The Data Protection Commission’s annual reports always make for interesting reading, and the 2019 edition was no exception. Maybe it’s because BH Consulting’s work crosses into both cybersecurity and data protection, but one detail caught our eye. Phishing was one of the highest ranked causes on the list of data breach notifications by category.

The 2019 DPC report showed 6,069 valid data security breaches notified to the regulator. That was a 71 per cent increase on the total from 2018. That’s no surprise, and we can probably put a lot of that down to higher awareness levels resulting from GDPR. Once we dig into the headline number, we see that unauthorised disclosure was by far the biggest cause of breaches (5,188 of cases). Next comes lost or stolen paper documents (344 cases). Then comes phishing, which accounted for 161 cases.

We don’t need no education

Among the victims, three Irish universities suffered breaches and voluntarily notified the DPC. Maynooth University was scammed out of €28,823.40 after an employee’s email was intercepted and replaced with bogus bank details. University of Limerick notified the DPC about four breaches that happened in 2018 and another phishing breach in 2019.

University College Dublin appears in the report over seven breach notifications between September 2018 and January 2019. Email accounts across multiple university schools were compromised and were detected to be sending spam. Inquiry reports into each case are due some time this year, the DPC said.

School’s out

Why are higher education institutions such an attractive target for fraudsters? A few reasons spring to mind: between academic staff, administration and students, there’s a large, diverse audience of thousands. That’s a rich trove of personal information about a lot of people, all in one place. Universities handle large budgets, so there’s a financial incentive for scammers who are out to make money. For criminals seeking valuables of a different kind, universities also have a lot of research and intellectual property.

Let’s not single out education specifically, though. We know of these cases because they reported to the regulatory authority, as they should have. My gut feeling is that a lot of organisations are still not reporting breaches or are doing so inaccurately. How often do we see reports using phrases like ‘sophisticated attack’? But digging deeper, the real cause was an employee tricked into downloading an infected attachment or clicking a malicious link.  Nothing very sophisticated about that, right?

Standing on the beaches looking at the breaches

Almost every breach has got to start somewhere, and phishing is often the opening gambit. (There’s a good infographic with a history of phishing here.) As security professionals know, attackers love phishing because it’s cheap and easy to set up, and yet such an effective weapon. As the 2019 Verizon Data Breach Investigations Report shows, almost one in three of all breaches involved phishing.

Stealing data or getting access to an internal company system might be the goal, but it often starts with a fake email. If it’s an orchestrated attack, there might be some reconnaissance first to identify specific people in an organisation. Once the criminal has identified someone of value, they then craft a targeted email to make it more likely the recipient will click on it.

Phish out of water

The worst thing that can happen is nothing – but I use that word with caution. In some phishing incidents, the victim won’t notice anything obvious, and that’s deliberate. They click on a link or an attachment and everything seems normal. Behind the scenes, it’s a different story: the link or attachment triggers a Trojan which works in the background, undetected. The payload might be to download ransomware, or to find a way past the firewall and steal data.

Ultimately, there’s always a financial aspect to the fallout. The data itself could have monetary value to the thieves. There’s the direct cost the organisation pays to remove ransomware or paying the costs to investigate and repair the security gap that led to the breach. The reputational damage to the organisation could lead to lost business.

The price you pay

And here’s where we come back to the data protection aspect. For every record that’s lost to a breach, the DPC can multiply the size of the fine it imposes. For every weakness in securing data – from unpatched systems to the lack of phishing awareness training – that’s another multiplier. Each data protection requirement that the organisation fails to meet will increase the penalty. In extreme cases, the DPC has the power to stop an organisation from processing data, which could be another severe financial hit.

So when we think in terms of money, the question becomes: can your organisation afford not to be secure? And the follow-up question is, what are the most effective investments to avoid falling victim to phishing?

Technical controls are necessary because they filter out a lot of the bad stuff. We can implement email trust technologies like DMARC and warning signs that flag emails and will filter out a lot of mass-produced phishing scams. But these controls won’t be 100 per cent effective because the bad guys are getting better at subverting controls.

I can learn to resist anything but temptation

With phishing, people not systems are the targets. That’s why consistent, regular training is key. In practice, that means educating people on what to look out for. It also means being patient when people get it wrong (because they will). In my experience, the best type of security education shows people the right things to do without shaming them when they’ve done it wrong. We need people to report when something bad has happened, by mistake or because they thought the mail was genuine. If you punish people for clicking a link, then you can be sure they won’t tell you the next time.

The most effective messages should encourage people to stop and think, and to resist temptation. We’re all in a hurry, it’s a busy world, but taking a moment to ask some questions can make the difference. Is this email really as urgent as it seems? (No.) Do I need to click on it right now, or can it wait? (It can wait.) Is my mobile device more secure than a work laptop with antivirus and a security infrastructure protecting it? (Almost certainly not.) Is this email genuine and clearly meant for me? (Take a moment to look at the obvious signs – and keep in mind that you can’t hover over an email address if you’re browsing on a smartphone.)

You gotta fight for your right

If we can educate people to employ healthy scepticism, that’s one of the best weapons in the fight against phishing. And it might just keep the regulator from your door.