What’s the biggest cyber risk for firms today? We may be tempted to think it is an Advanced Persistent Threat from shadowy criminal organisations in far-flung nations, but the answer is likely to be less exotic, and closer to home – and maybe sitting at a desk nearby. Ethical hackers will tell you that one of the easiest ways to compromise an organisation is to get a member of staff to do it unwittingly, using social engineering techniques.
As firms have focused more on software and hardware technology defences, the attackers are increasingly targeting their efforts at the “warmware” – the people. Why spend weeks covertly hacking into a system when someone will let you in by clicking on a hyperlink? Indeed, Microsoft’s recent annual Security Intelligence Report revealed that as organisations have increased their security defences, criminals are less willing to invest time and effort in hacking computer systems, and are instead focusing on social engineering techniques to gain a foothold.
Email phishing is arguably the main method of attack on any business today. By tricking an email recipient into clicking a link, the attacker can direct them to a website that downloads malware or harvests their login credentials.
Gone are the days when phishing emails were easily spotted due to poor grammar and dodgy images; now they are sophisticated, copying the branding and language of your bank, PayPal, Netflix or whoever they are pretending to be. It’s no wonder they are hard to spot.
But it’s not just how they look that deceives us: phishing emails bypass our logical thinking by appealing to emotions and traits like fear, greed, curiosity, and even helpfulness. By adding a note of urgency, they trigger an emotional response so that we click before we think. Phishing also takes advantage of people being busy, which is why most bank transfer fraud is committed on a Friday afternoon, when the pressure is on (and the error won’t be discovered until Monday morning).
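The two deception cues described above (brand impersonation in the look of the message, and urgency wording that pushes the reader to click before thinking) are exactly what a mail-gateway triage rule can score. The following is an added example, not code from the article or from Brodies: a small Python scorer that checks a message for urgency phrases, for mentions of a brand whose real domain does not match the sender, and for link text that shows one address while the href points somewhere else. The phrase list, brand-to-domain table, weights and thresholds are assumptions for illustration, and the two messages are constructed samples.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed urgency wording; a real deployment tunes this from observed campaigns.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "account will be suspended",
    "urgent", "verify your account", "final notice",
)

# Assumed brand -> legitimate sending domain table (hypothetical, maintained by the
# security team). A brand named in the body but sent from elsewhere is suspicious.
BRAND_DOMAINS = {"paypal": "paypal.com", "netflix": "netflix.com"}


@dataclass
class Message:
    from_header: str
    subject: str
    body_text: str
    links: list          # (anchor text, href) pairs pulled from the HTML body


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    # Crude "last two labels" rule; adequate for these samples, but production code
    # should use the public suffix list (co.uk and friends break this).
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_domain(href: str) -> str:
    return registrable_domain(urlparse(href).hostname or "")


def triage(msg: Message) -> Verdict:
    v = Verdict()
    text = f"{msg.subject} {msg.body_text}".lower()
    _, sender = parseaddr(msg.from_header)
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""

    # 1. Urgency cues: each distinct phrase adds one point.
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            v.score += 1
            v.reasons.append(f"urgency cue: '{phrase}'")

    # 2. Brand impersonation: brand named, but not sent from that brand's domain.
    for brand, domain in BRAND_DOMAINS.items():
        if brand in text and sender_domain != domain:
            v.score += 3
            v.reasons.append(f"mentions {brand} but sent from {sender_domain or 'unknown'}")

    # 3. Link deception: anchor text that looks like a URL but resolves elsewhere.
    for anchor, href in msg.links:
        target = link_domain(href)
        shown = anchor.strip().lower()
        if re.match(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)", shown):
            shown_domain = link_domain(shown if shown.startswith("http") else "http://" + shown)
            if shown_domain and shown_domain != target:
                v.score += 3
                v.reasons.append(f"link text {shown!r} but href goes to {target}")
        if target and sender_domain and target != sender_domain:
            v.score += 1
            v.reasons.append(f"link to {target} differs from sender domain")
    return v


def verdict_label(v: Verdict) -> str:
    # Assumed thresholds: hold clear phishing, warn on weaker signals.
    if v.score >= 5:
        return "quarantine: likely phishing"
    if v.score >= 2:
        return "flag: warn recipient"
    return "deliver"


# Constructed samples (not real messages).
PHISH = Message(
    from_header="PayPal Security <alerts@paypa1-secure.example>",
    subject="Urgent: verify your account within 24 hours",
    body_text="Your PayPal account will be suspended. Click below to verify your account.",
    links=[("www.paypal.com/security", "http://paypa1-secure.example/login")],
)
LEGIT = Message(
    from_header="IT Helpdesk <helpdesk@example-firm.example>",
    subject="Planned maintenance this weekend",
    body_text="The document management system will be unavailable on Saturday morning.",
    links=[("intranet maintenance calendar", "https://intranet.example-firm.example/maintenance")],
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        v = triage(m)
        print(m.subject, "->", verdict_label(v), v.score, v.reasons)
```

The point of the reasons list is that a recipient warning can name the specific cue ("the link says paypal.com but goes elsewhere"), which reinforces the awareness training the article goes on to describe rather than silently dropping the message.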
Already this year there have been reports of major IT system vulnerabilities, and the need for security patching has become front page news. However, to exploit most of these vulnerabilities the attacker needs to get into your organisation and gain access to systems first, and the easiest way to do that is through phishing. But rather than seeing people as the “weakest link” as is often said, we need to enable them to be our first line of defence.
This is no easy task; it requires training, awareness raising and changing behaviour, all of which takes time and repetition to bed in. A multi-faceted approach is required, including emails, videos, posters, demonstrations, face-to-face training and e-learning. Phishing exercises are also effective (essentially trying to phish your own staff to see if they bite), but it can’t be a one-off exercise – it needs to be done regularly, and an errant click should result in an educational message.
Building the defences higher and deploying more technology will only go so far. We need to not only train our people about security, but also train security teams about people, their vulnerabilities, and how to get the best from them.
There is no security patch for people, so it is more important than ever that colleagues take the time to stop and think before they act. Telling colleagues what to do – or what not to do – is of limited effectiveness. But by showing them what can happen and how to avoid it, through repeated phishing simulations, awareness-raising campaigns and training sessions, we can equip our colleagues to be the strongest link in the cyber chain.
Damien Behan is Director of IT at Brodies LLP.