Over the past few weeks, we have seen numerous successful ransomware and Business Email Compromise (BEC) attacks. Organizations try to deal with these risks by employing security technologies and processes, but that’s not enough. Technology can’t stop someone from clicking a link, and processes can be ignored. Without a focus on people, your security strategy rests on a two-legged stool. Security is not only the IT or security team’s business; it’s everyone’s responsibility. All it takes is one convincing – yet fraudulent – email or phone call to trick an untrained, security-unaware employee into opening the door to cyber criminals.
This report from the SSL Store gives a good illustration of the gravity of phishing attacks. They estimated that the top 12 phishing attacks moved approximately $500M out of corporate bank accounts. If we extrapolate that to include all of the smaller attacks against millions of other organizations, it is easy to see that, by using phishing, criminals are feasting on a $10B-plus revenue stream. Clearly, these attacks will increase in volume, complexity and scale.
Here are some very recent attacks reported in the news:
- Ransomware attack cripples North Carolina sheriff’s office network. FBI investigating
- Ransomware incident leaves some Johannesburg residents without electricity
- FBI investigating after Collierville hit by ransomware attack
- Syracuse ransomware attack: School district expects to pay $50,000
- LaPorte County, Ind., and Lake City, Fla. paid ransoms of about $132,000 and $462,000, respectively
- Riviera Beach, Fla. paid a $600,000 ransom to unlock its data
- The Nation, an Eastern Ontario municipality near Casselman suffered from a ransomware attack
Criminals will typically deliver ransomware into your corporate systems using one or more of these techniques:
- Compromising a user’s credentials, moving laterally if required, then installing the ransomware on a system that can see the entire network
- Targeting an unsuspecting user and getting them to click on a link that opens an auto-executing file, which installs the ransomware on your systems
- Brute-forcing access to your network and systems so they can install their remote access toolkit and then deploy the ransomware whenever they choose
- Using a zero-day attack
- Exploiting an unpatched system
The last three are not easy to do: they require effort and planning to pull off successfully, and they run the risk of being detected by typical hardware and software protections.
One new aspect of successful BEC attacks is that criminals are phishing corporate users to obtain their email account credentials. Why? Well, as a criminal, if I can send phishing emails from a trusted email domain, the chances of my victims opening and clicking on my malicious links and attachments increase dramatically. Better still, I can expand the number of email accounts I can compromise by phishing my victim’s suppliers, partners, banks and customers. The biggest benefit of this approach is that email security hardware and software protections are not looking for emails coming from within your own domain, so attackers can operate in stealth mode for months at a time. Better yet, the organizations you do business with daily have you set up as a “Trusted” email domain.
Some folks are calling this method “Lateral Phishing”. I would argue that it always starts with phishing. Launching phishing attacks to compromise email accounts, and then launching further attacks that originate from a recognized domain, seems to be the new way forward. I would like to ask you this: What happens when your admins are targeted this way? Will they take the bait?
Some sobering stats:
Verizon’s 2019 Data Breach Investigations Report states that, “most breaches involve phishing and the use of stolen credentials”
GreatHorn’s 2019 EMAIL SECURITY CHALLENGES, TRENDS, BENCHMARKS 2ND ANNUAL SURVEY REPORT shows that “Half (49.8%) of respondents see malicious emails reach their inboxes every week, despite a multi-layered defense strategy that includes an average of more than two email security solutions.”
- “45% of respondents say that they see email impersonation threats in their inbox”
- “27% replied that they see credential theft threats”
- “34% replied that email threats with impersonation of internal/external people worry them the most”
So if criminals are continually finding ways to circumvent technology by compromising people, what can you do to protect your organization? There is no “Silver Bullet” when it comes to phishing. The best approach requires a layered defense that includes Multifactor Authentication (MFA) for email accounts, email security hardware and software protections and, most importantly, security awareness training that includes phishing simulation. Remember that your users are often your first and last line of defense, so applying the Human Fix to Human Risk continues to be the best way to fend off the phishing attacks that will keep getting past your expensive protection measures.
When you read about the latest successful attacks, you will note how the organizations that fell victim are now implementing security awareness training for their employees. Why wait until after you suffer an attack? In the words of Matthew Syed, author of Black Box Thinking: “Learn from the mistakes of others. You can’t live long enough to make them all yourself.”
So, what can you do in an attempt to build your layered defense? Start with a cyber security awareness program that is tailored to your organization and proven to change users’ behavior. Why? Because security awareness programs make employees aware of security best practices; they change employee behavior so it’s more secure; they create a security-aware culture; and they reduce the number of human-caused security incidents.
The trick is to take a people-centric approach to cyber security awareness. Take your users from being the weakest link and turn them into the strongest link in your layered cyber security defense by educating them on why security technologies and processes are in place and must be followed.
“People affect security outcomes more than technology, policies or processes. The market for security awareness computer-based training (CBT) is driven by the recognition that, without perfect cybersecurity protection systems, people play a critical role in an organization’s overall security and risk posture. This role is defined by inherent strengths and weaknesses: people’s ability to learn and their vulnerability to error, exploitation and manipulation. End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management (SRM) leaders to help influence the behaviors that affect the security of employees, citizens and consumers.”
(Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 18 July 2019)
To change employee behavior and build a security culture, there are five people-centric elements that you need to use as the foundation for security awareness success:
- High Quality Content – must engage users and provide a training program that is fun, resonates and changes behavior.
- Personalized Campaigns – key for driving motivation among employees and increasing their knowledge retention rates to change behavior.
- Strong Partnership – a consultative approach brings in a partner with the experience and subject matter expertise to help you plan and execute a security awareness program designed specifically for your organization.
- A Proven Framework for Success – to effectively change employee behavior and build a culture of security, you need a comprehensive program that is carefully planned around your organization’s specific needs and objectives.
- Security Awareness as a Service – provides the flexibility and support to effectively deploy your phishing simulations, awareness training or both, as well as to measure and report results.
Effective security awareness programs can reduce the risk of ransomware and BEC by helping to change employee behavior, instilling or reinforcing a culture of security within the organization, and addressing compliance demands. But it takes a human fix to battle the human risk.
Get the Definitive Guide To People-Centric Security Awareness and learn about the five people-centric elements that will help instill a security culture in your organization.
CISSP, Global Channel Manager & Cyber Security Evangelist