Phishing Trilogy Part 3: The “Carrot and Stick” Approach

What’s the best way to fight phishing attacks? Is it punishing users or rewarding good behaviour?

By Emily Wang

This is Part Three of the Phishing Trilogy; see the series introduction here:

Part 1 – From awareness to habits

Part 2 – A multi-layered defence

The ‘carrot and stick’ approach

People often scoff at phishing victims and put the blame on them. It needs to be recognised that this “blame culture” contributes to the real issue of slow reporting of phishing compromises, which has a direct and material effect on organisations.

Studies collectively show that falling for a phishing email is far from rare, and the number of victims is growing. The real question is how to mitigate it. This article covers the discussion around the “carrot and stick” approach. The two are not mutually exclusive and are most effective when used together in the mix that best suits your business.

Carrot

The consensus in the awareness training domain is not to blame the users. We should encourage them to report any suspicious activities, particularly if they are the originators of the breach.

Since an attacker only needs one person in the whole organisation to click on a single malicious link, it is impractical to achieve a zero click rate. However, if even one person reports the incident, the security and IT teams can review it and quickly stop the phishing campaign from spreading and causing further damage.
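The practical consequence of this argument is that a phishing simulation should be scored on reporting as well as clicking. The following is an added example, not code from the article: it takes a constructed event log for one simulated campaign (the (user, event, ISO timestamp) layout is an assumption, not any vendor's export format) and computes the click rate, the report rate, and how many minutes the campaign ran before the first report reached the security team.

```python
"""Measure report rate, not only click rate, for a phishing simulation.

Added example, not code from the original article. The event log below is
constructed and its (user, event, ISO timestamp) layout is an assumption;
real simulation platforms export their own formats.
"""
from datetime import datetime

# Constructed events for one simulated campaign sent to five people.
SAMPLE_EVENTS = [
    ("alice", "sent",     "2019-03-04T09:00:00"),
    ("bob",   "sent",     "2019-03-04T09:00:00"),
    ("carol", "sent",     "2019-03-04T09:00:00"),
    ("dave",  "sent",     "2019-03-04T09:00:00"),
    ("erin",  "sent",     "2019-03-04T09:00:00"),
    ("carol", "reported", "2019-03-04T09:03:00"),  # reported without clicking
    ("alice", "clicked",  "2019-03-04T09:05:00"),
    ("alice", "reported", "2019-03-04T09:06:00"),  # honest mistake, then reported
    ("bob",   "clicked",  "2019-03-04T09:12:00"),  # clicked, never reported
]


def campaign_metrics(rows):
    """Return click rate, report rate and timing figures for one campaign."""
    events = [(user, kind, datetime.fromisoformat(ts)) for user, kind, ts in rows]
    sent = {u for u, k, _ in events if k == "sent"}
    clicked = {u for u, k, _ in events if k == "clicked"}
    reported = {u for u, k, _ in events if k == "reported"}
    if not sent:
        raise ValueError("campaign has no recipients")

    send_time = min(t for _, k, t in events if k == "sent")
    click_times = sorted(t for _, k, t in events if k == "clicked")
    report_times = sorted(t for _, k, t in events if k == "reported")

    def minutes_after_send(t):
        return (t - send_time).total_seconds() / 60

    first_click = minutes_after_send(click_times[0]) if click_times else None
    first_report = minutes_after_send(report_times[0]) if report_times else None

    # Minutes between the first click and the first report: the window in which
    # an attacker had a foothold and nobody on the security team knew.
    # None means nobody reported at all; 0 means a report arrived before any click.
    if first_report is None:
        unreported = None
    elif first_click is None:
        unreported = 0.0
    else:
        unreported = max(0.0, first_report - first_click)

    return {
        "recipients": len(sent),
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "clicked_then_reported": len(clicked & reported),
        "minutes_to_first_click": first_click,
        "minutes_to_first_report": first_report,
        "unreported_minutes": unreported,
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the click rate and report rate are both 40%, but the more useful figure is that the first report arrived at minute 3, before anyone had clicked, so the unreported window is zero. A campaign with a low click rate and no reports would look better on the click metric and worse on every figure that matters to incident response.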

The Cyber Security Breaches Survey published by the UK government (Department for Digital, Culture, Media and Sport, 2019) found that the most disruptive attacks were more likely to be spotted by employees than by software, which was the case for 63% of businesses. This also aligns with previous years’ findings. Hence we should recognise the importance of staff vigilance and the value of empowering employees.

Stick

Another school of thought is to enforce punishment when people repeatedly fall for phishing attacks. For example, Paul Beckman, CISO at the Department of Homeland Security, considered a policy to remove employees’ clearance if they repeatedly failed an anti-phishing test. Needless to say, this is a controversial idea and received a lot of criticism. One study showed that the perceived severity of consequences did not predict behaviour (Downs, Holbrook, & Cranor, n.d.).

Studies also show that training focused on prohibiting behaviour or attitudes can often have the opposite effect, whereas training that emphasises positive effects can and does change behaviour (Robinson, 2011).

What is your mix?

This table outlines the differences between the two approaches. It is essential to understand your business to pick the right mix.

Be mindful about leaning too heavily on the “stick” approach. The ripple effects can put a strain on employees’ morale, leading to a sense of anxiety and distrust. In the worst case, it can lead to grudge attacks. Reports show that insider threats are prevalent and cause graver damage than external attacks (Tripwire, 2017).

It is our advice to develop an approach that balances the carrot and the stick. Taking into account the responsibility of the role and its importance in your organisation will help you to determine the appropriate balance. For example, an IT admin would be expected to be much more vigilant against phishing than a clerk on your logistics desk. It may well be appropriate for the IT admin, as part of their employment agreement, to accept a policy with a sliding scale of consequences for phishing breaches, whereas that would not be appropriate for the clerk.

Food for thought

Regardless of which stance you take on the two approaches, it is important to consider the following:

– Ask your HR, legal and management to contribute

  • What are the legal or contractual requirements?
  • What is the company’s policy on rewards and penalties?
  • What culture is the company trying to build?

– Be consistent with your approach

  • For example, if enforcement is going to be implemented, senior management need to follow the policy as well. They need to be role models.

– Understand that people make mistakes and don’t blindly blame your staff

  • As discussed, aiming for a zero click rate is unreasonable. Therefore, we need to acknowledge that honest mistakes can happen.

– Ensure that you have an incident-handling process in place, covering, for example, who to report suspected phishing to and how.

  • Your staff need to know the proper process in order to comply with the company’s policies.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.

References

Department for Digital, Culture, Media and Sport. (2019). Cyber Security Breaches Survey 2019. London. Retrieved from https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/791940/Cyber_Security_Breaches_Survey_2019_-_Main_Report.PDF

Downs, J. S., Holbrook, M., & Cranor, L. F. (n.d.). Behavioral Response to Phishing Risk.

Robinson, L. (2011). How the Science of Behavior Change Can Help Environmentalists. Retrieved from https://www.triplepundit.com/story/2011/how-science-behavior-change-can-help-environmentalists/81401

Tripwire. (2017). Insider Threats as the Main Security Threat in 2017. Retrieved November 19, 2018, from https://www.tripwire.com/state-of-security/security-data-protection/insider-threats-main-security-threat-2017/

Phishing Trilogy Part 2: A multi-layered defence

By Emily Wang

This is Part Two of the Phishing Trilogy; read Part One here.

Part 1 of this trilogy, “From awareness to habits”, showed how modifying habits can help to combat phishing attacks. However, it is unrealistic to expect that no one will click on a malicious link just by changing people’s email behaviour. In fact, some argue that a “zero click” goal is harmful (Spitzner, 2017). It doesn’t matter how much training is provided; people will make mistakes.

This is evident from many of our phishing simulation reports, where a few people would ignore the education page after they fell for a simulated phishing email. They realised their mistake as soon as they clicked on the link and would immediately close whatever popped up as a reflex act. This doesn’t in itself show that awareness training is futile; like many other defensive tools, awareness training should be used to reduce risk even though it is not possible to completely eradicate it.

The three pillars

Let us not forget the three pillars of cybersecurity, namely people, process and technology. Using them together is like building a three-legged stool: if any leg is too short, the stool is unbalanced.

Google recently announced that none of their 85,000+ employees have been phished since early 2017 (Krebs, 2018). What is their secret? Google requires all staff to use security keys to log in. A security key is an inexpensive USB-based device that serves as the second factor: the user logs in with something they know (their password) and something they have (their security key). This is called two-factor authentication. It is a perfect example of aiding a person with technology and process measures, or, as security experts like to call it, defence in depth.
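The paragraph above says that security keys stopped phishing but not why a key succeeds where a one-time code typed into a web page does not. The reason is that the key’s response is bound to the site the browser is actually on. Below is an added example, not code from the article or from Google, and a simplified model of the FIDO/WebAuthn idea rather than the real protocol: the signed response covers the origin the browser reports, and the browser refuses to use a credential registered for one domain on a page served from another. HMAC with a secret shared at registration stands in for the public-key signature a real key produces, and every name, origin and helper function here is made up for the illustration.

```python
"""Toy model of why an origin-bound security key resists relayed phishing.

Added example, not code from the article or from Google. Simplified model of the
FIDO/WebAuthn idea, not the real protocol: HMAC with a secret shared at
registration stands in for a real key's public-key signature, and all domains,
origins and helper names are constructed for the illustration.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


def _signed_payload(rp_id, client_data):
    """Hash of the relying-party ID plus hash of what the browser saw."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest())


class SecurityKey:
    """Holds one secret per relying-party ID; the secret never leaves the key."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # shared with the server (HMAC stand-in for a public key)

    def sign(self, rp_id, client_data):
        if rp_id not in self._keys:
            raise KeyError(f"no credential registered for {rp_id}")
        return hmac.new(self._keys[rp_id], _signed_payload(rp_id, client_data), hashlib.sha256).digest()


class Browser:
    """The client fills in the origin itself; the web page cannot choose it."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, page_origin, rp_id, challenge):
        host = urlparse(page_origin).hostname or ""
        if host != rp_id and not host.endswith("." + rp_id):
            raise PermissionError(f"{page_origin} may not use credentials for {rp_id}")
        client_data = {"challenge": challenge, "origin": page_origin}
        return client_data, self.key.sign(rp_id, client_data)


class Server:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # user -> key material from registration
        self.pending = {}      # user -> outstanding challenge

    def register(self, user, key_material):
        self.credentials[user] = key_material

    def new_challenge(self, user):
        self.pending[user] = os.urandom(16).hex()
        return self.pending[user]

    def verify(self, user, client_data, signature):
        # pop() makes each challenge single-use, so a captured response cannot be replayed
        if client_data.get("challenge") != self.pending.pop(user, None):
            return False, "challenge mismatch or reused"
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch: assertion was made on another site"
        expected = hmac.new(self.credentials[user], _signed_payload(self.rp_id, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        return True, "ok"


def legitimate_login(server, browser, user):
    challenge = server.new_challenge(user)
    client_data, sig = browser.get_assertion(server.origin, server.rp_id, challenge)
    return server.verify(user, client_data, sig)


def relayed_phishing_login(server, browser, user, phishing_origin):
    """A lookalike page relays the real challenge in real time, as OTP phishing kits do."""
    challenge = server.new_challenge(user)  # attacker fetches a genuine challenge
    try:
        client_data, sig = browser.get_assertion(phishing_origin, server.rp_id, challenge)
    except PermissionError as exc:
        return False, str(exc)  # the browser refuses: wrong domain for this credential
    return server.verify(user, client_data, sig)


if __name__ == "__main__":
    key, server = SecurityKey(), Server("example.com", "https://accounts.example.com")
    server.register("alice", key.register("example.com"))
    print("legitimate:", legitimate_login(server, Browser(key), "alice"))
    print("phishing:  ", relayed_phishing_login(server, Browser(key), "alice",
                                                "https://accounts.example-login.net"))
```

Two checks do the work. The browser will not use a credential for example.com on a page served from example-login.net, so the relay attempt fails before the key signs anything; and even if a compromised client signed anyway, the origin is inside the signed data, so the server rejects a response made on another site. A one-time code carries no such binding, which is why the same relay trick defeats it.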

A multi-layered approach

The NCSC guidance on defending against phishing (National Cyber Security Centre, 2018) splits the mitigations into four layers:

  • Layer 1: Make it difficult for attackers to reach your users
  • Layer 2: Help users identify and report suspected phishing emails
  • Layer 3: Protect your organisation from the effects of undetected phishing emails
  • Layer 4: Respond quickly to incidents

Take Layer 1 as an example; here is how we can defend ourselves from all three angles (people, process and technology):

Many controls can be placed in your organisation at different layers. To implement countermeasures holistically, we need to consider your organisation’s constraints and what is suitable for your employees. At Datacom, we look at how to help customers reduce risks across all six areas. Importantly though:

Don’t wait until it’s too late and don’t rely on just one defence mechanism.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.

References

Krebs, B. (2018). Google: Security Keys Neutralized Employee Phishing. Retrieved from https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

National Cyber Security Centre. (2018). Phishing attacks: defending your organisation. Retrieved from https://www.ncsc.gov.uk/phishing

Spitzner, L. (2017). Why a Phishing Click Rate of 0% is Bad. SANS Security Awareness. Retrieved November 18, 2018, from https://www.sans.org/security-awareness-training/blog/why-phishing-click-rate-0-bad

Protecting Your Workforce from Social Media Threats Part II: Applying Technology Solutions

In Part 1, we discussed how setting a policy for social media users at your organisation is the cornerstone of ensuring security and compliance. Now we’ll get into the technical security measures you can leverage to guard social media users against cyber threats, whether they are accessing the sites from a computer, a corporate mobile device or a personal device.

Industry recommendations for social media users

The Information Systems Audit and Control Association (ISACA) recommends regular security patching, content filtering and limiting network throughput to protect social media users from cyber threats. And while anti-virus alone won’t do the job of protecting social media users, organisations should have it in place on all systems and update it regularly. The same goes for anti-malware protection. If you know employees will access social media sites in a public place through Wi-Fi, consider requiring them to log in through a virtual private network (VPN). That way, traffic between the device and your network stays encrypted in transit, and others on the same Wi-Fi cannot read it. Through its network infrastructure solutions, Datacom can assist organisations in configuring a VPN and other secure mobility solutions to guard social media users from cyber threats on a mobile device or desktop.

Mobile device management to arm against cyber threats

A must for organisations with social media users is mobile device management software, which lets the IT department control, track and secure mobile devices, whether company- or personally-owned, in one network. Datacom recommends mobile device management solutions that can not only manage and secure the device, but also oversee the applications and data on it. A solid mobile device management solution will also let the IT department distribute applications and data and apply application whitelisting so that only approved social media apps are allowed. Through mobile device management, organisations can enforce password protection, wipe data from compromised devices and quickly decommission devices from the system. If you need help formulating a policy to handle application use in a Bring Your Own Device scenario, look over our BYOD checklist.

Remember, you can let your employees become social media users in a secure, controlled way if you put the right usage policies in place and have the right technology solutions to guard against cyber threats.

Protecting Your Workforce from Social Media Threats Part I: Perfecting Policy

The “Global Survey on Social Media Risks” report released by the Ponemon Institute in September 2011 revealed that more than half of 4,640 respondents across 12 countries said social media users have increased malware in the office. However, only 29 per cent of these participants said they had the right security essentials to prevent these cyber threats. These statistics show that anti-virus alone no longer arms organisations against the cyber threats introduced by social media users.

To guard social media users from the latest cyber threats, organisations should develop security essentials from both a policy level and a technical protection level. In this post, we’ll focus on the common cyber threats and the security essentials to incorporate into your policy to protect social media users at your organisation.

Knowing the cyber threats

In a tactic known as clickjacking, cyber criminals embed malicious code in what seems to be ordinary social media content, gaining access to social media users’ information or launching phishing attacks. The proliferation of these cyber threats compromises not only social media users’ accounts and devices, but likely their followers’ too — some of whom are undoubtedly co-workers. You can just imagine the Pandora’s box of cyber threats swept into your organisation if 50 social media users click on the same infected link.

As with any website or application, there is always the risk that social media users log on from corporate devices, or devices holding corporate information, over an unencrypted Wi-Fi connection. That means your company data may be exposed to a sea of strangers sitting in a random café. Without the right security essentials, your data is left open to cyber threats.

Security essentials for social media users

When customers approach Datacom about implementing new technologies or access to different applications or services, we first advise them to come up with a user policy before discussing technology to manage or secure devices. It’s once a business has outlined its security essentials in these terms, including both its risks and strategic goals, that we get into the different technologies and approaches that can protect data and devices. It’s no different when protecting social media users from the latest cyber threats: outlining security essentials in a policy is vital.

When considering security essentials for social media users, organisations should first determine whether Twitter or Facebook is necessary for an employee’s role. Consider enacting a step-by-step process requiring employees or departments to request access to become social media users. As part of the process, organisations might require employees to use their personal address, not their work email, in their contact details to guard against cyber threats. The policy can also dictate security essentials around how social media users consume and use information on these sites. For instance, organisations might allow some departments to read information on social media, but not post on it, to prevent cyber threats.

Those employees who are allowed to post on social media should have clear guidelines on what’s appropriate to write and what’s not. You could also prevent social media users from downloading any content from these sites as part of your security essentials. If you know employees will be accessing social media sites in public through Wi-Fi, specify what can and cannot be shared or accessed while they are connected to prevent cyber threats.

Make sure social media users are educated about the cyber threats and security essentials, on social media sites and elsewhere, and don’t forget the final piece that many organisations neglect — actually enforce the policy across the organisation. All social media users should know the security essentials and what will happen if they ignore them.

Stay tuned for Part II, where we’ll discuss the technical security essentials of protecting social media users from cyber threats.