You’ve probably heard about the serious security problems flowing from email phishing scams. Security teams around the globe are now on high alert regarding phishing attempts within their organizations and targeted spearphishing attacks directed against key staff.
What has become clear is that the bad guys #1 method to gain unauthorized access into sensitive data is to steal your logon password(s) or other authorization credentials. Put simply, they want your system access.
Why is this the top hacker technique used? Phishing is usually the path of least resistance for the bad guys to get the sensitive data they want without being detected. If they can become you, they can slowly steal the data over time and cover their tracks as they go deeper and deeper into the network.
Taking a step back, even Shakespeare understood centuries ago that people were the weakest link in security. This CSO magazine article points to those social engineering weaknesses revealed in the play Othello.
So once you click on that bad link, what happens next? Popular cybercrime techniques include hidden downloads of malware onto your system, placing keyloggers on your PC to capture keystrokes or using different forms of ransomware to extort cash from victims by encrypting your data and demanding cash for the data back.
And just in case you didn’t get the memo, the litany of major data breach stories that began with the use of phishing attacks is growing by the month.
Here are a few examples:
- Sony Hackers Used Phishing Emails To Breach Company Networks
- New Spear Phishing Campaign Pretends to be EFF
- Investigators Suspect Anthem Breach Began with ‘Phishing’ of Employees
- Email Attack on Vendor Set Up Breach At Target
- Phishing scam breach compromises data of 39K (in a large Texas hospital network)
Recovery Costs After Phishing Attacks Is High
To add fuel to the fire, a recent report by the Ponemon Institute puts the average cost of recovering from a successful phishing attack at $300,000.
So that brings us back the vital question: what can, and should, be done to strengthen our security defenses and protect and train our people against phishing attacks? When incidents do occur, how does your staff respond?
Typical Security Awareness Training Responses
As I’ve traveled around the world, I often talk to public- and private-sector security and technology leaders about many different cybersecurity problems they face. While everyone seems to have an opinion on phishing and spearphishing, there are big differences in what groups are actually doing on the ground with employees.
As in other security areas, there are the leaders, adopters and laggards. Surprisingly, one study from 2014 showed that more than half of enterprise employees have not received any security awareness training. This percentage seems too high to me…but I digress.
Starting with the laggards, I hear words like “Been there, done that, got the T-shirt.” This group just doesn’t seem to understand the urgency of this serious, evolving, phishing issue.
You may be in this group if you simplify the problem with lines like: “I just tell my customers to not click on any unsolicited email links.” Sadly this is not much more effective than yelling, “Just do the right thing,” to teenage children.
Others in this bottom group debate the merits of awareness training and may claim it offers minimal value, even though there is plenty of data to suggest otherwise.
In the next (middle) group, there is a compliance mindset. This attitude is not bad, but not enough to change behaviors either.
I am no longer surprised by those who just want the cheapest awareness training they can find. Many have a “check the box” mindset. While they certainly care and want to do the right thing, they don’t want to ask for more budget or fight other IT infrastructure priorities. They keep doing the same things – even though it is not working. As you might expect, they struggle to get a different result or change security culture.
This group may offer “death by PowerPoint,” outdated materials, boring content or teach the same things over again. While security videos can sometimes be helpful and a positive step away from stale materials, watching annual videos is usually not the right answer. Employees learn best with interactive content that is frequent, engaging and personalized. Also, a good program contains multiple channels of communication and a variety of live reminders (like group workshops or brown-bag lunches).
Internal Phishing Exercises Debated
Many organizations are going further by performing tests on their employees and sending home-grown phish that tempt to see if employees will click. This “phish your own staff” technique can be effective in lowering the overall click rates. This approach is also a popular way to get security metrics, because it is easy to know how many people click when the email is coming from your own security team.
Taking this further, a growing trend is using “just in time” training for those who “fail” and click on an internally generated phishing link. Some organizations force staff to go off to a cognitive behavioral therapy course if they fall for the test phish.
However, other orgs say "no" to internal phishing campaigns, because they feel it creates an atmosphere that lowers trust for the security team or management. This internal phishing process can instill fear and certainly gets attention. However, if not administered properly and with care, this process can become only a penalty that shows up on your performance appraisal as a "demerit" for doing the wrong thing.
