Q&A

Phishing: Don't Let Employees Fall Hook, Line, And Sinker

Phishing isn’t simply a threat to business; it’s the number one delivery vehicle for ransomware and other malware. More and more organizations are falling victim to phishing attacks (85 percent of organizations suffered one last year), and the average cost to a company hit by a successful spear phishing attack is more than $1.5 million.

Worried yet? If not, consider the following:

  • 97 percent of people around the world cannot identify a sophisticated phishing email
  • 30 percent of phishing messages get opened by targeted users and 12 percent of those users click on the malicious attachment or link
  • only 3 percent of targeted users report malicious emails to management
  • after a company is breached, 60 percent of customers will think about moving and 30 percent actually do
  • one-third of consumers said they would stop dealing with a business following a cyber-security breach, even if they do not suffer a material loss

The first step in beating the odds is arming yourself with knowledge. To that point, Scott Barlow, Vice President, Global MSP at Sophos, took time to speak with Business Solutions about what phishing is, what you should be doing to help your customers manage it, and more.

Q: What is phishing and how does it differ from other targeted attacks?

Barlow: Phishing is a highly successful cybercrime and one of the most common attack vectors for hackers because it targets the weakest link in any organization, specifically the end-user. Unlike other forms of attack, a targeted phishing campaign takes advantage of the natural curiosity of an end-user, making them highly susceptible and providing an adversary the opportunity to either harvest credentials, infect with ransomware, or deploy other malicious code designed for lateral movement across an organization. Phishing usually comes in an email, but it can also be a phone call or other electronic communication method and affects businesses of all sizes. The problem is not unique to any particular segment or vertical market. Given the attacks prey upon the natural susceptibility of end-users, all organizations are subject to phishing.

Q: What damage can phishing do to a business?

Barlow: When it comes to phishing’s repercussions, the worst case scenario is hackers are looking for and find something very specific; the best case is an attack is random. Either way, any breach has the potential to create business-crippling consequences should company, customer or partner information be leaked to the dark web. According to a 2016 FBI Business Email Compromise (BEC) report, phishing (and its variants spear-phishing, whaling, etc.) is part of a growing cybercrime industry which has reached a staggering $2.5 billion worth of damages since January 2015. An average spear phishing or targeted attack has been cited as costing an organization on average $1.6 million, according to a CloudMark 2016 data point.

Q: What percentage of resources and security efforts should be focused on dealing with phishing?

Barlow: An effective strategy against phishing should employ a layered approach. Leveraging effective email and web security protection provides “time-of-click” safeguards for URL links in email attacks, as well as spam blocking and sandboxing techniques. Every organization should employ a next-gen endpoint solution to ensure exploit- or ransomware-based attacks are stopped as a last line of defense.

In addition, companies need to address the weakest link — human behavior. End-users play a critical role in the overall security of an organization by simply being more cautious and discriminating when it comes to responding to their email. By identifying the signs of a phishing attack and erring on the side of caution, end-users can help prevent a large percentage of malicious code or targeted attacks from occurring.

Training and testing on common phishing techniques and samples should be conducted on end-users to help improve security awareness and infuse a culture of security consciousness within the organization. Most companies offering employee security training focus on the assessment, education, and measurement of the effectiveness of raising awareness. However, that’s not enough—security training needs to be made a part of the security ecosystem.

Q: Is training and educating end users enough to negate phishing attacks?

Barlow: While many organizations create their own security training and/or leverage the services of an outside vendor, they usually lack the deep understanding of security best practices and proficiency with the rapidly evolving threat landscape. Many organizations leverage third-party training to help with their business application training programs, but while these vendors may also include “anti-phishing” training, many don’t provide a simulated attack methodology that mimics real-life and real-time phishing exploits critical to help reinforce any training.

Q: Sophos Phish Threat, your latest training solution, “Tests, trains, and analyzes human vulnerabilities.” How does it do this and why is it important?

Barlow: Sophos Phish Threat is predicated upon testing the vulnerability of an end-user to a set of phishing attacks. It does this by launching a simulated attack for basic phishing, credential harvesting, or attachment-based emails. End-users who click on the simulated attack are immediately informed that, in the event of a real attack, company resources might be compromised and then provided a short but effective training module. The role of training is not to make security experts out of end-users, but rather, through progressive and positive reinforcement, create a more savvy and discriminating end-user who can help increase the overall security posture of an organization and instill a culture of security.

Sophos Phish Threat identifies risky user behaviors and provides recommendations for network access, additional security software, or different configurations. The entire process is automated, meaning the IT organization can focus resources on remediating actual security incidents or adding value to the business. As attacks change with current events, seasons, and attacker methodologies, Phish Threat also constantly updates attack strategies, providing you with an even higher bar for end-user training.