Business security should focus on reporting, not perfection
31 MAY 2017
More and more businesses are becoming aware of the threat phishing emails present to their networks. That's the good news. The bad news is, many of them are responding in the wrong ways.
One of the most popular tactics for security-conscious teams these days is a "phishing awareness exercise." Much like hiring professional thieves to test your new security grid, an orchestrated phishing exercise is an attempt to phish your own employees to test readiness and security. Not a bad idea on its own, but easy to mess up in implementation.
For one, tests like these are expensive and time-consuming to coordinate. Fake-phishing your own people isn't something you can do overnight, and it is rife with the potential for distrust and backbiting when exposed. But more than the expense, the goals and techniques of these tests are often poorly positioned.
The brass ring of many IT departments is "0 clicks." They feel they've done their job right when a test can be conducted and nobody, from the desk clerk at reception to the CEO in the cushy corner office, clicks on a phony email. To accomplish this, they'll dump money into automated phishing-detection systems, implement punitive measures for anyone who does click, and, inevitably (after one failed round of testing after another), "relax" their internal tests to the point where they can claim "0 clicks," making the entire process worthless.
Why do I say inevitably? Because in a large business it is impossible to prevent 100% of phishing attempts. Week after week we see news of top security professionals, government agents trained in counter-espionage techniques, and major tech companies breached by sophisticated phishing scams. How can we ever expect average office workers, regular people trying to get through another hectic day of work, to succeed where these professionals have failed? We can't. It's unrealistic.
Instead of chasing some fantasy goal, the priority should be shifted to reporting and response.
Yes, it only takes one inattentive click to expose an entire network to a phisher, but just as often, it only takes one swift-moving employee reporting a suspicious mail to shut down the threat. You can spend tons of money on automated systems that try to identify phony mail as it comes in, but at the end of the day, the best response system to social engineering scams will always be employees who let you know when they are being targeted.
This is why it's important to structure security training around a constructive ethos, instead of a punitive one. When phishing tests are used to single out, humiliate, and even sanction individual employees, that's not training, that's a witch hunt. All you're going to do is make people paranoid and jumpy. They'll second-guess themselves about even reporting a potential phish, out of the simple human instinct to keep their head down.
If the need for additional training is apparent, it should be done in an empathetic, hands-on way. This needs to feel like a team effort, not being called on the carpet for a mistake. Be clear about the goals of any phishing exercise: that you're not out to "trick" or embarrass anyone, and that it is about a group response to an external threat. Always pay more attention to instances where employees successfully identify a phishing scam and report it than to times where somebody blew it.
Be realistic and up-to-date with your training. Many employees are still under the impression that most phishing attempts are crude, riddled with punctuation mistakes, mistranslations, and obviously false email addresses. This isn't necessarily the case anymore, especially with targeted spear-phishing campaigns that use information about a company against itself by blending in with regular mail.
Stress the importance of timely reporting. Whether they see that a phishing email has made it through the filters you've established, or they fear that something they clicked on might not have been authentic, they need to know you want to hear about it and they'll be safe telling you. This means procedures for reporting must be in place and there should be a stated understanding that an individual employee will not be punished for reporting a mistake.
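If reporting and response are the goal, the numbers you pull out of a phishing exercise should say how fast and how widely the mail was reported, not just who clicked. The following is an added example, not code from the original post: it scores a constructed simulation campaign on time-to-first-report, report rate, and how many clicks landed after the response team could already have known. The data, the field names and the metric names are all this example's own assumptions.

```python
"""Reporting-focused metrics for a phishing simulation campaign.

Added example (not from the original post). It scores a campaign on how
quickly and how widely it was *reported* rather than on reaching "0 clicks".
All recipient data below is constructed; field and metric names are this
example's own assumptions, not any product's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Recipient:
    """One simulated target. A time is None when that event never happened."""
    user: str
    clicked_at: Optional[datetime]
    reported_at: Optional[datetime]


# Constructed sample: one campaign email sent to 8 people at SENT_AT.
SENT_AT = datetime(2017, 5, 31, 9, 0)


def minutes_later(minutes: int) -> datetime:
    return SENT_AT + timedelta(minutes=minutes)


SAMPLE = [
    Recipient("alice", clicked_at=None,              reported_at=minutes_later(4)),   # spotted it, reported fast
    Recipient("bob",   clicked_at=minutes_later(3),  reported_at=minutes_later(9)),   # clicked, then self-reported
    Recipient("carol", clicked_at=minutes_later(12), reported_at=None),               # clicked, said nothing
    Recipient("dave",  clicked_at=None,              reported_at=minutes_later(15)),
    Recipient("erin",  clicked_at=None,              reported_at=None),               # ignored the mail
    Recipient("frank", clicked_at=minutes_later(40), reported_at=None),               # clicked long after first report
    Recipient("grace", clicked_at=None,              reported_at=minutes_later(55)),
    Recipient("heidi", clicked_at=None,              reported_at=None),
]


def minutes_after_send(t: datetime, sent_at: datetime = SENT_AT) -> float:
    """Minutes between the campaign send time and an event."""
    return (t - sent_at).total_seconds() / 60.0


def campaign_metrics(recipients, sent_at: datetime = SENT_AT) -> dict:
    """Return the figures a reporting-focused programme should track.

    click_rate / report_rate      fractions of all recipients
    time_to_first_report_min      how long until the response team could have known
    median_report_delay_min       typical delay among those who did report
    clicks_after_first_report     clicks that landed after a report already existed,
                                  i.e. exposure a fast response playbook could cut off
    self_reported_clicks          people who clicked and still told someone
    """
    n = len(recipients)
    clicks = [r for r in recipients if r.clicked_at is not None]
    reports = [r for r in recipients if r.reported_at is not None]
    report_times = sorted(minutes_after_send(r.reported_at, sent_at) for r in reports)
    first_report = report_times[0] if report_times else None

    clicks_after = 0
    if first_report is not None:
        clicks_after = sum(
            1 for r in clicks if minutes_after_send(r.clicked_at, sent_at) > first_report
        )

    return {
        "recipients": n,
        "click_rate": len(clicks) / n,
        "report_rate": len(reports) / n,
        "time_to_first_report_min": first_report,
        "median_report_delay_min": median(report_times) if report_times else None,
        "clicks_after_first_report": clicks_after,
        "self_reported_clicks": sum(1 for r in clicks if r.reported_at is not None),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE).items():
        print(f"{key:28s} {value}")
```

In the constructed sample the first report arrives four minutes after the send, which is the number to put in front of the response team: two of the three clicks happened after that point, so a playbook that acts on the first report (pull the mail, block the link) is where the remaining exposure lives, and bob's self-reported click is a win worth calling out, not a failure. Comparing campaigns on time-to-first-report and report rate, rather than on click rate alone, is what keeps the exercise honest when "0 clicks" is off the table.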
This also means your IT people need to be approachable. The day of the aloof, quietly smug and superior IT department is over. Infosec is a human business; you need professionals who can project openness and empathy, so employees are comfortable coming to them with potentially embarrassing mistakes they've made or edge cases where they're not sure.
Don't throw money at tech solutions to phishing and crater morale with unrealistic standards or draconian punishments. Response and reporting is a team effort that can be successfully accomplished with the right training, attitude, and follow-through.