A New Approach To Combat Phishing

Why are we still relying on training tired and stressed people on a complex topic instead of searching for a technical solution? Providing employees with security training can do only so much. In the last couple of months, we’ve seen a number of massive data breaches that started with a simple email failure.

Why is providing training to combat phishing a failing strategy?

For example, take the DocuSign breach earlier this year: Emails from “dse@docus.com” began arriving in inboxes, claiming to be either a document that had been completed or one that was awaiting a final signature. These messages looked strikingly close to real DocuSign emails, they were so convincing that millions of users were tricked into clicking on the phishing link in the email.

It’s likely that many of the people who clicked had received security awareness training of some kind, but despite their best efforts, the training failed and they became victims.

In addition to the DocuSign breach, criminal hackers were recently successful in fooling a number of top White House officials and other government workers with impersonation attacks.

Given the nature of their work, all of the victims had previously received cybersecurity awareness training. That the attackers were able to trick some of the highest-profile targets in the United States further proves that people are overwhelming susceptible to highly targeted deception-based attacks.

Pre-emptively “phishing” your own employees with simulated attack emails and educating those who click on links with a training video is an outdated approach that doesn’t meaningfully increase cyber resilience. Instead, it positions the IT security team as an agitator and source of humiliation for some employees.

Why is phishing so prevalent and hard to protect against?

Email is still the single most effective and commonplace way of reaching someone in the business world. Today’s complex ecosystem of email endpoints, spanning both company- and employee-owned tablets, phones, work laptops, home computers and phones, means email access is ubiquitous, and people are addicted to constantly refreshing and checking for updates 24 hours a day, seven days a week.

Employees are likely checking email every waking hour, if not more, and the intense cognitive load this places on them can preclude them from deep thoughtful reflection before taking action on and/or responding to mail.
 
When stressed-out, overwhelmed people with emails all over the place try to make complex decisions on a continuous basis, it’s inevitable that mistakes will happen. We're only human, after all.

And this is just the typical employee. What about your security team? Security professionals are already hammered. You can’t possibly hire people to monitor and analyze all corporate email, it’s just unsustainable.  

On average, .02 percent of all inbound email contains threat characteristics of phishing. If you’re an enterprise organisation with 50,000 employees on staff, that results in almost 4,000 potential threats per week.

Assuming an estimated five minutes of review time per email, you’ll need eight infosec employees working full-time, 24 hours a day to process this information. Or you could hire 16 people with $125k salaries each, which then makes handling email a multimillion-dollar problem.

Why do you suggest we have to change the compliance story?

Right now, cybersecurity and compliance do not smoothly coincide. In cybersecurity, the biggest compliance concern is typically centered around “not going to jail.” If your company is ever breached, you’ll have to show investigators what kind of protections you put in place to guard customer data.

If you can show you were aware email was a problem and that you invested in security training for employees, then investigators can check those boxes. Meeting compliance doesn’t solve our cybersecurity problems, but for a CSO who is focused on risk reduction, it mitigates blame from the board.

What do we need to ask and think about if we want to get better security results?

We need to strip away all the buzzwords and ask this question to get better results: How do we create force multipliers in cybersecurity? The answer is automation. The threat surface is growing, and cybercriminals are becoming more sophisticated.

They’re utilising threat tactics that have made it increasingly difficult for organisations to protect themselves at scale. Cyber criminals are putting pressure on businesses by increasing the volume of these kinds of targeted attacks, dramatically outpacing even the world’s largest security teams’ ability to keep up.

Through the use of automation tools, security leaders can help their teams more efficiently manage the overwhelming number of alerts and potential vulnerabilities they face on a daily basis. Programmatically remediating low-level threats enables staff to prioritise investigation of critical threats that require human judgement.

What do security leaders need to do to start this journey?

The essential first step here is one of recognition: Good employees acting upon good intentions can make poor decisions about security. This is true no matter how well trained they are. Social status, time constraints and urgency increase psychological pressure to respond to seemingly legitimate requests for which training users is insufficient.

Often, the challenge for security is that of time. Given infinite resources, all attacks are addressable. The reality of inbound threat exceeds capacity for most enterprises.

Accordingly, security leaders need to use technology to ease the burden on IT teams while also looking for ways to further reduce risk for employees.

Security leaders should look through their cybersecurity policies closely to see if there are areas that are either overly manual (i.e. reviewing all emails with threat characteristics) or take up a lot of time with little value to the overall business.

CSO:

You Might Also Read: 

Canadian University Hit For $12m Phishing Scam:

Google Neutralizes Phishing Scam:

« Facial Recognition Works on iPhone X. Sometimes.
Chinese & S. Korean Regulators Says ICO Investors At Risk »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CORDIS

CORDIS

CORDIS is the European Commission's primary public repository and portal to disseminate information on all EU-funded research projects and their results.

Talend

Talend

Talend is a leader in cloud and big data integration software. Applications include Risk and Compliance management.

FDM Group

FDM Group

FDM Group is an international Professional services company with a focus on IT. Services offered include Software Testing, and Information Security with a focus on operational security and compliance.

Ammune.ai

Ammune.ai

Ammune.ai (formerly L7 Defense) helps organizations to protect their infrastructure, applications, customers, employees, and partners against the growing risk of API-borne attacks.

ShiftLeft

ShiftLeft

ShiftLeft is a continuous application security platform, purpose-built for the modern software development life cycle.

Hallam-ICS

Hallam-ICS

Hallam-ICS designs MEP systems for facilities and plants, control and automation solutions, and ensures safety and regulatory compliance.

GlobalPass

GlobalPass

Covering 200+ countries with 78 000 databases, GlobalPass provides sophisticated facial biometrics verification and deep screening, delivering peace of mind to every client.

High Security Center (HSC)

High Security Center (HSC)

High Security Center provide real-time threat protection. We protect your company from targeted and persistent attacks using technologies such as Machine Learning and Behavioral Analysis.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

Stairwell

Stairwell

Stairwell is building a new approach to cybersecurity around a vision that all security teams should be able to determine what’s good, what’s bad, and why.

Tego Cyber

Tego Cyber

Tego Cyber delivers a state-of-the-art threat intelligence platform that helps enterprises deploy the proper resolution to an identified threat before the enterprise is compromised.

Comcast Business

Comcast Business

Comcast Business keeps businesses ready for what’s next with powerful connectivity, advanced cybersecurity solutions, and the right people at your side.

Spike Reply

Spike Reply

Spike Reply is the company within the Reply Group focusing on cybersecurity and personal data protection.

AutoSec

AutoSec

AutoSec supports the FFI program Electronics, Software and Communication by dissemination and exploitation of the results of projects related to automotive cybersecurity.

Tonex

Tonex

Tonex providing industry-leading technology training, courses, seminars, workshops, and consulting services to companies and government organizations around the world.

Cynch Security

Cynch Security

Cynch Security are passionate about building a world where every business is resilient to cybersecurity risks, no matter what their size.