Attackers have learned to appeal to the human element of information security. Here is one story of a situation where the human element is exactly why a CFO lost $1.5 million for his organization while on vacation.
One day, a wire request was sent by email, supposedly from a CFO to (1) an employee where this CFO banks and (2) the secretary of the CFO. The CFO was on vacation (according to their very public social media posting) and their secretary didn't want to bother them, but there was one issue: the CFO was the only authorized approver for wire transfers at their organization. The secretary wanted to be helpful and asked for the wire to be expedited. The bank complied since they knew the CFO and could see from social media that the CFO was busy on vacation. As soon as the wire was sent, the CFO reached out to the bank to say that they did not authorize the wire. But it was too late. $1.5 million was gone and eventually jobs were lost and reputations were hurt. The attackers spoofed the CFO's email and waited until their social media posts indicated they were away from the office. Yikes!
According to Verizon's 2021 Data Breach Investigation Report, 85% of breaches involved the human element. Additionally, 36% of breaches involved phishing, which is up 11% from last year.
The Cybersecurity and Infrastructure Security Agency (CISA) is encouraging a "shields up" position as cyber warfare continues to create a threat to businesses, including financial institutions and other critical infrastructure organizations, across the country. See the CISA critical infrastructure list.
The best "shields up" position is a security-conscious culture among your employees.
Recognize Your Most Valuable Assets: Your Employees
It only takes one click on a phishing email to cause an immense amount of damage to an organization. We can implement multiple hardware and software controls as layers of security to help mitigate the risk of a cyber-attack, but the best defense is the human element itself.
Consider that your employees are your most vulnerable, most volatile, and most valuable asset. Attackers know this, and your employees should too. As your most vulnerable asset, they need consistent and frequent training. As your most volatile, they need to be empowered and encouraged. As your most valuable, they need to be enriched as a knowledge investment.
Your employees play a key role when it comes to cyber resilience.
Does your team know that?
If not, it's time to empower them.
Build a Defense: Encourage a Security Culture
You can build your first line of defense against cyber-attacks with consistent and frequent security awareness training. The more your people learn, practice, and understand their role in your defense strategy, the better protected your organization becomes.
A culture of security awareness is more than just training; it is an attitude that we are all in this together. In other words, your whole team is on guard to defend your organization from outside attacks.
To help frame a mindset of putting our shields up together, you can foster this culture by implementing effective security awareness training techniques.
Perspective: Train, don't just Test
Phishing emails are tricky, which is why they work. Starting with a belief that all people need training and reminders helps keep everyone on an even playing field. Your new recruits, your seasoned IT experts, and your board members should all receive frequent training to keep their skills top of mind.
Test their skills with the goal of learning where they need more education. For example, you may send a simulated phishing attack and 14% of your targeted group fails the test. By keeping your perspective, you can inform, encourage, and educate as part of your campaign. Without calling anyone out, you can inform your group of the recent campaign, let them know the results, praise those who reported the email as suspicious, and provide a reminder about what clues and tactics gave the email away.
Proactive: Skills before Drills
Create a system for reporting suspicious emails and give your team an easy way of using it. Our information security committee at CoNetrix developed a simple system that starts with a dedicated email and a testing machine. When a CoNetrix employee receives an email that looks suspicious, they can send the email as an attachment to the dedicated email address for testing in the dedicated environment.
For those that do not have a one-click button to report phishing, it's hard to remember how to report a phishing email when you only do it every once in a blue moon. You can create your own phishing report button through Microsoft Outlook's Quick Steps. Because we already use Outlook and our people love efficiency, one of our team members created a tutorial for using Outlook Quick Steps to make it fast and easy to correctly report a phishy email for the good of the team. By setting up Outlook Quick Steps, employees take five minutes up front to address future suspicious emails in five seconds or less.
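The dedicated mailbox above receives suspicious messages as attachments, and someone still has to triage them. The following is an added example (not CoNetrix's tooling) of a first-pass triage script for such a mailbox: it pulls the attached message out of an employee's report and flags the indicators from the CFO wire story, an executive's name on an external address, a mismatched Reply-To, and urgency or payment language in the subject. The sample report, the domain example-corp.com, the name "Pat Smith" and the lookalike domain are all constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample: an employee forwarded the suspicious mail as a
# message/rfc822 attachment to the dedicated reporting mailbox.
SAMPLE_REPORT = b"""\
From: employee@example-corp.com
To: phish-reports@example-corp.com
Subject: FW: suspicious wire request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

This looked odd, please check.
--B1
Content-Type: message/rfc822

From: "Pat Smith, CFO" <pat.smith@examp1e-corp.com>
Reply-To: accounts@mail-relay.invalid
To: secretary@example-corp.com
Subject: URGENT wire transfer before I am back from vacation
Content-Type: text/plain

Please ask the bank to expedite the attached wire.
--B1--
"""

TRUSTED_DOMAIN = "example-corp.com"          # assumption: the organization's own domain
EXEC_NAMES = {"pat smith"}                    # assumption: executives likely to be impersonated
URGENCY = re.compile(r"\b(urgent|wire|expedite|asap)\b", re.I)

def extract_reported_messages(raw_report: bytes):
    """Return every message/rfc822 attachment found in a report email."""
    report = email.message_from_bytes(raw_report, policy=policy.default)
    return [part.get_payload(0) for part in report.walk()
            if part.get_content_type() == "message/rfc822"]

def spoof_indicators(msg, trusted_domain=TRUSTED_DOMAIN, exec_names=EXEC_NAMES):
    """List human-readable red flags for one reported message (empty list = none found)."""
    hits = []
    sender = msg["From"].addresses[0]
    # Display name claims to be an executive, but the address is not on our domain.
    if any(n in sender.display_name.lower() for n in exec_names) \
            and sender.domain.lower() != trusted_domain:
        hits.append(f"executive display name on external domain {sender.domain}")
    # Replies would go somewhere other than the apparent sender.
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].domain.lower() != sender.domain.lower():
        hits.append(f"Reply-To domain {msg['Reply-To'].addresses[0].domain} differs from From")
    if URGENCY.search(str(msg["Subject"] or "")):
        hits.append("urgency or payment language in subject")
    return hits
```

Flags from a script like this are a starting point for the person running the testing machine, not a verdict; a clean result still deserves a look.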
Perceptive: Remove Blame and Shame
According to Verizon's report, "The majority of Social Engineering incidents were discovered externally. […] When employees are falling for the bait, they don't realize they've been hooked. Either that, or they don't have an easy way to raise a red flag and let someone know they might have become a victim. The former is difficult to address, but the latter is simple and should be implemented."
Most people want to keep their jobs and the security your company provides for them and their families. If an employee inadvertently clicks a phishing link, you want them to feel safe about reporting the accident, without incurring ridicule or harsh retribution. It's better for your incident response process to get information about a potential breach right away rather than incurring a network take-down.
If an employee clicks on something and then after-the-fact decides it may have been something dangerous, they should feel safe to report the phishing email and report the fact that they clicked. They should not expect humiliation.
Continue to Reinforce the Basics
We all need reminders. Consistent, frequent, ongoing education can help your team recognize a phony email, quickly deal with it, and move on. By encouraging and reminding with an attitude that preserves the dignity of your employees, you can build a workforce that wants to protect your organization.
Thought prompt: What are some things you do to encourage a security culture?