A New Approach To Combat Phishing

Why are we still relying on training tired and stressed people on a complex topic instead of searching for a technical solution? Providing employees with security training can do only so much. In the last couple of months, we’ve seen a number of massive data breaches that started with a simple email failure.

Why is providing training to combat phishing a failing strategy?

For example, take the DocuSign breach earlier this year: Emails from “dse@docus.com” began arriving in inboxes, claiming to be either a document that had been completed or one that was awaiting a final signature. These messages looked strikingly close to real DocuSign emails, they were so convincing that millions of users were tricked into clicking on the phishing link in the email.

It’s likely that many of the people who clicked had received security awareness training of some kind, but despite their best efforts, the training failed and they became victims.

In addition to the DocuSign breach, criminal hackers were recently successful in fooling a number of top White House officials and other government workers with impersonation attacks.

Given the nature of their work, all of the victims had previously received cybersecurity awareness training. That the attackers were able to trick some of the highest-profile targets in the United States further proves that people are overwhelming susceptible to highly targeted deception-based attacks.

Pre-emptively “phishing” your own employees with simulated attack emails and educating those who click on links with a training video is an outdated approach that doesn’t meaningfully increase cyber resilience. Instead, it positions the IT security team as an agitator and source of humiliation for some employees.

Why is phishing so prevalent and hard to protect against?

Email is still the single most effective and commonplace way of reaching someone in the business world. Today’s complex ecosystem of email endpoints, spanning both company- and employee-owned tablets, phones, work laptops, home computers and phones, means email access is ubiquitous, and people are addicted to constantly refreshing and checking for updates 24 hours a day, seven days a week.

Employees are likely checking email every waking hour, if not more, and the intense cognitive load this places on them can preclude them from deep thoughtful reflection before taking action on and/or responding to mail.
 
When stressed-out, overwhelmed people with emails all over the place try to make complex decisions on a continuous basis, it’s inevitable that mistakes will happen. We're only human, after all.

And this is just the typical employee. What about your security team? Security professionals are already hammered. You can’t possibly hire people to monitor and analyze all corporate email, it’s just unsustainable.  

On average, .02 percent of all inbound email contains threat characteristics of phishing. If you’re an enterprise organisation with 50,000 employees on staff, that results in almost 4,000 potential threats per week.

Assuming an estimated five minutes of review time per email, you’ll need eight infosec employees working full-time, 24 hours a day to process this information. Or you could hire 16 people with $125k salaries each, which then makes handling email a multimillion-dollar problem.

Why do you suggest we have to change the compliance story?

Right now, cybersecurity and compliance do not smoothly coincide. In cybersecurity, the biggest compliance concern is typically centered around “not going to jail.” If your company is ever breached, you’ll have to show investigators what kind of protections you put in place to guard customer data.

If you can show you were aware email was a problem and that you invested in security training for employees, then investigators can check those boxes. Meeting compliance doesn’t solve our cybersecurity problems, but for a CSO who is focused on risk reduction, it mitigates blame from the board.

What do we need to ask and think about if we want to get better security results?

We need to strip away all the buzzwords and ask this question to get better results: How do we create force multipliers in cybersecurity? The answer is automation. The threat surface is growing, and cybercriminals are becoming more sophisticated.

They’re utilising threat tactics that have made it increasingly difficult for organisations to protect themselves at scale. Cyber criminals are putting pressure on businesses by increasing the volume of these kinds of targeted attacks, dramatically outpacing even the world’s largest security teams’ ability to keep up.

Through the use of automation tools, security leaders can help their teams more efficiently manage the overwhelming number of alerts and potential vulnerabilities they face on a daily basis. Programmatically remediating low-level threats enables staff to prioritise investigation of critical threats that require human judgement.

What do security leaders need to do to start this journey?

The essential first step here is one of recognition: Good employees acting upon good intentions can make poor decisions about security. This is true no matter how well trained they are. Social status, time constraints and urgency increase psychological pressure to respond to seemingly legitimate requests for which training users is insufficient.

Often, the challenge for security is that of time. Given infinite resources, all attacks are addressable. The reality of inbound threat exceeds capacity for most enterprises.

Accordingly, security leaders need to use technology to ease the burden on IT teams while also looking for ways to further reduce risk for employees.

Security leaders should look through their cybersecurity policies closely to see if there are areas that are either overly manual (i.e. reviewing all emails with threat characteristics) or take up a lot of time with little value to the overall business.

CSO:

You Might Also Read: 

Canadian University Hit For $12m Phishing Scam:

Google Neutralizes Phishing Scam:

« Facial Recognition Works on iPhone X. Sometimes.
Chinese & S. Korean Regulators Says ICO Investors At Risk »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Information Risk Management (IRM)

Information Risk Management (IRM)

IRM is an international consultancy dedicated to helping organisations solve key business issues. We provide strategic cyber security advice across a wide range of sectors.

Pindrop Security

Pindrop Security

Pindrop solutions are leading the way to the future of voice by establishing the standard for security, identity, and trust for every voice interaction.

Scientific Cyber Security Association (SCSA)

Scientific Cyber Security Association (SCSA)

The main goal of Scientific Cyber Security Association is the development of scientific and practical directions of cyber security.

ES2

ES2

ES2 is a consulting organisation specialising in Enterprise Security and Solutions Services.

Infosec Train

Infosec Train

Infosec Train provide professional training, certifications & professional services related to all spheres of Information Technology and Cyber Security.

ThreatGen

ThreatGen

ThreatGEN™ works with your team to improve your resiliency and industrial cybersecurity capabilities through an innovative and modernized approach to training and services.

Siemens

Siemens

Siemens Industrial Security Services provide solutions for cybersecurity in automation environments based on the recommendations of the international standard IEC 62443.

DisruptOps

DisruptOps

Built for today’s cloud-scale enterprises, DisruptOps’ Cloud Detection and Response platform automates assessment and remediation procedures of critical cloud security issues.

Future Technology Systems Company (FutureTEC)

Future Technology Systems Company (FutureTEC)

FutureTEC is a leading Information Technology Solutions Provider, delivering world-class Information Security, Information Management, and Business Solutions.

Canopius Group

Canopius Group

Canopius is a global specialty lines insurance and reinsurance company and one of the top 10 insurers in the Lloyd’s insurance market.

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

CSRI solves the cyber security threats of tomorrow, today. We work with industry and government leaders on innovative research that has real-world impact.

Tetra Defense

Tetra Defense

Tetra Defense is a leading incident response, cyber risk management and digital forensics firm.

Across Verticals

Across Verticals

Across Verticals is a boutique cyber security consulting firm that specializes in holistic, deeply technical and end to end cyber security advisory services based on industry best practices.

McKinsey & Company

McKinsey & Company

McKinsey & Company is a global management consulting firm. We are trusted advisor to the world's leading businesses, governments, and institutions.

Siometrix

Siometrix

Siometrix addresses digital identity fraud. It steals your attacker's time and prevents many prevalent attack vectors.

Vultara

Vultara

Vultara provides web-based product security risk management tools for electronics manufacturers.