been 1,734,948 more phishing campaigns reported in the last 5 years than the period 2005 -2014.
Your typical 'Nigerian Prince' offering a cut of his fortune in repayment for transferring money has evolved into your Netflix password has expired to more recently a COVID-19 related policy requiring you to sign in to your work Office365 account and sign by close of business.
To summarise, phishing email volumes are increasing, the level of relevance and success of phishing is increasing and the cost of remediating issues related to successful phishing attacks is also increasing… Not a great prospect.
How do we combat these attacks?
Phishing has long been a problem which cannot be merely brushed under the carpet of IT and sysadmins. The impact of a breach is so public now, due to GDPR law; one compromised user could result in years of financial hardship due to ICO GDPR fines.
This is where education and simulations play its pièce de résistance…
The art of education needs testing. How can you test your education is reaching the right employees and that its even having an effect? Carrying out phishing simulations is almost a requirement for the success of cyber education.
It can be viewed as a continuous loop - starting with a phishing simulation, this reveals who is most likely to click, who is most likely to submit data to an attacker and who is most likely to report the email.
This in turn reveals your high-risk users. Of course, stricter security around their accounts can be implemented with increased SIEM monitoring and stricter rules on their email accounts, but as mentioned before technical measures alone aren’t enough to stop phishing threats.
This is where education comes to fruition; those who fail simulations and take undesirable actions with simulation phishing emails undergo training to better equip and nurture their work behaviours. The training complements the simulations and the simulations complement the training.
A human approach to a human centred security issue.
You can learn more about managing phishing attacks in our FREE 2020 Cyber Security Priorities eBook.