Sponsored

Ask anyone in IT what it is that keeps them awake at night and most will probably reply “security”. Drill down into what specifically worries them and you’ll probably discover that it’s not the technology part but, rather, how to get the workforce to take security more seriously.
Proofpoint’s recently published State of The Phish report reveals that 90 per cent of organisations experienced some sort of phishing attack in 2019, with 88 per cent the target of spear phishing attacks and 86 per cent dealing with business email compromise (BEC) attacks.
The latest Phishing Activity Trends Report from the Anti-Phishing Working Group showed 162,155 phishing sites detected in Q4, a 17 per cent rise year on year.
There’s been a corresponding change in the nature of the attacks, too. Attacks today are for monetary gain: the APWG report found that criminals demanded gift cards in 52 per cent of BEC attacks, sought payroll diversion in 16 per cent and direct bank transfers in 22 per cent. How much are we talking? BEC cost businesses $1.7bn in 2019 in the US alone, according to the latest Internet Crime report by the FBI.
Back to the opening point. You can attempt to head all this off using software: you can filter out phishing emails and attempt to stop users going to malicious websites. For all that, it still only takes one email to get through and one person to click on it for your business to be compromised. According to Proofpoint, a third of users who open simulated phishing emails are apt to interact with them, thereby exposing your data, applications and network.
What’s the answer? A system of multi-layered defence that encompasses technology, process and people. Adopting any one of these in isolation won’t reduce your chances of a successful attack by cybercriminals. Adenike Cosgrove, Proofpoint cybersecurity strategist, says that given the vast landscape to police and the fact security pros are already stretched, you must create a culture of security that makes everybody responsible for tackling phishing. “To give the recommendation to a security team to look at everything is almost impossible,” she says. “That’s why we say you need to look at your attack surface from a people-centric point of view and figure out who cybercriminals would target in your business and why.”
Building this culture requires training and that training should make employees understand the threats they face and how to avoid falling victim. It should also focus on those who hold the crucial information the scammers are likely to want – known as Very Attacked People (VAPs).
Who are VAPs? Individuals within the C-suite, yes, but not exclusively: Proofpoint discovered that workers outside this elect band can also be targeted if they have responsibilities that give them access to sensitive documents, key data and systems, or other resources attackers deem desirable. VAPs must therefore be prioritised for training, with additional attention given to checking their accounts for potential compromise, but they are not the only ones you should train.
Back to school
The training you embark upon must break existing habits and teach a set of new skills to be effective. Such training, therefore, needs to be a comprehensive, regular and interactive process; it cannot be conducted using “passive” methods, like sending out emails and documents on policy.
It must also be applied to all employees, not just VAPs, only to differing degrees. Cosgrove says: “Cybersecurity best practices need to be applied daily to make a difference. Employees cannot learn how to do that if cybersecurity education is discussed just once a year.”
The problem training must address is that employees do not consider themselves responsible for detecting and avoiding phishing. Also, as the State of The Phish report shows, they are often ignorant of the types of threats: just 61 per cent correctly identified a phishing attack, while only half as many could correctly identify ransomware. The best way to get people to understand the threats is to show them what the threats look like, and to train them using phishing simulation campaigns that are tailored to their user profile.
“You can’t change behaviour if you don’t know what the risk is,” Cosgrove says. “Security professionals are doing a great job of blocking nefarious emails from reaching users, but they are not making users aware of what is targeting them.”
This is where something like Proofpoint’s Security Awareness Training can help. It includes an Anti-Phishing Training Suite that combines customisable simulations, interactive training modules and business intelligence tools, and allows you to “attack” your own employees with threats based on real phishing emails. You can test three types of lure: malicious links, dangerous attachments and requests for sensitive data. The point here is that you are in control of training: you have the flexibility to explore the effectiveness of, and employees’ susceptibility to, different lures and types of attack.
Of course, staff may respond differently, and Proofpoint recommends adopting a mix of assessment and training. This might involve delivering a brief message with some tips at the conclusion of an exercise, when a user might feel embarrassed, scared or even irritated or angry at having been tested, followed by a formal assignment a little later when they might be more receptive. Another approach is to use on-demand, computer-based training, as this allows staff to engage when they feel more comfortable and prepared.
The advice is to make this all part of a well-supported program. “If I’m a major target for credential phishing, and I take a course on credential phishing and I don’t pass the test, then I’m going to keep receiving the training,” Cosgrove says. “However, that’s also supplemented with scenario-based training so that I can try to train my brain to understand the threats and can change my behaviour.”
This model lets you move beyond the standard, passive approach of sharing a policy via email or documents to an engagement-based methodology that features a feedback loop. It is the best way for staff to break past habits and to develop the new cybersecurity skills you need.
How effective is this approach? Royal Bank of Scotland (RBS) had experienced a steady increase in attacks and in malware entering its systems, and therefore elected to train staff using Proofpoint for regular, ongoing phishing assessments with email templates that emulated actual phishing lures. As a result, RBS has reduced its overall susceptibility to phishing by more than 78 per cent; in the first two months of engagement, click rates fell from 47 per cent to 22 per cent, and they now hover at around seven to nine per cent.
There are, of course, some hurdles in the way of getting the kind of training you need to create the new culture of security. Building the culture isn’t purely an internal matter: you must also consider those outside the business. Most organisations work with an array of external agencies, contractors and suppliers who may have access to your data and systems. Such people can be especially vulnerable to BEC attacks from attackers posing as your employees. They should, therefore, also be included in any training and cyber awareness programme.
Finally, you need buy-in from the fabled C-suite, a powerful group of individuals who can sanction the training and also help reinforce it by driving home the need for vigilance among staff. A tried and tested technique for getting your C-suite on board is to show them the effect a cyber-attack can have on the bottom line and to talk about risk exposure.
Culture can be a difficult thing to quantify in general, but when it comes to cybersecurity in the modern enterprise, a collectively shared sense of responsibility is the only way to succeed. The foundations of that culture are people, and turning them into assets in the war against cybercriminals, rather than neutral observers at best and victims at worst, takes robust and practical training.
Sponsored by Proofpoint.