You have probably heard about the serious security problems flowing from email phishing scams. Security teams around the globe are now on high alert regarding phishing attempts within their enterprises and targeted spear-phishing attacks directed against key staff.
What has become clear is that the bad guys' No. 1 method to gain unauthorized access to sensitive data is to steal your logon password(s) or other authorization credentials. Put simply, they want your system access.
Why is this the top hacker technique used? Phishing is usually the path of least resistance for the bad guys to get the sensitive data they want without being detected. If they can become you, they can slowly steal the data over time and cover their tracks as they go deeper and deeper into the network.
Taking a step back, even Shakespeare understood centuries ago that people were the weakest link in security. This CSO magazine article points to those social engineering weaknesses revealed in the play Othello.
So once you click on that bad link, what happens next? Popular cybercrime techniques include hidden downloads of malware onto your system, placing keyloggers on your PC to capture keystrokes, or using different forms of ransomware to extort cash from victims by encrypting your data and demanding payment to get the data back.
And just in case you didn’t get the memo, the litany of major data breach stories that began with the use of phishing attacks is growing by the month. Here are a few samples:
Phishing scam breach compromises data of 39K (in a large Texas hospital network)
I could go on and on. There are even major state government examples that go back years, such as the major South Carolina data breach that began with a phishing attack.
And once hackers are inside your systems, as the OPM breach timeline points out, getting intruders out of internal networks can be very difficult. Questions surrounding “what else did they do” always linger.
Recovery Costs After Phishing Attacks Are High: New Ponemon Institute Report Shows Why
To add fuel to the fire, a just-released report by the Ponemon Institute puts the average cost of recovering from a successful phishing attack at $300,000.
Securityledger.com said this about the new report:
“Lost productivity was the biggest cost driver of successful phishing attacks, whereas clean up and incident response accounted for most of the costs of remediating malware attacks, according to Ponemon’s report, The Cost of Phishing & Value of Employee Training. For the report, Ponemon surveyed 377 IT security employees at a range of organizations.”
Tripwire.com offered this quote on the report from Larry Ponemon: “Companies who adopted effective training programs saw an average improvement of 64 percent in their phishing email click rate, according to Ponemon’s proof-of-concept studies.”
So that brings us back to the vital question: what can, and should, be done to strengthen our security defenses and protect and train our people against phishing attacks? When incidents do occur, how does your staff respond?
Typical Awareness Training Responses
As I’ve traveled the world over the past year, I often talk to public- and private-sector security and technology leaders about many different cybersecurity problems they face. While everyone seems to have an opinion on phishing and spear-phishing, there are big differences in what groups are actually doing on the ground with employees.
As in other security areas, there are the leaders, adopters and laggards. Surprisingly, one study from 2014 showed that more than half of enterprise employees have not received any awareness training. (This percentage seems too high to me, but let’s move on.)
Starting with the laggards, I hear words like “Been there, done that, got the T-shirt.” This group just doesn’t seem to understand the urgency of this serious, evolving, phishing issue.
You may be in this group if you simplify the problem with lines like: “I just tell my customers to not click on any unsolicited email links.” Sadly this is not much more effective than yelling, “Just do the right thing,” to teenage children.
Others in this bottom group debate the merits of awareness training and may claim it offers minimal value, even though there is plenty of data to suggest otherwise.
In the next (middle) group, there is a compliance mindset. This attitude is not bad, but not enough to change behaviors either.
I am no longer surprised by those who just want the cheapest awareness training they can find. Many have a “check the box” mindset. While they certainly care and want to do the right thing, they don’t want to ask for more budget or fight other IT infrastructure priorities. They keep doing the same things – even though it is not working. As you might expect, they struggle to get a different result or change security culture.
This group may offer “death by PowerPoint,” outdated materials, boring content, or teach the same things over again. While security videos can sometimes be helpful and a positive step away from stale materials, watching annual videos is usually not the right answer. Staff learn best with interactive content that is frequent, engaging and personalized. Also, a good program contains multiple channels of communication and a variety of live reminders (like group workshops or brown-bag lunches).
Internal Phishing Exercises Debated
Many organizations are going further by performing tests on their employees, sending home-grown phish that tempt staff to see if they will click. This “phish your own staff” technique can be effective in lowering the overall click rates. This approach is also a popular way to get security metrics, because it is easy to know how many people click when the email is coming from your own security team.
Taking this further, a growing trend is using “just in time” training for those who “fail” and click on an internally generated phishing link. Some organizations force staff to go off to a cognitive behavioral therapy course if they fall for the test phish.
However, other orgs say "no" to internal phishing campaigns, because they feel it creates an atmosphere that lowers trust for the security team or management. This internal phishing process can instill fear and certainly gets attention. However, if not administered properly and with care, this process can become only a penalty that shows up on your performance appraisal as a "demerit" for doing the wrong thing.
Sadly some organizations that phish their own staff still do a poor job of security awareness training with their employees. They fail to show staff, in detail, what they should and should not be doing regarding phishing and other online security topics from mobile devices to cloud computing to creating (and changing and not sharing) passwords.
Side note: I think these phishing tests of your own staff can be a good part of a successful information security awareness program, but should not be the central focus. If you do administer these phishing exercises, don’t fall into the trap of becoming “Dr. No” – which is the major CISO trap to avoid. See No. 1 in this Pulse article for more details.
The Security Awareness Leaders
What are some of the leading groups doing? Here are four more tips to help combat our serious phishing challenges.
1) Provide effective, attractive security awareness training. Security awareness training regarding phishing can be fun. Make it brief, frequent and focused. Teach staff practical things about phishing campaigns they don’t already know, and let them practice with real examples that are meaningful.
Use gamification techniques. Challenge and support staff to do better and build a phish-aware culture by encouraging the right behaviors for home and work. Tying in family is a great way to get employee attention. Make your security awareness an enabler of “ambassadors for good.”
For state and local governments, use posters, calendars and other materials available via the MS-ISAC toolkits. These free items are very helpful for the upcoming Cybersecurity Awareness Month in October. Also, Staysafeonline.org is a great resource for ideas.
Here’s a related quote from Marie White, president of Security Mentor, on the 2015 Verizon breach report from earlier this year.
“Effective, engaging, end user training is essential, and not just for stopping employees from clicking on malicious links or giving away sensitive access or information. Well-trained employees who know what to do and how to do it will help identify issues on the front lines and be the best cyber defense overall.
In addition, security incidents not only happen because of phishing. We can get lulled into believing that preventing phishing is everything, but there are significant risks associated with the Cloud, BYOD, and lost devices, as well as other new technologies that are always on the horizon. Social media access at work is also making the problem more complicated and the problem is growing.”
2) Encourage reporting of phish. Do your employees know what to do when they receive a phish (in any form)? Not clicking or deleting is certainly better than clicking, but reporting is also essential. You want honesty when employees do click, so you can respond quickly and effectively. (This is why hiding clicks can be a problem.)
Create an email box like: firstname.lastname@example.org or email@example.com. Have you trained cyberteams to review these emails in real time, to ensure that dangerous phish are deleted from all internal email mailboxes, and to let others know?
When I was the Michigan CSO, we built just such an email box, and the number of incoming messages from staff grew by almost 100x after we rolled out good phishing awareness training to all staff. (This was after we already filtered out 95 percent of incoming emails to the state as spam or malware.)
On one occasion, a particularly nasty phish, with destructive malware downloads if you clicked, was forwarded to our team by an employee on a weekend. Our normal process deleted that email from thousands of staff email boxes and prevented an expensive and time-consuming major cyberincident. That one phish incident response action saved the state more than $50K in documented recovery costs.
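The reporting-mailbox review described above can be partly scripted. The following is an added example (not code from the original post or from any state program) that triages one forwarded phish: it pulls out the sender, reply-to and links, flags the usual lure patterns, and produces the criteria a mail administrator would use to sweep the same message out of every mailbox. The sample message, addresses and domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a phish an employee forwarded to the reporting mailbox
# (hypothetical addresses and domains, not taken from the original post).
REPORTED_PHISH = """\
From: "IT Help Desk" <helpdesk@mail-support-example.test>
Reply-To: recover@example-attacker.test
To: employee@agency.example
Subject: Action required: password expires today
Message-ID: <20150901.1234@mail-support-example.test>
Content-Type: text/html

<p>Your password expires today. <a href="http://login.example-attacker.test/reset">
https://portal.agency.example/reset</a></p>
"""

INTERNAL_DOMAINS = {"agency.example"}  # assumption: the organisation's own mail domains


def triage(raw):
    """Extract what a response team needs to judge a reported phish and to
    purge copies of it from all internal mailboxes."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    hrefs = re.findall(r'href="([^"]+)"', body)
    # Link text that shows one URL while the href points elsewhere is a classic lure
    shown = re.findall(r"<a[^>]*>\s*(https?://[^\s<]+)\s*</a>", body)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    flags = []
    if sender_domain not in INTERNAL_DOMAINS and "help desk" in msg.get("From", "").lower():
        flags.append("external sender posing as internal help desk")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("reply-to domain differs from sender domain")
    for href, text in zip(hrefs, shown):
        if urlparse(href).hostname != urlparse(text).hostname:
            flags.append("link text hides a different destination")
    return {
        "message_id": msg.get("Message-ID"),
        "subject": msg.get("Subject"),
        "sender": sender,
        "urls": hrefs,
        "flags": flags,
        # What the mail team would search on to delete every copy of this message
        "purge_criteria": {"Message-ID": msg.get("Message-ID"), "From": sender},
    }
```

The flags are the signal for a human reviewer; the purge criteria feed whatever mailbox search-and-delete tooling the organization already runs.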
3) Ensure staff understand that phishing is about more than just email. Do staff understand that phishing can come from a telephone call or a text message? As discussed earlier, the person sitting next to them can even “phish” for your password. (This is what Edward Snowden did at NSA to get other employee credentials.)
For example, a few months ago, I got a call informing me that I had “won a free cruise for my family.” I played along as the caller went through a tempting checklist of options and “free extras.” About 10 minutes into the call, the person wanted my credit card number for “processing charges.” I refused, and let him know that I had no idea who he really was.
Similar techniques are used to pretend to be “Microsoft support” or to make fake help desk calls. Bad guys use clever techniques to disguise their true motives. Do you train for such things at home and work?
4) Develop a good cyberincident response plan. What does your cyberteam do when a phish is discovered and security incident response is needed? Is a cyberincident response plan in place?
NIST offers this incident handling guide for security incidents. You can report phishing scams to the US-CERT here. The anti-phishing working group (APWG) also has ideas, guidelines and helpful reporting tools to use.
In conclusion, I just returned from California, where I offered a daylong workshop on building a successful information security awareness program based on NIST 800-50 and 800-16 (role-based awareness training) and government best practices. It was a great conversation with several good, bad and ugly “phish stories” shared. These problems are difficult, but solutions are real.
For more information, I offer more security awareness do’s and don’ts in this blog – from back in 2014 when I was the Michigan CSO.
It’s an ongoing challenge, but don’t take the bait.
Most important, share how you resisted, and reported, your phishing story.