A New Approach To Combat Phishing

Why are we still relying on training tired and stressed people on a complex topic instead of searching for a technical solution? Providing employees with security training can do only so much. In the last couple of months, we’ve seen a number of massive data breaches that started with a simple email failure.

Why is providing training to combat phishing a failing strategy?

For example, take the DocuSign breach earlier this year: Emails from “dse@docus.com” began arriving in inboxes, claiming to be either a document that had been completed or one that was awaiting a final signature. These messages looked strikingly close to real DocuSign emails, they were so convincing that millions of users were tricked into clicking on the phishing link in the email.

It’s likely that many of the people who clicked had received security awareness training of some kind, but despite their best efforts, the training failed and they became victims.

In addition to the DocuSign breach, criminal hackers were recently successful in fooling a number of top White House officials and other government workers with impersonation attacks.

Given the nature of their work, all of the victims had previously received cybersecurity awareness training. That the attackers were able to trick some of the highest-profile targets in the United States further proves that people are overwhelming susceptible to highly targeted deception-based attacks.

Pre-emptively “phishing” your own employees with simulated attack emails and educating those who click on links with a training video is an outdated approach that doesn’t meaningfully increase cyber resilience. Instead, it positions the IT security team as an agitator and source of humiliation for some employees.

Why is phishing so prevalent and hard to protect against?

Email is still the single most effective and commonplace way of reaching someone in the business world. Today’s complex ecosystem of email endpoints, spanning both company- and employee-owned tablets, phones, work laptops, home computers and phones, means email access is ubiquitous, and people are addicted to constantly refreshing and checking for updates 24 hours a day, seven days a week.

Employees are likely checking email every waking hour, if not more, and the intense cognitive load this places on them can preclude them from deep thoughtful reflection before taking action on and/or responding to mail.
 
When stressed-out, overwhelmed people with emails all over the place try to make complex decisions on a continuous basis, it’s inevitable that mistakes will happen. We're only human, after all.

And this is just the typical employee. What about your security team? Security professionals are already hammered. You can’t possibly hire people to monitor and analyze all corporate email, it’s just unsustainable.  

On average, .02 percent of all inbound email contains threat characteristics of phishing. If you’re an enterprise organisation with 50,000 employees on staff, that results in almost 4,000 potential threats per week.

Assuming an estimated five minutes of review time per email, you’ll need eight infosec employees working full-time, 24 hours a day to process this information. Or you could hire 16 people with $125k salaries each, which then makes handling email a multimillion-dollar problem.

Why do you suggest we have to change the compliance story?

Right now, cybersecurity and compliance do not smoothly coincide. In cybersecurity, the biggest compliance concern is typically centered around “not going to jail.” If your company is ever breached, you’ll have to show investigators what kind of protections you put in place to guard customer data.

If you can show you were aware email was a problem and that you invested in security training for employees, then investigators can check those boxes. Meeting compliance doesn’t solve our cybersecurity problems, but for a CSO who is focused on risk reduction, it mitigates blame from the board.

What do we need to ask and think about if we want to get better security results?

We need to strip away all the buzzwords and ask this question to get better results: How do we create force multipliers in cybersecurity? The answer is automation. The threat surface is growing, and cybercriminals are becoming more sophisticated.

They’re utilising threat tactics that have made it increasingly difficult for organisations to protect themselves at scale. Cyber criminals are putting pressure on businesses by increasing the volume of these kinds of targeted attacks, dramatically outpacing even the world’s largest security teams’ ability to keep up.

Through the use of automation tools, security leaders can help their teams more efficiently manage the overwhelming number of alerts and potential vulnerabilities they face on a daily basis. Programmatically remediating low-level threats enables staff to prioritise investigation of critical threats that require human judgement.

What do security leaders need to do to start this journey?

The essential first step here is one of recognition: Good employees acting upon good intentions can make poor decisions about security. This is true no matter how well trained they are. Social status, time constraints and urgency increase psychological pressure to respond to seemingly legitimate requests for which training users is insufficient.

Often, the challenge for security is that of time. Given infinite resources, all attacks are addressable. The reality of inbound threat exceeds capacity for most enterprises.

Accordingly, security leaders need to use technology to ease the burden on IT teams while also looking for ways to further reduce risk for employees.

Security leaders should look through their cybersecurity policies closely to see if there are areas that are either overly manual (i.e. reviewing all emails with threat characteristics) or take up a lot of time with little value to the overall business.

CSO:

You Might Also Read: 

Canadian University Hit For $12m Phishing Scam:

Google Neutralizes Phishing Scam:

« Facial Recognition Works on iPhone X. Sometimes.
Chinese & S. Korean Regulators Says ICO Investors At Risk »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TrustedIA

TrustedIA

TrustedIA is a cyber and protective security company. Our mission is to help businesses protect themselves from disruptive events that can impact their successful operation.

Certus Software

Certus Software

Our Secure Data Erasure solutions protect customer data confidentiality by completely erasing it from data storage devices.

Proact IT Group

Proact IT Group

Proact is Europe's leading independent data centre and Cloud services enabler. We deliver flexible, accessible and secure IT solutions and services.

CyberVista

CyberVista

CyberVista is a cybersecurity training education and workforce development company. Our mission is to eliminate the skills gap by creating job ready professionals.

Evolve Secure Solutions

Evolve Secure Solutions

Evolve Secure Solutions is a security focused managed services provider serving private and public customers across the UK.

SlashNext

SlashNext

The SlashNext Internet Access Protection System (IAPS) provides Zero-Day protection against all internet access threats including Social Engineering & Phishing, Malware, Exploits and Callback Attacks.

GuardianKey

GuardianKey

GuardianKey is a solution to protect systems against authentication attacks.

GateKeeper Enterprise

GateKeeper Enterprise

The GateKeeper Enterprise software is an identity access management solution. Automated proximity-based authentication into computers and websites. Passwordless login and auto-lock PCs.

OSI Security

OSI Security

OSI Security's primary services include penetration testing, security auditing, web application security testing and risk management.

NetTech

NetTech

NetTech’s Managed CyberSecurity and Compliance/HIPAA services are designed to help your company prevent security breaches and quickly remediate events if they do happen to occur.

NACVIEW

NACVIEW

NACVIEW is a Network Access Control solution. It allows to control endpoints and identities that try to access the network - wired and wireless, including VPN connections.

PagerDuty

PagerDuty

PagerDuty is the central nervous system for a company’s digital operations. We identify issues in real-time and bring together the right people to respond to problems faster.

Tenable

Tenable

Organizations around the world rely on Tenable to help them understand and reduce cybersecurity risk across their attack surface—in the cloud or on-premises, from IT to OT and beyond.

Defence Innovation Accelerator for the North Atlantic (DIANA)

Defence Innovation Accelerator for the North Atlantic (DIANA)

The NATO DIANA accelerator programme is designed to equip businesses with the skills and knowledge to navigate the world of deep tech, dual-use innovation.

CyberEPQ

CyberEPQ

CyberEPQ (Cyber Extended Project Qualification) is the UK’s first and only Extended Project Qualification in Cyber Security.

Secure Halo

Secure Halo

Secure Halo has been protecting the intellectual assets and sensitive information of the federal government and private sector for 20+ years, through our proactive approach to risk and cybersecurity.