We all get suspicious-looking emails every day and most of us manage to delete them without any problem. But as scammers become more sophisticated, phishing - sending emails that tempt recipients to open an attachment or click on a link that could be damaging to them or their wider network - continues to be a serious problem.
Another method that's been used successfully is scattering a bunch of USB drives featuring malicious code around in a car park and waiting for someone to plug one into their computer. Some people will throw caution to the wind simply because of their own curiosity. The common element here is the human one - and that’s why attacks like this are also known as "social engineering".
A study conducted at Columbia University showed just how powerful email can be as a form of attack. Researchers sent out 2,000 phishing emails, which got 176 opens. Those 176 people were then warned that they'd fallen for a phishing attack. The researchers later sent another round of phishing emails to those same people, and 10 of them once again clicked. After another warning, and a third batch of phishing emails, three people fell for it again. It wasn't until the fourth round that no one opened the emails.
Clearly, it's often people who are the weak links. Employee training must be a crucial part of any company's strategy against email scams and the need for vigilance is vital and ongoing. Phishing is a form of attack where human decision-making is critical.
Think of security as a pyramid where the horizontal axis is the number of incidents and the vertical axis is the level of sophistication involved. The top of the pyramid features the smallest number of incidents but this is a level of sophistication that is very difficult to defeat.
The bottom of the pyramid has the highest numbers and the least sophistication. This is where most phishing attacks sit - those that depend on someone clicking without paying attention or because of bad judgement.
Training and awareness can help to reduce the number of incidents. The best way to measure this is to run a test email phishing exercise on your own staff. Someone will usually click but, with training, these numbers can be minimised.
The first line of defence is looking at traffic. Most organisations drop anywhere between 65% and almost 75% of their incoming email. Some is merely suspicious or annoying, and staff may see emails come through marked with labels such as [SPAM] or [Marketing Mail]. The intent is to avoid blocking something that might be legitimate, while giving the user a warning and the opportunity to delete anything suspicious.
Most companies employ a security framework such as NIST or ISO27001. Such frameworks include risk assessments, policies and controls to mitigate risks, and audits to demonstrate implementation. One of the key controls is always security awareness training.
Unfortunately, email will continue to be a threat. We have relied far too heavily on email for far too long. We need to start looking at other communication channels so we can protect ourselves against these types of attacks. There are better, arguably more secure solutions out there for communications, examples being an internal intranet via Jive or social business applications such as Yammer or Slack.
However, email is not going anywhere soon so measures need to be put in place to keep an organisation and its staff protected. Phishing relies on human error so it’s in the interests of any business leader to ensure all staff are trained and that they take responsibility collectively and individually for keeping the network and its data safe and secure.
The bad guys are incentivised to keep attacking even with relatively unsophisticated methods; businesses need to build resilience to defend against the attacks.
Copyright © 2017. Todd Kleppe is VP of global operations at A10 Networks.