A New Approach To Combat Phishing

Why are we still relying on training tired and stressed people on a complex topic instead of searching for a technical solution? Providing employees with security training can do only so much. In the last couple of months, we’ve seen a number of massive data breaches that started with a simple email failure.

Why is providing training to combat phishing a failing strategy?

For example, take the DocuSign breach earlier this year: Emails from “dse@docus.com” began arriving in inboxes, claiming to be either a document that had been completed or one that was awaiting a final signature. These messages looked strikingly close to real DocuSign emails and were so convincing that millions of users were tricked into clicking on the phishing link in the email.

It’s likely that many of the people who clicked had received security awareness training of some kind, but despite their best efforts, the training failed and they became victims.

In addition to the DocuSign breach, criminal hackers were recently successful in fooling a number of top White House officials and other government workers with impersonation attacks.

Given the nature of their work, all of the victims had previously received cybersecurity awareness training. That the attackers were able to trick some of the highest-profile targets in the United States further proves that people are overwhelmingly susceptible to highly targeted deception-based attacks.

Pre-emptively “phishing” your own employees with simulated attack emails and educating those who click on links with a training video is an outdated approach that doesn’t meaningfully increase cyber resilience. Instead, it positions the IT security team as an agitator and source of humiliation for some employees.

Why is phishing so prevalent and hard to protect against?

Email is still the single most effective and commonplace way of reaching someone in the business world. Today’s complex ecosystem of email endpoints, spanning both company- and employee-owned tablets, phones, work laptops and home computers, means email access is ubiquitous, and people are addicted to constantly refreshing and checking for updates 24 hours a day, seven days a week.

Employees are likely checking email every waking hour, if not more, and the intense cognitive load this places on them can preclude deep, thoughtful reflection before they act on or respond to mail.
 
When stressed-out, overwhelmed people with emails all over the place try to make complex decisions on a continuous basis, it’s inevitable that mistakes will happen. We're only human, after all.

And this is just the typical employee. What about your security team? Security professionals are already hammered. You can’t possibly hire people to monitor and analyze all corporate email; it’s just unsustainable.

On average, 0.02 percent of all inbound email contains threat characteristics of phishing. If you’re an enterprise organisation with 50,000 employees on staff, that results in almost 4,000 potential threats per week.

Assuming an estimated five minutes of review time per email, you’ll need eight infosec employees working full-time, 24 hours a day to process this information. Or you could hire 16 people with $125k salaries each, which then makes handling email a multimillion-dollar problem.

Why do you suggest we have to change the compliance story?

Right now, cybersecurity and compliance do not smoothly coincide. In cybersecurity, the biggest compliance concern is typically centered around “not going to jail.” If your company is ever breached, you’ll have to show investigators what kind of protections you put in place to guard customer data.

If you can show you were aware email was a problem and that you invested in security training for employees, then investigators can check those boxes. Meeting compliance doesn’t solve our cybersecurity problems, but for a CSO who is focused on risk reduction, it mitigates blame from the board.

What do we need to ask and think about if we want to get better security results?

We need to strip away all the buzzwords and ask this question to get better results: How do we create force multipliers in cybersecurity? The answer is automation. The threat surface is growing, and cybercriminals are becoming more sophisticated.

They’re utilising threat tactics that have made it increasingly difficult for organisations to protect themselves at scale. Cybercriminals are putting pressure on businesses by increasing the volume of these kinds of targeted attacks, dramatically outpacing even the world’s largest security teams’ ability to keep up.

Through the use of automation tools, security leaders can help their teams more efficiently manage the overwhelming number of alerts and potential vulnerabilities they face on a daily basis. Programmatically remediating low-level threats enables staff to prioritise investigation of critical threats that require human judgement.

What do security leaders need to do to start this journey?

The essential first step here is one of recognition: Good employees acting upon good intentions can make poor decisions about security. This is true no matter how well trained they are. Social status, time constraints and urgency increase the psychological pressure to respond to seemingly legitimate requests, and training users alone is insufficient to counter that pressure.

Often, the challenge for security is one of time. Given infinite resources, all attacks are addressable. In reality, the volume of inbound threats exceeds the capacity of most enterprises.

Accordingly, security leaders need to use technology to ease the burden on IT teams while also looking for ways to further reduce risk for employees.

Security leaders should look through their cybersecurity policies closely to see if there are areas that are either overly manual (for example, reviewing every email with threat characteristics) or take up a lot of time with little value to the overall business.

CSO:
