6 ways to equip your phishing tackle box

Like many of the threats in cybersecurity, using a comprehensive and business-driven approach to reveal risk can help you focus your efforts on what matters most.


Attackers would almost unanimously agree that “social engineering,” exploiting the human weaknesses that software and hardware controls cannot fully close, is one of the top tools of the trade.

These methods of human deception have become uncomfortably widespread. Phishing attacks range from basic individual financial theft (such as stealing credit card numbers) to sophisticated campaigns against organizations, companies, or people of interest. This article aims to raise awareness of the threat landscape and introduces six common problems that keep companies from minimizing risk, along with a solution for each.

Most companies buy tools that promise to filter out the majority of malicious email traffic and adopt “ethical phishing” programs that teach employees not to click on links or attachments. Despite these two common investments, companies still suffer significant successful attacks. Tools and phishing programs can also create a false confidence that keeps leaders from adapting to change or thinking about the bigger picture.

Efforts to prevent phishing or train employees can also backfire or produce the wrong behaviors. For example, we have seen individuals (occasionally leaders directing staff) nominate one person to click the link to confirm it was “a test” from the company so they could warn the others. In another real example, a senior engineer forwarded a suspected email to his personal account and opened it there (still on his company laptop) to see whether it was a company test. In yet another, a corporate email filter blocked an official notice to a violent-crime victim about the early release of his attacker from prison.

From a technology standpoint, companies can find themselves anywhere between inadequate protective and detective security tooling and so many tools that they conflict with each other, are partially implemented, understaffed, or forgotten about.

Whether you work at a school, church, doctor’s office, SMB, or a Fortune 500 company, your organization should be taking a comprehensive, risk-based approach to combating phishing rather than playing a random game of whack-a-mole with technology or flavor-of-the-month training.

There are 6 common problems that get in the way of progress:

  1. The target is moving (and growing)
  2. Ethical phishing programs suffer from diminishing returns
  3. Excessive focus on reactive measures
  4. The traditional username/password model is fundamentally broken
  5. Personal and corporate communications are intertwined
  6. Companies lack key process controls that can prevent serious harm

Let’s unpack these challenges one at a time:

1. The target is moving (and growing)

While email phishing is currently involved in over 80% of reported breaches, attackers are noticeably shifting tactics to include social media messaging (Facebook, LinkedIn, etc.) and SMS/text, channels where most companies have made none of the protective investment they have made in their corporate email systems. Kaspersky reports that 20 percent of all phishing attacks are launched on social media.

  • Key Take-away: Companies should look at every vector of phishing and social engineering that is occurring and place a proportionate investment against each. Educate yourself and your workforce on the types of attacks, and understand what your current controls actually protect against (an email gateway, for example, never sees a link delivered over SMS or a LinkedIn message). (See “Deep Sea Phishing: A Taxonomy for Email Threats” for a deeper dive into the email threat landscape.)

2. Ethical phishing programs suffer from diminishing returns

Awareness and behavior change are fundamental to cyber security. However, many organizations are fatigued by their ethical phishing programs (simulating a phishing attack and responding with remedial training when an employee does not pass). In some organizations, these programs account for 95% of all security education provided to the workforce.

A myopic focus on not clicking links or opening attachments erodes the employee’s broader ability to protect themselves and the company. Moreover, as organizations start using phishing metrics in discipline or compensation decisions, employees disengage, deciding it is safer not to interact with a real email than to risk “failing” the phishing test. Fear and shame create an annoyed, deflated organization (often angry at the security team in particular) instead of an empowered culture.

  • Key Take-away: There is a balance to strike when deploying ethical phishing programs and they must be a well-articulated component of a broader vision.

3. Excessive focus on reactive measures

Organizations react to increasing phishing attacks by upgrading the email server, adding the latest spam/malware filtering, or countless other measures that shore up technical defenses. Many companies focus exclusively on these reactive measures instead of taking a proactive, risk-based approach to define and build the right controls for the threats and business risks that exist.

With a solid understanding of business risk, multiple options emerge that can significantly reduce it through a combination of people, process, and technology solutions. Companies typically spend more on security tools and services after a breach or major security event than they would have spent proactively, before reactiveness became the driver.

  • Key Take-away: Use a threat- and risk-based framework to understand your current controls and what is needed to manage risk to an acceptable level and be fit-for-purpose for your business.

4. The traditional username/password model is fundamentally broken

The human and organizational approach to passwords must change. One of the most damaging outcomes of a phishing attack is the exposure of passwords and other credentials, which are then used to pivot to more important accounts and systems beyond email. Ideally, companies should move to phishing-resistant multi-factor authentication such as FIDO U2F security keys; Google reported eliminating most password-compromise risk for its workforce by distributing YubiKeys to 50,000 employees worldwide. A security key cannot be phished the way a password can: instead of handing over a reusable secret, it signs a challenge that is bound to the site the browser is actually on, so a login attempted on a look-alike domain yields nothing the attacker can use against the real one.

In organizations whose password behaviors and technical limitations prevent full multi-factor adoption, efforts should focus on reducing the severity and impact of a password compromise. Individuals must commit to consistent and secure account behaviors in their work and personal lives, starting with strong passwords. In many cases individuals use the SAME credentials across many personal and professional accounts, so a single phished password unlocks all of them.

  • Key Take-away: Organizations should push for password vaults (tools like LastPass), unique strong passwords for each system that doesn’t offer single sign-on, and multi-factor login options that greatly limit the impact when a password is compromised.
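To make the phishing-resistance argument concrete, the Go program below is an added example, not code from this article or from Google's deployment. It models a simplified U2F/WebAuthn login with Go's standard-library ECDSA: the authenticator signs sha256(rpId) together with a hash of the browser-built client data (challenge plus observed origin), and the relying party rejects anything whose rpId, origin, or challenge is not its own. The relying party at https://example.com and the look-alike domain login-examp1e.com are assumed for the demo; the real protocols add authenticator flags, signature counters, and attestation, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// clientData is built by the browser, never by the page: the challenge plus the origin the browser observed.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// assertion is the security key's signed response to a login challenge.
type assertion struct {
	RPIDHash       [32]byte // sha256 of the relying party id (the site's domain)
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over signedMessage(RPIDHash, ClientDataJSON)
}
// securityKey models a hardware token: one key pair per relying party id.
type securityKey map[string]*ecdsa.PrivateKey

// register mints a key pair scoped to rpID; the relying party stores the public half.
func (k securityKey) register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failure is unrecoverable in this demo
	}
	k[rpID] = priv
	return &priv.PublicKey
}

// signedMessage is the byte string both sides agree the signature covers.
func signedMessage(rpIDHash [32]byte, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return msg[:]
}

// browserAssert is the browser's half of a login: the relying party id is derived from the page origin, so a look-alike page never obtains a signature for the real site.
func browserAssert(key securityKey, origin, challenge string) (assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return assertion{}, err
	}
	rpID := u.Hostname()
	priv, ok := key[rpID]
	if !ok {
		return assertion{}, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // two strings: cannot fail
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{RPIDHash: rpHash, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the relying party's check: every compared field is under the signature, so a captured assertion can be neither relayed elsewhere nor replayed.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case a.RPIDHash != sha256.Sum256([]byte(rpID)):
		return fmt.Errorf("rpIdHash does not match this relying party")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: assertion was signed for %q", cd.Origin)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case !ecdsa.VerifyASN1(pub, signedMessage(a.RPIDHash, a.ClientDataJSON), a.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// loginScenarios runs three logins against the assumed relying party https://example.com and returns each outcome (nil means the login was accepted).
func loginScenarios() (legit, replay, phish error) {
	const rpID, origin = "example.com", "https://example.com"
	key := securityKey{}
	pub := key.register(rpID)
	a, err := browserAssert(key, origin, "challenge-1") // 1. genuine login
	if err != nil {
		return err, err, err
	}
	legit = verifyAssertion(pub, rpID, origin, "challenge-1", a)
	// 2. an attacker who captured assertion #1 replays it after a new challenge was issued
	replay = verifyAssertion(pub, rpID, origin, "challenge-2", a)
	// 3. the victim is on a look-alike page that relays the real site's challenge
	_, phish = browserAssert(key, "https://login-examp1e.com", "challenge-3")
	return legit, replay, phish
}

func main() { fmt.Println(loginScenarios()) }
```

Running it prints `<nil>` for the genuine login, a challenge-mismatch error for the replay, and a "no credential registered" error for the look-alike page, which fails before any signature exists to relay. A password has no equivalent of either check: whatever the user types into the look-alike page is exactly what the attacker needs.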

5. Personal and corporate communications are intertwined

Most people load personal and professional accounts onto the same device. This creates opportunities for malware and compromises in one sphere to affect the other, and opens channels for unauthorized data movement that may not be secured. In one real-world case, a senior manager had both personal and corporate email loaded on his laptop. His personal email was compromised, and the malware used the global contact list to email itself to thousands of suppliers and customers as well as the entire company.

  • Key Take-away: Help your workforce improve their security behaviors at home and at work. Promote and/or offer guidance, processes, and tools that serve both (integrating where possible, with the right controls in place).

6. Companies lack key business process controls that can prevent serious harm

Many business email compromises rely on urgency and the apparent importance of the sender to pressure recipients into financial transactions with the attacker. In many cases, strong processes around transaction approval, verification, and other safeguards would have prevented the malicious transaction. The W-2 scam in the US is a classic example.

In this identity and tax fraud scam, the attacker poses as the CEO or another key finance/HR leader who needs access to employee W-2s. Unfortunately, they are very commonly sent to the attacker without question. Beyond technical controls and behavioral training, there are key processes in the company that should help individuals and departments guard their crown jewels, such as confirming any bulk request for employee data with the named requester over a channel other than the email that asked for it. Public Service Announcement: there are no circumstances in which the CEO needs a zip file of all employee W-2s in the next half hour.

  • Key Take-away: Ensure your company has built controls into the processes that surround your critical data and business assets. 

Phishing is a widespread problem without easy or instant fixes. These six challenges can help you think about what your program needs to address, and the key take-aways give you a concrete place to start. Like many of the threats in cybersecurity, using a comprehensive and business-driven approach to reveal risk can help you focus your efforts on what matters most.

This article is published as part of the IDG Contributor Network.

Copyright © 2019 IDG Communications, Inc.
