To combat phishing, you must change your approach

Kevin O’Brien, CEO of GreatHorn, discusses why employee training isn't effective in combatting phishing and what companies should do instead.

Does the training provided to our colleagues, commonly called “whack-a-mole,” actually make a difference?

Maybe a better question is why are we still relying on training tired and stressed people on a complex topic instead of searching for a technical solution?

I recently talked with Kevin O’Brien (LinkedIn, Twitter), who has over 20 years' experience in the Boston cybersecurity scene. He was an early member of the @stake team (now Symantec), Cloudlock (acquired by Cisco for $300 million), and Conjur (acquired by CyberArk), O'Brien is now co-founder and CEO of GreatHorn, which provides next-generation anti-phishing and email security solutions to Fortune 500 companies.

We’ve shared a number of conversations over the last year. I’m impressed by his experience and grasp of the challenge. We talked about how we can do better. The highlights of our conversation are below:

Why is providing training to combat phishing a failing strategy?

Providing employees with security training can do only so much. In the last couple of months, we’ve seen a number of massive data breaches that started with a simple email failure.

For example, take the DocuSign breach earlier this year: Emails from “dse@docus.com” began arriving in inboxes, claiming to be either a document that had been completed or one that was awaiting a final signature. These messages looked strikingly close to real DocuSign emails — they were so convincing that millions of users were tricked into clicking on the phishing link in the email. It’s likely that many of the people who clicked had received security awareness training of some kind, but despite their best efforts, the training failed and they became victims.

In addition to the DocuSign breach, criminal hackers were recently successful in fooling a number of top White House officials and other government workers with impersonation attacks. Given the nature of their work, all of the victims had previously received cybersecurity awareness training. That the attackers were able to trick some of the highest-profile targets in the United States further proves that people are overwhelming susceptible to highly targeted deception-based attacks. 

Preemptively “phishing” your own employees with simulated attack emails and educating those who click on links with a training video is an outdated approach that doesn’t meaningfully increase cyber resilience. Instead, it positions the IT security team as an agitator and source of humiliation for some employees.

Why is phishing so prevalent and hard to protect against?

I look at it this way: Email is still the single most effective and commonplace way of reaching someone in the business world. Today’s complex ecosystem of email endpoints — spanning both company- and employee-owned tablets, phones, work laptops, home computers and phones — means email access is ubiquitous, and people are addicted to constantly refreshing and checking for updates 24 hours a day, seven days a week.

Employees are likely checking email every waking hour — if not more — and the intense cognitive load this places on them can preclude them from deep thoughtful reflection before taking action on and/or responding to mail. When stressed-out, overwhelmed people with emails all over the place try to make complex decisions on a continuous basis, it’s inevitable that mistakes will happen. We're only human, after all.

And this is just the typical employee. What about your security team? Security professionals are already hammered. You can’t possibly hire people to monitor and analyze all corporate email — it’s just unsustainable. We did a study recently where we broke down the scope of the problem: on average, .02 percent of all inbound email contains threat characteristics of phishing. If you’re an enterprise organization with 50,000 employees on staff, that results in almost 4,000 potential threats per week. Assuming an estimated five minutes of review time per email, you’ll need eight infosec employees working full-time, 24 hours a day to process this information. Or you could hire 16 people with $125k salaries each — which then makes handling email a multimillion-dollar problem.

Why do you suggest we have to change the compliance story?

Right now, cybersecurity and compliance do not smoothly coincide. In cybersecurity, the biggest compliance concern is typically centered around “not going to jail.” If your company is ever breached, you’ll have to show investigators what kind of protections you put in place to guard customer data. If you can show you were aware email was a problem and that you invested in security training for employees, then investigators can check those boxes. Meeting compliance doesn’t solve our cybersecurity problems — but for a CSO who is focused on risk reduction, it mitigates blame from the board.

What do we need to ask and think about if we want to get better security results?

We need to strip away all the buzzwords and ask this question to get better results: How do we create force multipliers in cybersecurity? The answer is automation. The threat surface is growing, and cybercriminals are becoming more sophisticated. They’re utilizing threat tactics that have made it increasingly difficult for organizations to protect themselves at scale. Cyber criminals are putting pressure on businesses by increasing the volume of these kinds of targeted attacks, dramatically outpacing even the world’s largest security teams’ ability to keep up.

Visibility is sadly lacking within most of today’s organizations, and it’s unrealistic for security teams to secure something they can’t see. There’s no tool or widget that can totally fix this and make everything safe. But we can get to a point where we have the ability to construct a security program that reduces risk in a demonstrable way. We can establish metrics for where your risk profile is today.

Through the use of automation tools, security leaders can help their teams more efficiently manage the overwhelming number of alerts and potential vulnerabilities they face on a daily basis. Programmatically remediating low-level threats enables staff to prioritize investigation of critical threats that require human judgement.

What do security leaders need to do to start this journey?

The essential first step here is one of recognition: Good employees acting upon good intentions can make poor decisions about security. This is true no matter how well trained they are. Social status, time constraints and urgency increase psychological pressure to respond to seemingly legitimate requests for which training users is insufficient.

Often, the challenge for security is that of time. Given infinite resources, all attacks are addressable. The reality of inbound threat exceeds capacity for most enterprises. Accordingly, security leaders need to use technology to ease the burden on IT teams while also looking for ways to further reduce risk for employees. Security leaders should look through their cybersecurity policies closely to see if there are areas that are either overly manual (i.e. reviewing all emails with threat characteristics) or take up a lot of time with little value to the overall business.

Read more:

SUBSCRIBE! Get the best of CSO delivered to your email inbox.