A comprehensive cybersecurity strategy incorporates multiple elements. Technology is one part of the picture, sure – you need the right tools, appliances, software and hardware in place to protect against malicious network access and to identify problems as they occur. But people are an equally important component. Employees make mistakes, and can be tricked into handing over the keys to the castle, allowing cybercriminals direct access to confidential data and protected systems.
The Chief Information Security Officer at the Department of Homeland Security (DHS) in the US recently stated that the biggest security threat they face is spear phishing – that is, employees being targeted with highly personalized emails that seek to trick them into exposing their login credentials or other useful information. After all, an organization can have the most robust firewalls and other security appliances in place, but with legitimate access credentials a cybercriminal can sail straight through them. A targeted spear phishing attack can get an attacker to the heart of their target environment extraordinarily quickly.
Cybercriminals have even progressed to so-called ‘whaling’ attacks. These specifically target very senior employees, who are likely to have the broadest access levels. We recently blogged about a whaling attack at wire and electrical cables manufacturer Leoni AG, which successfully imitated an email from a senior executive and tricked an officer into transferring an enormous 40 million euros to a bank account in the Czech Republic.
What’s the solution? An ongoing, dynamic program of employee training and awareness is absolutely essential. It cannot and should not be treated as a single, standalone event at the start of an employee’s tenure or even at fixed points throughout the calendar year. It must respond to evolving cybercriminal techniques, and continually check back to ensure that it is having an impact.
Many organizations would do well to follow the example of the DHS, which has introduced an innovative approach to defending against spear phishing attacks. Several times a year, the organization develops its own spear phishing emails and sends them to its own employees. Should a staff member fall for the ploy and click on a link in such an email, they are forwarded to a website designed to teach them how to distinguish between legitimate and malicious messages. In other words, spear phishing training is both dynamic and practical: it is tested against real behaviour, not just delivered as a slide deck.
Employees who repeatedly fall for the internal phishing emails are given extra training, and, according to the DHS CISO, may ultimately lose certain access privileges. He claims that the strategy is working well, with the number of successful actual spear phishing attacks decreasing over the past twelve months. He aims, he says, to “develop a healthy sense of paranoia so they think things through before they act.”
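The mechanics behind a program like the one described above are simple enough to sketch. The following is an added example, not code from the original post and not DHS's own tooling: each simulated email carries a per-recipient tracking link signed with an HMAC, so a click can be attributed to one recipient (and cannot be forged or altered to frame someone else), valid clicks are logged and redirected to a training page, and recipients who click in several campaigns are surfaced for extra training. The hostnames, campaign names and user IDs are constructed for the example.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for this example only; not details from the post or from DHS.
TRAINING_URL = "https://training.example.internal/spot-the-phish"
LINK_BASE = "https://links.example.internal/c"
# Per-deployment secret. Generated at import so the example runs stand-alone;
# a real deployment would load it from a secrets store.
SECRET_KEY = secrets.token_bytes(32)


def _sign(campaign: str, user_id: str, key: bytes) -> str:
    """HMAC-SHA256 over (campaign, recipient). Every link is unique per recipient,
    and a recipient cannot edit the URL to attribute the click to someone else."""
    msg = f"{campaign}\x00{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link(campaign: str, user_id: str, key: bytes = SECRET_KEY) -> str:
    """Tracking link embedded in the simulated phishing email for one recipient."""
    params = {"c": campaign, "u": user_id, "s": _sign(campaign, user_id, key)}
    return f"{LINK_BASE}?{urlencode(params)}"


class ClickTracker:
    """Records which recipients clicked in which simulated campaign."""

    def __init__(self, key: bytes = SECRET_KEY):
        self.key = key
        self.clicks = defaultdict(set)  # user_id -> set of campaign ids clicked

    def handle_click(self, url: str):
        """Return the redirect target for a valid tracking link, or None.

        A valid click is logged and the user is sent to the training page.
        Links with a missing or bad signature are ignored and not logged."""
        q = parse_qs(urlparse(url).query)
        try:
            campaign, user_id, sig = q["c"][0], q["u"][0], q["s"][0]
        except (KeyError, IndexError):
            return None
        expected = _sign(campaign, user_id, self.key)
        # Constant-time comparison so the signature cannot be guessed byte by byte.
        if not hmac.compare_digest(sig, expected):
            return None
        self.clicks[user_id].add(campaign)
        return TRAINING_URL

    def repeat_clickers(self, min_campaigns: int = 2):
        """Recipients who clicked in at least min_campaigns distinct campaigns:
        the candidates for extra training or reduced privileges."""
        return sorted(u for u, c in self.clicks.items() if len(c) >= min_campaigns)


def run_demo():
    """Constructed scenario: three campaigns over a year, three recipients.
    u1001 clicks every time, u1002 once, u1003 never. Returns the tracker and
    the result of handling a tampered link."""
    tracker = ClickTracker()
    campaigns = ["2016-q1", "2016-q2", "2016-q3"]
    users = ["u1001", "u1002", "u1003"]
    links = {(c, u): make_link(c, u) for c in campaigns for u in users}

    for c in campaigns:
        tracker.handle_click(links[(c, "u1001")])
    tracker.handle_click(links[("2016-q2", "u1002")])

    # Tampered link: recipient swapped but signature left as-is. Must be rejected.
    forged = links[("2016-q1", "u1001")].replace("u=u1001", "u=u1003")
    forged_result = tracker.handle_click(forged)
    return tracker, forged_result


if __name__ == "__main__":
    t, forged_result = run_demo()
    print("forged link accepted:", forged_result is not None)
    print("repeat clickers:", t.repeat_clickers())
```

In practice the redirect handler would also record a timestamp and user agent, and the campaign itself would vary sender names, pretexts and timing so staff learn to examine messages rather than memorise one template.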
Of course, the technology piece of the cybersecurity picture should not be neglected. We’ve blogged before about how you should also ensure that a ‘one-click disaster’ cannot happen. That is, ‘your network integrity should never be able to collapse under a single click – whether that click is an individual who has fallen for a phishing attack, or simply a staff member pressing the wrong button’. Training reduces how often someone clicks; architecture decides what one click can reach. Network segmentation and least-privilege access limit the damage a single compromised account or workstation can do. If a single successful spear phishing attack is enough to bring down your entire network, then your network was poorly architected in the first place.
Defending against phishing and whaling attacks requires a proactive approach to technology and training. Do staff in your business have that ‘healthy sense of paranoia’?