#417 – DO THIS TO WIN THE PHISHING WARS – PATRICK OW

The Security in Depth’s 2023 State of Cyber Security research project, which surveyed over 3,800 individuals, found a whopping 99% claimed they could identify a phishing attack.

What is of concern is 46% of them have clicked on a link they shouldn’t have in the last 12 months!

(Regardless of the actual percentages, these are very high numbers that warrant our attention.)

While people are more self-aware of phishing attacks, they still consciously click on those nasty links that will open the door for cybersecurity vulnerabilities and attacks.

The human element continues to drive breaches. About 91.5% of cyber-attacks are caused by human error according to the published data from Verizon Data Breaches Investigations Report, Stanford University, IBM, Varnois, Forbes, TechXplore, TheHackernews, Cybernews, Infosecurity-Magazine, ChiefExecutive.

The recent Future of Cyber 2023 report by Deloitte identified that 95% of cyber events are caused by human error.

What is more concerning is that insider attacks such as fraud, sabotage, and data theft plague nearly three-quarters (71%) of U.S. businesses, according to Capterra’s 2023 Insider Threats Survey. These schemes can cost companies hundreds of thousands of dollars and many businesses (79%) say they take longer to uncover than external threats.

Clearly, the human element leaves a lot to be desired when it comes to information security. Even when a breach is not directly caused by a person, the information systems were still built by people.

To win the cybersecurity war, we need to change the behaviour of humans, and that is quite an undertaking.

The message is simple – If an email seems fishy, don’t click on the link.

If an email seems fishy, or you know it is fishy and you still click on the link for whatever reason, then we cannot rely on humans as cybersecurity control. We need to technologically engineer in-built solutions to fight the cybersecurity war.

Cyber awareness training has lost its effectiveness

Cyber awareness training is a type of training that is designed to educate individuals and organisations on the risks and threats associated with using technology and the Internet.

The goal of cyber awareness training is to help individuals understand how to protect themselves and their information from cyber-attacks and to promote safe and responsible behaviour online.

Cyber awareness training can cover a wide range of topics, including:

  • Phishing – How to identify and avoid phishing emails and other social engineering attacks.
  • Password Security – Best practices for creating and managing secure passwords.
  • Data Privacy – How to protect sensitive data and personal information online.
  • Mobile Security – How to protect mobile devices from cyber threats.
  • Social Media Security – How to protect personal and business information on social media.
  • Malware – How to recognise and protect against malware and other types of malicious software.

These training have been projected as an important component of any cybersecurity program.

But not anymore.

Security in Depth’s results has shown us that people are the weakest link in the cybersecurity war.

Greed is good, especially for the cyber attackers

Humans are often considered the weakest link in cyber warfare because we are susceptible to social engineering attacks. Cyber attackers use a variety of tactics to exploit human vulnerabilities, including fear, curiosity, and greed, to trick people into clicking on malicious links or sharing sensitive information.

Phishing attacks can be highly targeted and tailored to the recipient’s interests, location, or job position, triggering an emotional response that will benefit the attackers.

This can make the email seem more credible and increase the likelihood that the recipient will fall for the scam.

The cyberattack pathway

A data breach is the outcome of a planned cyberattack. These events are caused by an external party forcing their way through an IT boundary and into sensitive network resources, usually by exploiting security vulnerabilities.

The five phases of the cyberattack pathway, also known as the “cyber kill chain,” are as follows:

  • Reconnaissance – In this phase, the attacker gathers information about the target, such as IP addresses, email addresses, and other identifying information.
  • Weaponisation – In this phase, the attacker creates a weapon or exploit that will be used to compromise the target’s systems, such as malware, viruses, or phishing emails.
  • Delivery – In this phase, the attacker delivers the weapon or exploit to the target. This can be done through email, social engineering, or other means.
  • Exploitation – In this phase, the weapon or exploit is used to gain access to the target’s systems and data.
  • Installation – In this phase, the attacker installs backdoors, keyloggers, or other tools that will allow them to maintain access to the target’s systems and data.

These phases are not always linear, and an attacker may revisit previous phases as needed to achieve their goals. The cyber kill chain model is useful for understanding how attackers operate and for developing strategies to defend against cyber-attacks. By understanding the different phases of the attack pathway, organisations can implement security measures and policies to prevent or mitigate attacks at each stage.

By clicking on a malicious link in an email, we have just opened the pathway for a cyberattack.

Automate the security of your email system; don’t trust humans

There are several steps you can take to improve the security of your email system apart from using encryption, implementing strong password policies, and limiting access to sensitive information:

  • Use continuously updated anti-virus and anti-malware software – Use anti-virus and anti-malware software to scan incoming and outgoing emails for viruses and other malicious software and attempts to remove them.
  • Use continuously updated anti-phishing software – Install anti-phishing software on your computer or mobile device to help detect and prevent phishing attacks. Anti-phishing software attempts to identify phishing content contained in e-mails and tries to block the content, usually with a warning to the user (and often an option to view the content regardless).
  • Implement effective DMARC, SPF, and DKIM solutions – Use technologies such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to prevent email spoofing and protect against phishing attacks. DMARC is an email authentication protocol that is designed to give email domain owners the ability to protect their domain from unauthorised use (e.g., email spoofing). DKIM is a protocol that allows an organisation to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. SPF determines whether a sender is permitted to send on behalf of a domain.
  • Monitor email traffic – Regularly monitor email traffic for suspicious activity and use intrusion detection and prevention systems to detect and prevent attacks.
  • Use a secure email gateway – Use a secure email gateway to help prevent spam and another unwanted email from entering your system.

Conduct regular phishing tests and sanction or terminate repeat offenders (even the CEO!)

Sanctions are intended to deter individuals, including executives, from engaging in reckless behaviours that are unacceptable (i.e., putting the whole organisation at risk) and to promote strict compliance with policies.

Send a very clear message – Consciously clicking on links contained in a known phishing email is gross misconduct, a breach of confidentiality, and a breach of personal safety rules (especially when personal information is compromised). The impact is huge.

Such reckless actions strictly contravene organisational rules and must attract the termination of employment – there is no other way to send this message and promote compliance.

Warning letters must be officially issued to repeat offenders, even if they are executives or CEO.

The soft rules are gone if we want to win the cybersecurity war. It is time to implement the hard rules (i.e., termination of employment) to avoid further escalation of cybersecurity threats and attacks.

By taking these hard people measures, you can help protect yourself and your organisation from phishing and cyberattacks. We cannot solely rely on technology to protect the organisation.

Remember that prevention is key. Terminating employees who knowingly clicked on a link they shouldn’t have is the only best defence against cyber threats. It sends a clear message of non-tolerance for reckless behaviours and actions.

Professional bio

As a Chartered Accountant with over 25 years of international risk management and corporate governance experience in the private, not-for-profit, and public sectors, Patrick helps individuals and organizations make better decisions to achieve better results as a corporate and personal trainer and coach at Practicalrisktraining.com.

Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution

Leave a Reply

Your email address will not be published. Required fields are marked *