The Psychology of Phishing Attacks


    In cybersecurity, the human condition is the most common – and easiest – target. For threat actors, exploiting their human targets is usually the lowest hanging fruit rather than developing and deploying an exploit. As a result, attackers often target an organization’s employees first, usually through phishing attacks.

    Phishing is a social engineering attack in which threat actors send fraudulent messages, usually emails, that appear to come from a trusted source and give the reader a sense of urgency. The FBI’s 2021 Internet Crime Report analyzed data from 847,376 reported cybercrimes and found a sharp rise in phishing attacks, from 25,344 incidents in 2017 to 323,972 in 2021.

    The Growing Sophistication of Phishing

    Early email phishing attacks usually involved a poorly worded scam message to trick users into sending money to fraudulent bank accounts; they have since evolved into sophisticated, well-crafted social engineering attacks. In today’s digital world, everyone knows that phishing is bad, but trust is still a primary vector for these attacks. Threat actors investigate their targets; they look at public employee profiles and job openings, supplier relationships, and whether an organization’s HR department uses a specific type of portal to convey information. The basis for all this potential phishing is the implicit trust the employees have in the pre-existing relationship.

    The commonality of these attacks does not diminish their danger. Verizon reported that phishing was the initial attack vector for 80% of reported security incidents in 2020 and one of the most common vectors for ransomware, a malware attack that encrypts data. Phishing was also the gateway for 22% of data breaches in 2020.

    In addition to the implicit trust that comes from a known sender, a successful phishing email plays on the reader’s emotions, creating a sense of urgency by applying just enough pressure to trick an otherwise diligent user. There are several ways to apply pressure to influence otherwise reasonable employees. Fake emails that appear to come from a person in a position of authority use the influence that bosses and departments such as HR have on the reader. Social pressures such as reciprocity (helping a coworker, perhaps) and consistency (paying your supplier or contractor on time to maintain a good relationship) can also lead the reader to click on a link in a phishing email.

    According to the Tessian Research report Psychology of Human Errors 2022, a follow-up to their 2020 report with Stanford University, 52% of people clicked on a phishing email because it appeared to come from a senior executive of the company, up from 41% in 2020. Employees are more prone to errors when they are fatigued, which threat actors regularly take advantage of. Tessian reported in 2021 that most phishing attacks are sent between 2pm and 6pm, the post-lunch slump when employees are most likely to be tired or distracted.

    Employees may be hesitant to report a phishing incident after realizing that they acted in good faith and were fooled. They are likely to feel bad and may even fear retaliation from their organization. However, reporting the incident is the best case scenario. If employees who fall victim to phishing attempts are allowed to sweep it under the rug, a cyber event can turn into a large-scale cyber incident. Instead, organizations should create a culture where cybersecurity is a shared responsibility and foster open dialogue about phishing and other cyber threats.

    Cybersecurity is hard, but learning about it doesn’t have to be

    Organizations that are successful in discussing cybersecurity make the subject recognizable and approachable for all employees. To enable open dialogue, organizations must employ a defense-in-depth strategy: a combination of technical and non-technical controls that reduce, mitigate and respond to cybersecurity threats. Security awareness training is just one piece of the defense-in-depth puzzle. To truly build a robust security program, many different mitigation measures must be introduced into the business environment.

    Annual security awareness training does not adequately address the human element exploited by phishing attacks. An example of a compelling training program is from the security awareness organization Curricula, which uses behavioral science techniques such as storytelling to make an impact on employee training. The purpose of Curricula’s narrative approach is to influence employees (to borrow a term from threat actors) and enable them to remember and recall the information for use in real-world scenarios. Their approach has merit: one Curricula customer reported that after launching a training and phishing simulation program, the click-through rate among 600+ employees fell from 32% to 3% over six months.

    When properly armed with tools, knowledge and resources, the previously distracted and disengaged employees can be your biggest line of defense: a human firewall against phishing, ransomware and malware.

    To succeed, management must be involved in the process – and in the training

    Part of understanding the human condition is understanding that you need the budget and tools to secure technical assets and to prevent, mitigate and transfer digital risk in order to optimize your security culture. Organizations may feel a false sense of security after passing a security audit or certification. But as recent years have shown, digital risks are constantly evolving, and threat actors will not hesitate to take advantage of national or global tragedies to turn cybercrime into profit. Threat actors routinely target organizations for poor technology choices, ignoring factors such as industry, size, or the type of data they protect.

    In addition, C-level executives are not immune to successful phishing attacks. Spearphishing or whaling attacks target specific executives of an organization. In 2017, it was announced that two technology companies, widely speculated to be Google and Facebook, had been the victims of a $100 million spear-phishing attack. US attorney Joon Kim called the event a wake-up call that anyone can become a victim of phishing.

    The digital economy continues to transform at a rapid pace. IDC reported that by 2023, 75% of organizations will have comprehensive roadmaps for implementing digital transformation, up from 27% today.

    For organizations to truly thrive and survive the next phase of digital risk associated with these transformations, they must first create a strong security culture and provide employees with the tools to identify, respond to and report phishing and other attacks. Furthermore, putting in place the right tools, such as multi-factor authentication, endpoint detection and response, and even a solid cyber insurance partner, can create a layered, defense-in-depth strategy. This layered defense approach helps organizations prevent a cyber event such as phishing from turning into a business-shattering cyber incident such as a data breach or ransomware attack.

    Tommy Johnson is a cybersecurity engineer at Coalition.
