While we can’t speculate on the specifics of the Arizona voter registration hack before they are confirmed, we know that in general cyber criminals take advantage of the fact that employees are conditioned to say ‘yes’ to authority figures. Without the right training, it can be difficult for employees to distinguish phishing emails from safe emails, particularly if they appear to come from someone with a senior title.
Attacks can be very sophisticated, as they are no longer out-of-the-blue emails with poor grammar and terrible formatting. Cyber criminals can put significant time, in terms of days or weeks, into an attack, establishing a relationship with the targeted employee. The criminals may ask for innocent pieces of information along the way and after becoming a trusted source, persuade the targeted employee to expose sensitive data or give away their credentials.
Key points organizations must keep in mind include:
Where a phishing email is a malicious email disguised to look like a message from a legitimate source (like a bank, a package shipping service, or your HR department), a spear phishing email, as the name implies, is more targeted and includes personalized information about the recipient. A spear phishing email could be disguised to look like a message from your HR department or your boss, with specific content such as your full name, internal information, and company logos. Each of these “trust tokens” makes the email appear more legitimate, and this, in turn, drives open and click rates.
Employees who fall victim to spear phishing attacks put entire organizations at risk. The malicious links and attachments hidden in spear phishing emails may allow criminals to plant malware on a user’s machine. From there, they can gain access to an organization’s network and other users’ computers, steal intellectual property, or just wreak havoc on the network. Even if attackers don’t end up stealing money or IP from a company, it’s not “no harm, no foul”, as the full impact may come later.
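The “message that appears to come from your boss” pattern above can be screened for on the receiving side. The following is an added example, not code from the original post or from Wombat: it flags inbound mail whose display name matches a known executive but whose address does not, whose sender domain merely resembles the organization’s, whose Reply-To points elsewhere, or whose text leans on urgency and payment language. The organization domain `example.com`, the `EXEC_DIRECTORY` lookup and the sample messages are all constructed for the example.

```python
# Added example (not from the original post): defender-side screening for
# executive impersonation and lookalike sender domains in inbound email.
from email.utils import parseaddr
import re

ORG_DOMAIN = "example.com"                      # constructed for this example
# Hypothetical directory: display names an attacker would want to borrow.
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.com"}
URGENCY_TERMS = ("urgent", "immediately", "wire", "gift card", "confidential")


def _normalize(name: str) -> str:
    return re.sub(r"\s+", " ", name.strip().lower())


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain: str) -> bool:
    """True when the sender domain is not ours but resembles it (examp1e.com,
    example-corp.com, example.co)."""
    if domain == ORG_DOMAIN:
        return False
    label, org = domain.split(".")[0], ORG_DOMAIN.split(".")[0]
    return label == org or org in label or _edit_distance(label, org) <= 2


def score_message(from_header: str, reply_to: str, subject: str, body: str) -> list:
    """Return a list of human-readable findings; an empty list means no flags."""
    findings = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    expected = EXEC_DIRECTORY.get(_normalize(display))
    if expected and addr != expected:
        findings.append("display name matches an executive but address differs")
    if domain and _lookalike(domain):
        findings.append(f"sender domain {domain} resembles {ORG_DOMAIN}")
    if reply_to and parseaddr(reply_to)[1].lower() != addr:
        findings.append("Reply-To differs from From")
    hits = [t for t in URGENCY_TERMS if t in f"{subject} {body}".lower()]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings
```

Such a check belongs alongside, not instead of, SPF/DKIM/DMARC enforcement; it is most useful for surfacing messages that pass authentication because the attacker controls the lookalike domain.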
There is no solution that will have you covered 100%, but training your end users through simulated phishing attacks provides them real exposure and helps them learn to identify and avoid spear phishing emails.
A user who is aware of an issue like spear phishing knows what to look for and how it can affect them. Training gives the user the opportunity to put their education into action, practice it, and demonstrate that they understand.
As with any technology asset, maintaining an active security posture is not only possible, it is essential. Regular, ongoing interactions with users create opportunities for engaging assessment and remediation activities, and our data shows that these exercises and teachable moments can reduce user-based risks, particularly those associated with phishing attacks.
The results reflected in the Managing Insider Risk through Training & Culture research show that only 35% of respondents said their senior executives have made end-user security awareness and training a priority, and 60% say their employees are not knowledgeable or have no knowledge of the company’s security risks. These numbers should worry you.
Challenge the way you think of cybersecurity education. Think of it not just as a “check-the-box” activity, but also a “fill-the-bucket” activity. A once-a-year, soup-to-nuts presentation or video about all things cybersecurity allows you to check the box, but does it allow you to fill the bucket and keep it fresh? A year from now, what will the contents of that bucket be like? Think of water that would sit, untouched, for a year. Not so fresh, right? What (other than Twinkies and M&Ms) could withstand a stagnant period of that length and still be of value? Cyber security education is very similar. If you only train your employees once a year, your results will be less than stellar.
Take a different approach to employee training, delivering short, bite-sized, palatable bursts of information that can be used to nourish end users’ understanding year round. Can you check the box? Absolutely. The difference is in how you fill and refresh the bucket. Regular infusions of awareness and training keep things fresh and interesting, and they will improve your results.
Our 2016 Beyond the Phish™ Report reveals many cybersecurity threats that are prevalent today — including oversharing on social media, unsafe use of WiFi, and company confidential data exposure — are not well-understood by end users. These activities are not only dangers in their own right, but also are contributing factors to the ever-expanding phishing problem.
Recent attacks prove there are many security exposures that originate outside of email attacks, including wireless networks, software vulnerabilities, portable device security, lack of encryption and much more. Accordingly, organizations must keep track of all types of emerging hacks so they can educate their employees properly, making it tougher for cyber criminals to access companies’ confidential data.
Always remember forewarned is forearmed.
About Joe Ferrara
President and CEO, Wombat Security Technologies, Inc.
Joe Ferrara is the President & CEO of Wombat Security Technologies, a leading security awareness training and assessment company. Joe has provided expert commentary and has spoken at numerous information security industry events including the CISO Executive Network forum, ISSA International and regional conferences. He brings over 20 years of experience in technology marketing, operations and management to his role at Wombat. His previous roles include President, CEO and Chairman of Tollgrade Communications, CEO of Marconi Communications North America and General Manager of Ericsson’s Wireless Software & Services and Routing & Switching Divisions. Joe is also a Board Member of Voci Technologies.