Three Ways to Help Your Company Combat Common Security Mistakes


Chad Spitters, VP, Chief Information Security Officer, Technology Infrastructure & Operations, ICMA-RC

The first "recorded" phishing attack occurred in 1995, and while the methods and level of sophistication have evolved, we still face many of the same challenges with phishing today. The reason phishing continues to be a scheme we see used is that the math is simple. There are hundreds of email services and multiple accounts per user, and over time the probability that a user will click on something malicious that lands in their inbox grows dramatically. The individuals leveraging phishing schemes know that the craftier the message, the more tantalizing it becomes to open. So of course, if something looks like an official email from HR, why not click? And who can resist a 70 percent off coupon?

Reading the latest breach reports tells us that phishing is often how the first attacker enters a breached system. As a result, we've begun to rely on technical controls (email filtering, phishing tests, URL rewrites, sandboxes, etc.) to prevent phishing attacks. While our technical controls get stronger every year and manage to stop a large portion of phishing attacks, we know that many can still slip through and land in a user's inbox.

While we don't want to abandon these controls and technologies, we know more is needed. My grandfather used to tell me that if you want to fix a problem, go to the source. If we can't get to the source of the phishing email, why not target the source of the ill-fated click? Let's face it: our user community is only trying to do their job and, ultimately, help our business grow. It's up to us to teach our users what they need to know to keep themselves, and really the entire company, safe.

How Do We Do This?

Anyone who has children knows there is a stage in their lives when it seems the only word they know is "Why?" So, let's start there: Why should our users care about phishing attacks? Why should they take the time to read each email that comes into their inbox carefully? Why should they scrutinize every link before they click? And why should they remember the old rule that if it looks too good to be true, it probably isn’t?


We can answer these “Whys” for our user community and help them understand by sharing our knowledge and recent learnings, including details from breach reports. But ultimately, we need them to widen their focus. It's all about shared responsibility and building a security culture throughout the company.

Putting it into Practice

From a tactical, top-down level, one thing we have found effective to combat phishing is grabbing five minutes on a regular basis at senior leaders' team meetings. In this setting, we can share our insights from breach reports and drive home our focus on email vigilance. Sharing real examples such as "Were you aware that 81 percent of the breaches investigated started with a user clicking on a phishing email?" can be effective in driving focus and change. No one wants themselves or someone on their team to be the source of a breach, so educating leaders at this level helps them champion the message throughout the team structure.

At an individual user level, we routinely conduct phishing tests (weekly, monthly, quarterly) using deceptively crafted emails to intentionally trip people up. Those who fail are then asked to watch a training video to help them better identify phishing attempts in the future.

And at a firm-wide level, we've started issuing an old-fashioned school report card (remember those?) showing each team's grade for detecting phishing, creating a little bit of friendly competition amongst colleagues. As soon as these grades became public, managers, leaders, and end users took notice and began to address the issue. Leave it to a bit of healthy rivalry to raise awareness and a sense of shared responsibility!

While none of these are perfect solutions or guaranteed to solve every issue, they can begin to "move the needle" to change user behavior and foster a security culture throughout the organization.
