Cyber security education isn’t just about human error, says phishing expert Aaron Higbee.
It’s quite clear that 2016 was a banner year for cybercrime, with the steady rise of ransomware leveraging a variety of malware strains and proving to be a very viable business model for malicious actors. ‘Phishing’ continued to dominate as the attack vector of choice for malicious actors of all types – nation states, cybercriminals, and hacktivists.
The majority of reported cyberattacks in 2016 didn’t rely on sophisticated malware or technical vulnerabilities alone, but rather leveraged behavioural psychology to exploit humans and gain access to sensitive data.
Despite record investments in layers of preventative technology to combat the phishing problem, the data collected last year paints a bleak picture for those relying on technology alone to combat the threat. According to Mandiant’s 2017 M-Trends report, it takes the average global organisation approximately 99 days to realise a breach has occurred.
Months later, once the breach has been contained, the average total cost to the business will have risen to $4m. With statistics like that it’s not hard to see how Cybersecurity Ventures, a market research firm, recently projected the cost of cybercrime to hit $6Tn by 2021, up from $3Tn in 2015.
The question is how can we transform employees from a risk factor to an empowered defence mechanism against phishing attacks?
The challenge is that while we are dealing with a problem that has a human at its core, many organisations believe they can protect themselves by building technological moats and ignoring the human element completely; subscribing to the clichéd mindset of ‘the human is the weakest link’.
Regardless of how sophisticated an organisation’s security technologies are, phishing emails are bound to make it past those perimeter defences and land into an employee’s inbox – increasing the odds for the attacker that someone falls for the bait. The question is how can we transform employees from a risk factor to an empowered defence mechanism against phishing attacks?
Awareness isn’t the problem – it’s about changing behaviours
A Cybersecurity Ventures Report outlines that staff training is one measure often touted to raise awareness around the risks faced by employees. The same report states that training employees how to recognise and defend against cyberattacks is a sector likely to be worth almost $10bn by 2027.
But ‘training’ and ‘raising awareness’ isn’t effective enough to stop phishing attacks. In fact, in a survey of several hundred office workers, of diverse backgrounds, a resounding 94.4% said, “Yes. I am aware of phishing”.
Being aware of something and knowing what to do and how to act when that something occurs are completely different. Users are far less likely to remember a training module or a presentation on what a phish is and how to not be susceptible, compared to experiencing a phishing attack first hand and being provided real-time feedback.
A recent study conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany entailed running a spear phishing attack simulation on a test group of 1,700 students to measure their susceptibility for risk.
The study showed that at least 50% of students clicked simulated phishes, despite understanding the dangers of a phishing email before the attack. The study concluded that awareness isn’t the problem.
The students were aware that they shouldn’t click suspicious links, but until they experienced a phishing attack first hand, ingrained behaviours like carelessness and curiosity led at least half of the test group to fall for the bait.
Forced security awareness activities simply don’t have a measurable impact on risk reduction.
Contrary to the oft-cited ‘humans are the weakest link’ rhetoric, employees are smart, and not only capable of behaviour change, they are also generally underwhelmed and unengaged when faced with the prospect of mandatory completion of company-wide computer-based training (CBT) courses.
Human behavioural conditioning has a long history in our societal education. Many of us have been conditioned to speak in a particular way, to look both ways before crossing the street, and turn off the lights before leaving a room.
This automatic response facilitates almost every aspect of our lives and ingrains an action into our subconscious. Our natural behaviour towards cyber threats ought to be no different.
Reconditioning our thinking – empowering the human
Changing behaviour through education is most effective when it is completely immersive and engaging, no different from fighter pilots training in a flight simulator.
Immersive security conditioning, embedded in the everyday work of employees, allows for an enterprise to improve its employees resilience to such attacks, including turning them into human sensors that report such suspicious emails to their security teams in time.
On average, after just four simulations, the percentage of employees that are repeat victims is close to zero, susceptibility rates decline by over 80%, and most importantly accurate reporting of such emails by employees increases significantly.
This improved attack detection speed driven from human-generated phishing intelligence can mean the difference between minor system infections and large breach that tarnishes the company’s reputation and worst still has a significant financial impact in the form of compromised sensitive data, regulatory fines, locked critical systems and having to pay ransoms to get these systems operational again.
About the author
Aaron Higbee is co-founder and CTO of PhishMe