The Phish in 2019: Three Steps to Avoid the Persistent Threat

Organizations are vulnerable to phishing attacks due to the actions of their end users. No matter the strength of an organization’s infrastructure and defense technology, human error is a critical risk factor in business continuity and information security. Phishing attacks pose major risks to organizations of all sizes. Those that fall victim to these attacks are subject to loss of personally identifiable information (PII), reputation damage, loss of resources, denial of service, delivery of malware or ransomware and potential loss of other sensitive data. The severe impact and nature of a phishing attack make it a board-level issue.

Between May 2013 and May 2018, losses due to phishing-related fraud exceeded $12.5 billion worldwide [1]. It is predicted that a spike in the number of smishing, whaling and spear phishing campaigns will continue. Between 2017 and 2018, there was a 76 percent increase in the number of reported phishing attacks and a 53 percent increase in spear phishing attacks [2].

KEY TERMS

Smishing: When a user is tricked into downloading a virus or malware onto their mobile device.
Whaling: Phishing attacks that target high-level or C-suite members.
Spear Phishing: A targeted email cyber-attack against an individual to gain access to their data.

Attackers are continuously developing new ways to obtain company data through employees. Proofpoint’s 2019 “State of the Phish” data shows that malicious actors are focusing their efforts on attacking organizations through their employees rather than through the technology that stands between the attackers and the desired data. The human element continues to be the easiest method of exploitation. As attackers evolve and improve their tactics, organizations will need to improve their security posture.

The three areas that could have the greatest impact on end-user awareness are:

1. Develop a Culture of Education and Awareness
2. Make It Easy for Employees to Report Phishing
3. Conduct Quarterly Phishing Simulations

1. Develop a Culture of Education and Awareness

A people-centric approach to end-user security is critical to keeping company information safe. Organizations may rely too heavily on the technological defenses they have in place. The end user is the last line of defense against human error, and system administrators need to treat them as such. A culture of awareness and skepticism should be instilled from the top down, with emphasis at all levels of the organization on how company data is handled. Digital activity should be taken seriously by all personnel, and employees should be trained to look for questionable scenarios while performing everyday tasks. End-user awareness training should be conducted frequently, especially for new hires. In industries with high employee turnover, management should focus on clearly defined, early education. Information security should be part of every employee’s daily work, no matter their role or level of responsibility in the organization.

A common misconception is that an employee’s age correlates directly with their level of awareness of cyber risk. Millennials and younger employees are no less vulnerable to social engineering than their tenured colleagues. Younger employees may be more willing to share information when an attacker impersonates their superior, while older, experienced users have been exposed to more attacks than younger employees. A younger generation may be more comfortable with technology, but this does not mean they have a better understanding of information security concepts. All employees should be trained to be skeptics and to treat corporate data as if it were their own. For this culture to become part of day-to-day business, management must be a catalyst for change.

2. Make It Easy for Employees to Report Phishing

An effective but often overlooked way to defend data is to empower employees at all levels to report suspected phishing attacks quickly and easily. Examples include installing a one-click report button in the organization’s email system or creating a dedicated phishing mailbox to which potential threats can be forwarded. When employees have a simple way to report potentially malicious emails, there is a substantially higher chance that the emails are reported and a potential data breach is prevented before it occurs. Proofpoint’s “Human Factor Report” states that around 25 percent of clicks on malicious links occurred within the first five minutes of the message being delivered, and 52 percent of clicks within the first hour.

Generally, employees do not take time out of their day to investigate a risky email or a suspected phishing attempt. Streamlining the reporting process can be an effective way to help protect company data.

3. Conduct Quarterly Phishing Simulations

Organizations of all sizes and industries should include phishing simulations as part of their end-user awareness program. Periodic, simulated attacks provide management with informative summaries of their end-user security posture. Quarterly tests keep information security a common topic in the workplace and can further instill skepticism among employees when they send and receive emails and interact with company data. Reward employees who succeed in phishing simulations. The reward does not have to be financial or compensation based; a simple email, note or general recognition among management and peers goes a long way. Reinforcement of positive actions boosts morale and creates a competitive mindset among employees.

Larger organizations could run a competition by business unit or team, led by their management. Each team’s success rate is measured separately; teams or business units that test better than others are rewarded, and additional training is required where needed. This also reinforces managers’ accountability for fostering a culture of awareness. Not only is this an effective way to make simulations competitive, these tests can also produce management metrics that quantify the level of risk each business unit presents to the organization.

There is no magic combination of procedures, systems or technology solutions that will guarantee end-user security. Managers and IT directors need to decide strategically what works best for their environment. A zero-risk goal may not be realistic, but there are still many ways to decrease risk. Completely eliminating the risk of human error is not feasible, which is why attackers focus so much energy on this attack vector. These three preventative actions can be applied to an organization of any size in any industry. With new avenues for malicious actors to phish employees and execute more attacks, improving end-user awareness should be a top priority.

About DHG IT Advisory

DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet the IT advisory needs that drive your business. To learn more about DHG IT Advisory, visit dhg.com/itadvisory.

Sources

1. The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum. Radware, 2019.
2. State of the Phish. Proofpoint, 2019.