Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3/14/2018
10:30 AM
Jo-Ann Smith
Jo-Ann Smith
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

A Secure Enterprise Starts with a Cyber-Aware Staff

An attack doesn't have to be super high-tech to cause a lot of damage. Make sure your employees know how to spot an old-fashioned phishing campaign.

NotPetya. BadRabbit. Locky. New forms of ransomware may dominate the headlines and make victims WannaCry, but the majority of cyberattacks result from elementary tactics, such as phishing attacks. A recent Google study even found phishing attacks allow criminals to break into a victim's account more efficiently than they would with a data breach.

Phishing is a form of social engineering that uses email to steal sensitive user info, such as login credentials or access to customer data. Typically, an attacker poses as a trusted coworker or client — creating an email address with just one missing character, for example — and then dupes the victim into opening an attachment or clicking a malicious link, which can lead to malware installation or identity theft. In this day and age, we all check email on the go while switching between various devices, so most of us don't think twice about opening an attachment from someone we think we know. The bottom line: phishing is not overly sophisticated, but it is tricky enough to be effective.

According to the Ponemon Institute, phishing campaigns can cost the average U.S. company $3.77 million a year. In 2017 alone, several damaging phishing attacks showed us that we can all be fooled into opening the wrong thing at the wrong time. For example, a cybercriminal group sent "malware laden" emails to Chipotle staff, compromising point-of-sale systems at many locations and stealing customer credit card data from millions of people in the process. Google and Facebook were out $100 million each when an attacker used a phishing email to trick employees into wiring money overseas. And a spear-fishing scam that sent phony information requests to employees for "tax purposes" compromised more than 120,000 people at more than 100 organizations.

These examples only scratch the surface of the number of attacks I've seen throughout my 20-year career in information security. No matter how sophisticated attacks get over time, however, I still consider internal phishing testing one of the best ways to teach employees to be more cyber-resilient.

Different Audiences
Phishing testing allows you to assume the role of the attacker and target different audiences at your company to see who takes the bait. From there, you can establish a baseline measurement of employee susceptibility to cyberattacks and provide one-on-one education training to those who continue to get duped by the tests. The point isn't to call out anyone or embarrass employees for dropping the ball, but rather to help them learn along the way by stimulating personal security awareness. If they fall for your faux-phishing test, you can bet they'll be a liability when the real thing comes along.

In my current role at endpoint security firm Absolute, I've only introduced phishing testing exercises in the past year, but they've already paid off. A whaling attempt — that is, a phishing attempt aimed specifically at a high-ranking employee — recently targeted an executive at the company, and our internal training helped him recognize the attack and report it to our IT team right away. He attributed this to the phishing exercises and the internal training we've completed.

When developing the phishing test scenario, it's important to keep the fake email realistic enough to provide a teachable moment, yet not so appealing that it would fool even the cybersecurity nerd who's always chatting about the latest ransomware at the water cooler. In one of my previous roles, I sent out a phishing email that rewarded employees with gift cards to a coffee shop in our building as part of a made-up company celebration. Not only did a whopping 78% of our employees blindly click on it for a caffeine fix, but the coffee chain also honored the gift cards, with my company having to pay them back! After that experience, I think less about outsmarting employees when building a phishing test and more about re-creating a normal, unremarkable scenario that people will come across on a regular basis to provide a teachable lesson that will stick with them.

Today's security training programs should reflect the sophistication of modern-day attacks, but we also can't forget about the basics. Conducting interactive security trainings throughout the year keeps employees on their toes and allows enterprises to spot trends and track processes over time. Your employees won't remember a snooze-worthy PowerPoint presentation from two years ago, but they may think twice about opening a sketchy attachment after falling for a faux phishing attack.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jo-Ann Smith is an IT security professional who has worked in information technology as both an employee and a consultant for more than 20 years. She currently serves as the Director of Technology Risk Management and Data Privacy at Absolute. Jo-Ann is responsible for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7759
PUBLISHED: 2020-10-30
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://v...
CVE-2020-7760
PUBLISHED: 2020-10-30
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vu...
CVE-2020-27014
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains a race condition vulnerability in the Web Threat Protection Blocklist component, that if exploited, could allow an attacker to case a kernel panic or crash. An attacker must first obtain the ability to execute high-privileged code on the targ...
CVE-2020-27015
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland. An attacker must first obtain the ability to execute high-privi...
CVE-2020-27885
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...