Last week, in part 2 of our 4-part series, we discussed the limitations of combating Phishing when your IT team is resource constrained. But when suspicious emails make their way to your users’ inbox, are you confident in their response – are your users careless or curious clickers? If they receive a spam or Phishing email, do you know that they are situationally aware before opening the email? Even if the email is opened, are you confident that they will know not to click embedded links or download/open email attachments that may install Ransomware, cause business email compromise (BEC) or install other malware that could lead to a data breach?
Some users might simply be careless.
Not purposefully negligent or intending to cause harm to the company, but in the sense that they are hurried and under pressure to do their job. Their mind is already juggling 10 other tasks and they simply don’t give much conscious thought to opening and engaging with an email. After all, with the amount of email each user has to read and respond to, the act of opening and filtering them can be a repetitive and rushed task. In a survey of IT teams, the 2017 State of the Network [1] reported that 63% saw an increase in email and browser malware and 52% acknowledged an increase in the sophistication of security threats. Specific to Phishing, the 2017 Ransomware Report [2] shows that 67% of Phishing attacks that succeed in tricking employees are spoofing and impersonation based. So when users are rushed to clear their inbox, simple carelessness on their part doesn’t help in catching a bad email from a “supposed” known and trusted source.
Some users might be curious.
Others might have an internal trigger to “stop and think” before clicking on a suspicious email, but still be curious enough to learn what the email is about — carefully engaging because they are confident in their actions and ability to decipher the situation. In this case, would they know how far to go before stopping their engagement with the email? Some users are conditioned to assume that if the email got through the gateway, it’s ok to interact with. Others might know that some successful Phishing emails do evade gateway security, but assume their endpoint security will protect them as a secondary layer of defense and therefore that it’s safe to click. That is a valid assumption if the endpoint security has built-in web security features and advanced file analysis tools and is defending against known threats, but if you use the same vendor for gateway and endpoint security, the scanning engine is probably the same. So if a new Phishing threat evades the gateway, there’s a chance it could also evade the endpoint. And even if the endpoint security solution has non-signature-based detection and prevention like machine learning and behavior-based scanning, there still isn’t a direct protection method against social engineering itself.
Boosting employee security awareness.
The 2017 Verizon Data Breach Investigation Report [3] shows that 7.3% of users (across multiple sources) were successfully phished. The report goes on to say that “in a typical company (with 30 or more employees), about 15% of all unique users who fell victim once, also took the bait a second time — 3% of all unique users clicked more than twice, and less than 1% clicked more than three times.” There are Security Awareness Training companies that provide Phishing simulation training for organizations and they could also provide stats to show the number of users successfully phished in a training scenario. Either way, it’s a problem for the organization to address.
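To turn a Phishing simulation campaign into the kind of figures quoted above (click rate per campaign, share of users who fell for it once, twice, or more, and who should get refresher training), here is an added example in Python. It is not code from the post or from any simulation vendor; the event log is constructed sample data and the action names (delivered, clicked, reported) are assumptions.

```python
from collections import defaultdict

# Constructed phishing-simulation event log (sample data, not from a real campaign):
# (campaign_id, user, action) with action = delivered | clicked | reported.
EVENTS = [
    ("c1", "alice", "delivered"), ("c1", "alice", "reported"), ("c1", "bob", "delivered"),
    ("c1", "bob", "clicked"), ("c1", "carol", "delivered"), ("c1", "carol", "clicked"),
    ("c1", "dave", "delivered"), ("c2", "alice", "delivered"), ("c2", "alice", "reported"),
    ("c2", "bob", "delivered"), ("c2", "bob", "clicked"), ("c2", "carol", "delivered"),
    ("c2", "dave", "delivered"), ("c2", "dave", "clicked"), ("c3", "bob", "delivered"),
    ("c3", "bob", "clicked"), ("c3", "carol", "delivered"), ("c3", "carol", "reported"),
    ("c3", "dave", "delivered"), ("c3", "dave", "clicked"), ("c4", "bob", "delivered"),
    ("c4", "bob", "clicked"),
]

def _by_action(events):
    """Map action -> campaign -> set of users (repeat events are de-duplicated)."""
    index = defaultdict(lambda: defaultdict(set))
    for campaign, user, action in events:
        index[action][campaign].add(user)
    return index

def _click_counts(events):
    """user -> number of distinct campaigns in which that user clicked the lure."""
    idx = _by_action(events)
    users = {u for s in idx["delivered"].values() for u in s}
    return {u: sum(u in s for s in idx["clicked"].values()) for u in users}

def campaign_click_rates(events):
    """Per campaign: fraction of users who received the lure and clicked it."""
    idx = _by_action(events)
    return {c: len(idx["clicked"][c] & users) / len(users)
            for c, users in idx["delivered"].items()}

def repeat_clicker_breakdown(events):
    """Shares of all unique users, expressed like the DBIR figures quoted above."""
    clicks = _click_counts(events)
    n, victims = len(clicks), [k for k in clicks.values() if k >= 1]
    return {
        "phished_once_or_more": len(victims) / n,
        "repeat_among_victims": sum(k >= 2 for k in victims) / max(len(victims), 1),
        "more_than_twice": sum(k > 2 for k in clicks.values()) / n,
        "more_than_three": sum(k > 3 for k in clicks.values()) / n,
    }

def refresher_training_queue(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns and never reported one."""
    reporters = {u for s in _by_action(events)["reported"].values() for u in s}
    return sorted(u for u, k in _click_counts(events).items()
                  if k >= min_clicks and u not in reporters)
```

Users who report a lure are tracked separately from clickers, because a rising report rate is the metric that shows the training is working.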
An article by the Identity Management Institute [4] writes, “Companies are failing to prevent cyber intrusions because they fail to address the weakest link in the information security chain which is people (employees, contractors, customers, and vendors) who have access to systems.” The article also suggests that many people ignore reports showing that human error is a main cause for a data breach because they think network security solutions are the only viable solution to stop the hacker attacks.
The 2017 Ransomware Report [2] shows that 51% of surveyed IT professionals are only “slightly to moderately confident” in their organization’s defense and that 40% don’t have an Incident Response team to investigate and contain security problems. Human behavior is something that’s hard to defend against and that’s where employee security awareness training comes in.
An important part of your organization’s cyber security program is employee security awareness training. It should teach them why hackers want access to their data, how they propagate their attacks, what vectors they go after, what the ramifications are to the organization if successful, and lastly, what steps the employees can take to help report and mitigate possible threats. The 2017 Ransomware Report [2] indicated that 72% of surveyed IT professionals confirm their organizations have a training program in place “to educate employees and raise awareness for defense”. While that is a good thing, it also means 28% report they don’t have a training program, so there is still room for improvement in the effort to stop suspicious emails at the user level before they result in something bad.
There are links to additional free resources below that can help you learn more about Phishing and you can also check out EdgeWave Anti-Phishing Solutions: https://www.edgewave.com/solutions/phishing/
Part 4 of this 4-part series will wrap up with some ideas for helping you build a stronger defense in combating Phishing attacks. What additional layers of security can be easily added? How can you empower your employees to be part of the solution and not the problem in protecting against a data breach due to a Phishing attack?
National Cyber Security Alliance (NCSA): https://staysafeonline.org/
STOP. THINK. CONNECT.™ is the global online safety awareness campaign to help all digital citizens stay safer and more secure online: https://www.stopthinkconnect.org/
Department of Homeland Security Cybersecurity Toolkits: https://www.dhs.gov/stopthinkconnect-toolkit#
Report Phishing: https://www.antiphishing.org/report-phishing/overview/
[1] 2017 State of the Network: https://www.prnewswire.com/news-releases/nearly-90-percent-of-enterprise-network-teams-spend-time-troubleshooting-security-issues-80-percent-report-more-time-spent-on-security-vs-last-year-300436830.html
[2] 2017 Ransomware Report: https://www.cybersecurity-insiders.com/portfolio/2017-ransomware-report/
[3] 2017 Verizon Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/#report
[4] Identity Management Institute: https://www.prnewswire.com/news-releases/employee-errors-cause-most-data-breach-incidents-in-cyber-attacks-300342879.html