One of the most important steps for improving security is to understand where you’re starting from first. That covers technical questions like what systems you run or where you store data. Then there’s the all-important human factor: how much do the organisation’s people know about security risks like phishing and malware?
Research repeatedly tells us attackers still rely heavily on phishing. The 2017 Verizon Data Breach Investigation Report found that malicious email attachments caused 66 per cent of malware infections linked to data breaches or ransomware. The same report showed that phishing affects many industries, from manufacturing and retail to healthcare and accommodation.
Just last week, the Associated Press reported that the Fancy Bear hacking group targeted at least 87 contractors working on high-tech projects – many of them classified – for the U.S. defence forces. The AP said up to 40 per cent of victims clicked on spear phishing emails. Attackers targeted them via personal Gmail accounts or corporate email addresses.
Clearly, there’s value in having staff trained to spot potential phishing attempts, because it reduces the risk of a malware infection, or worse. Last summer, while attackers targeted energy companies around Europe, Ireland’s Electricity Supply Board received spear phishing emails. The ESB avoided any incident because an eagle-eyed engineer recognised the attempt for what it was and reported it.
Establishing a baseline
Awareness training often starts with a simulated phishing attack, because this establishes the organisation’s level of security understanding at that point in time. Best practice is to follow this exercise with an awareness programme. The next time the organisation runs a simulated phishing test, the percentage of staff who open these emails usually decreases, and it should keep falling as the cycle of testing and training repeats over time.
Security professionals can then use this information to identify specific training that a particular group of employees might need. It also helps when calculating the benefit of future investments. If senior management needs to approve spending, then data about current awareness levels will strengthen the case.
At BH Consulting, we find the most useful methods for phishing awareness involve combining different types of campaigns, just as genuine attackers would. Real-world phishing campaigns often vary their tactics. Some are designed to obtain user passwords, to compromise other accounts, or to trigger a malware infection.
Avoiding the blame game
In February, the UK National Cyber Security Centre published new guidance on phishing that is full of helpful advice. The NCSC warns, rightly, that focusing excessively on users’ role in foiling phishing attacks can cause organisational harm. “It opens the door to a ‘blame culture’, and the establishment of punishments and sanctions for users who ‘fail’ at spotting phishes,” the agency said.
That’s why it’s worth thinking about how you promote and encourage positive security behaviour. Accurate or not, some security professionals think of humans as ‘the weakest link’. At BH Consulting, we find it’s more helpful when an organisation sees its people not as weak points to be mitigated but as a vital first line of defence. Phishing awareness training goes a long way to changing that approach.