Sadly some organizations that phish their own staff still do a poor job of security awareness training with their employees. They fail to show staff, in detail, what they should and should not be doing regarding phishing and other online security topics from mobile devices to cloud computing to creating (and changing and not sharing) passwords.Read more: In omen for DDoS-hit Australia, new reflection attacks leverage third-party services
Security Awareness Leaders
What are some of the leading groups doing? Here are four more tips to help combat our serious phishing challenges.
1) Provide effective, attractive security awareness training. Security awareness training regarding phishing can be fun. Make it brief, frequent and focused. Teach staff practical things about phishing campaigns they don’t already know, and let them practice with real examples that are meaningful.
Use gamification techniques. Challenge and support staff to do better and build a phish-aware culture by encouraging the right behaviors for home and work. Tying in family is a great way to get employee attention. Make your security awareness an enabler of “ambassadors for good.”
For state and local governments, use posters, calendars and other materials available via the MS-ISAC toolkits. These free items are very helpful for Cybersecurity Awareness Month which began on October 1. Also, Staysafeonline.org is a great resource for ideas.
“Effective, engaging, end user training is essential, and not just for stopping employees from clicking on malicious links or giving away sensitive access or information. Well-trained employees who know what to do and how to do it will help identify issues on the front lines and be the best cyber defense overall.
In addition, security incidents not only happen because of phishing. We can get lulled into believing that preventing phishing is everything, but there are significant risks associated with the Cloud, BYOD, and lost devices, as well as other new technologies always are on the horizon. Social media access at work is also making the problem more complicated and the problem is growing.”
2) Encourage reporting of phish. Do your employees know what to do when they receive a phish (in any form)? Not clicking or deleting is certainly better than clicking, but reporting is also essential. You want honesty when employees do click, so you can respond quickly and effectively. (This is why hiding clicks can be a problem.)
Create an email box like: firstname.lastname@example.org or email@example.com. Have you trained cyber teams to review these emails real-time to ensure that dangerous phish are deleted from all internal email mailboxes and let others know?
When I was the Michigan CSO, we built just such an email box, and the number of incoming messages from staff grew by almost 100x after we rolled out good phishing awareness training to all staff. (This incident was after we already filtered out 95 percent of incoming emails to the state as spam or malware.)
On one occasion, a particularly nasty phish, with destructive malware downloads if you clicked, was forwarded to our team by an employee on a weekend. Our normal process deleted that email from thousands of staff email boxes and prevented an expensive and time-consuming major cyber incident. That one phish incident response action saved the state more than $50K in documented recovery costs.
3) Ensure that phishing is about more than just email. Does your staff understand that phishing can come from a telephone call or a text message? As discussed earlier, the person sitting next to them can even “phish” for your password.
For example, a few months ago, I got a call informing me that I had “won a free cruise for my family.” I played along as the caller went through a tempting checklist of options and “free extras.” About 10-minutes into the call, the person wanted my credit card number for “processing charges.” I refused, and let him know that I had no idea who he really was.
Similar techniques are used to pretend to be “Microsoft support” or a fake help desk calls. Bad guys use clever techniques to disguise their true motives. Do you train for such things at home and work?
4) Develop a good cyber incident response plan. What does your cyber team do when a phish is discovered and security incident response is needed? Is a cyber incident response plan in place?
NIST offers this incident handling guide for security incidents. You can report phishing scams to the US-CERT here. The anti-phishing working group (APWG) also has ideas, guidelines and helpful reporting tools to use.
For more information, I offer more security awareness do’s and don’ts in this blog – from back in 2014 when I was the Michigan CSO.
It’s an ongoing challenge, but don’t take the bait.
Note: An earlier version of this article published on Government Technology.
About Dan Lohrmann
Dan Lohrmann is an internationally recognized cybersecurity leader, technologist and author. Lohrmann joined Security Mentor, Inc. in August, 2014, and he currently serves as the Chief Security Officer (CSO) and Chief Strategist for this award-winning security awareness training company. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. You can follow Lohrmann on Twitter at @govcso