Here we go again. On July 26, Sen. Claire McCaskill, D-Mo., said that Russians unsuccessfully tried to hack her Senate computer network.
McCaskill said the phishing attempt was similar to the one used successfully against John Podesta, Hillary Clinton's campaign chairman in the 2016 presidential election. In an indictment on July 13 by special counsel Robert S. Mueller III, several Russian government hackers were accused of sending emails that tricked Podesta and other Clinton staffers into clicking on links that enabled the attackers to obtain the victims’ login and password credentials.
Nearly three-quarters of phishing, malware, and ransomware attacks enter through email, according to a SANS Institute study. Many are phishing attacks in which seemingly legitimate messages fool victims into clicking on links or attachments that begin downloading malicious software and give the nefarious actors access to confidential information or disable the network entirely. In others, an attacker gains access to an email account and impersonates the owner to target employees who are in a position to share sensitive data or initiate wire transfers.
Organizations are nearly three times more likely to suffer a breach through these social attacks than via actual network vulnerabilities, according to Verizon's 2018 Data Breach Investigations Report.
The approaching midterm elections bring new attention to the need for campaign staffers and election officials around the country to be vigilant against these sneaky attacks. However, the hacking-by-email threat is significant for every government agency every day.
At a January conference of the Armed Forces Communications and Electronics Association, David Bennett, director of operations for the Defense Information Systems Agency, said 13 billion questionable messages flood Pentagon email inboxes every year before they are automatically scanned and deleted.
Most other government agencies are also aware of the threat and have deployed email security technologies to protect themselves. However, a major weakness remains: the human factor.
Thanks to growing cybersecurity awareness, 78% of people never click on a phishing attempt, according to the Verizon study. However, 4% can be expected to do so. Since a criminal needs success with only one victim to penetrate a network, that's a troubling number, and it makes employee behavior the clear top risk to email security.
A 2018 survey by my company and Dimensional Research of 630 email security pros around the world showed that poor employee behavior is a much greater cause for concern than whether organizations have the right defensive tools in place. Poor employee behavior was the top concern in the survey at 84%; inadequate tools came in at 16%.
There's also growing concern today that while email remains the primary vector through which malware gets delivered inside organizations, the threat appears to be moving toward collaboration platforms such as Slack or services such as Google Drive that allow for the sharing of files that previously would have been attached to an email or SMS.
And yet, while everyone thinks employee training is important, only 77% of the respondents to our survey have training programs in place at their organizations.
That's madness. It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem rather than a technical one. Here are four ways in which such a program can be strengthened.
Highly personalized: The email security training programs at many organizations today, if they exist at all, are often generic and rote — say a fairly brief, one-size-fits-all online course administered by the HR department. Instead, programs should be customized to each employee's role, with content geared toward the individual's area of the business. For example, someone with financial responsibilities may have a target on their back for phishing scams in which a hacker poses as a legitimate individual and asks for payment. Training for everyone in such a role should specifically address this type of threat.
More personalization can go a long way toward educating each and every employee.
Carrots, not just sticks: It’s too easy for email security programs to be all about punishing or embarrassing those who fall prey to a scam. There's no reward for good behavior. Employees who, for example, proactively report suspicious correspondence to IT should be recognized in some way, whether in a complimentary memo to all staff or even a material award like a gift card.
Email security programs need to find ways to recognize those who didn't click on a malicious link. Positive reinforcement can be very effective.
Beyond classroom-style training: Stronger tactics are needed than routine, classroom-style courses (whether in person or online). More substantive training using real-world scenarios can be a powerful tool.
For example, agencies could run a fire drill by having "white hat" specialists stage a simulated attack on the network. In another drill, the account of a recognized senior official could be used to replicate an account takeover attack and gauge how workers respond.
These kinds of in-your-face approaches can help organizations and their employees learn more about their ability to fend off email-borne attacks than they would sitting in a classroom.
More accountability: Department and office-level leaders, not just the central HR or security team, should be held accountable for results of the email security training program. This helps instill a culture of "everyone owns email security" across the organization and also supports the notion that the programs should be tailored to each specific area of the business.
By following these four steps, government agencies and others can better meet the email security threat head-on.