Last week, a Washington Post article by Robert O’Harrow offered an interesting look at the most common attack vector used by cybercriminals to penetrate enterprises today: spear phishing. While we applaud (loudly) the thrust of the article – that enterprises need to educate users on the dangers of spear phishing – there are some very real challenges in user education that the article does not address.
First, there is a very common misperception (promulgated by the article) that the only goal of spear phishing is to deliver a payload of malware to a specific employee of an organization. While malware delivery is still a frequent tactic in spear phishing campaigns, as we saw with the RSA breach and others, today’s spear phishers do continue using low-tech social engineering techniques to solicit user credentials through sophisticated imitations of their corporate web pages. In fact, they are using what we call a data entry phishing attack, where malware isn’t even involved, thus making them very difficult to detect.
Second, and even more importantly, there is a common misconception that simply making employees more aware of potential phishing attacks will lead to their prevention. In many enterprises, employees must complete annual security awareness programs – but they still go on to do all of the things they have been told not to do, including opening attachments from people they don’t know and clicking on links from untrusted sources. This type of passive awareness – holding a once-a-year security training seminar, putting a poster up in the break room, or giving employees screensaver reminders to change their passwords – simply will not work. My company, PhishMe, has trained more than 3.5 million employees at universities, government agencies, and large enterprises, and we have found that many user awareness programs are largely ineffective in preventing spear phishing attacks. To be successful in user training, you have to be proactive and immerse employees in a true-to-life experience that will stick and actually change user behavior.
Penetration testing kits, which are also described at length in the article, do little to change this behavior. Pen testing, usually conducted by a benign white hat hacker, may expose vulnerabilities in enterprise infrastructure or demonstrate weaknesses in cyber defense. But most users never see the penetration test, nor are its results shared with them. Penetration tests are designed to help the IT organization find the flaws in its defenses – they do nothing to educate the end user. In fact, they have the opposite effect of generating employee backlash and mistrust, with no positive behavior modification.
In the end, there is only one proven way to effect change in end user behavior: hit them with a benign version of the actual phishing attack that they might see in their email. If a user sees a particular attack and takes the wrong action by clicking on an attachment or a link, there is no more effective way of teaching them a lesson than to warn them, on screen, that they have made a wrong move. It’s that very moment that makes the most impact.
We have found that immersing people in the experience through mock phishing exercises, and presenting immediate, bite-sized education to those who are susceptible, has had the desired effect of reducing employee vulnerability to these attacks. PhishMe’s training has proven to modify employee behavior over time and allows organizations not just to be aware of their employees’ behavior, but to help them take a safer and more positive course of action when it comes to phishing attacks.
The Washington Post article does a service to its audience by raising the importance of spear phishing and social engineering attacks. It rightly points out that humans are the weak spot in any enterprise defense, and that even the most well-schooled employees may be fooled by a new, convincing form of attack.
However, the Post article does not offer enough information on the tools and methods that can be used to prevent users from making these sorts of “human” mistakes. PhishMe’s methods have increased human resiliency by reducing the frequency with which employees fall prey to phishing attempts – from more than 75 percent to fewer than 5 percent in some cases. While the Post article seems to indicate that social engineering is a human flaw and cannot be stopped, PhishMe has proven – repeatedly – that the right type of training and behavior modification can make a huge impact on the incidence of phishing infections in the enterprise.
Yes, social engineering takes advantage of human flaws, and humans are invariably flawed. But the article fails to add that humans can learn not to behave in ways that put enterprise data at risk. The weak link in the chain can be significantly strengthened – effectively making the whole chain much stronger.