Posted on March 11, 2014 by David Levine, Guest Blogger
Just one click… That’s all it takes, and your data and/or PC is compromised! You may have the best security and policies in place, but if users aren’t aware of and trained to spot suspicious email, you will be “hacked”.
In my role as Chief Information Security Officer I am frequently asked, “Why can’t you just block the bad email from getting into the network in the first place?” Great question. I can tell you it can be extremely difficult for systems like spam filters to discern email containing malware or links to malicious destinations from good email. Don’t get me wrong: they do a fantastic job of weeding out hundreds of thousands of bad emails, but when done right, those malicious emails look no different from legitimate email… it takes a trained eye on the part of the user to tell the good from the bad.
Cybercriminals have the resources and take the time to make phishing and spear-phishing emails look legitimate. With spear-phishing they use social engineering – researching social media and other publicly available online sources – to profile high-value targets and personalize bogus emails. Broader phishing campaigns may engage partners in crime to conduct high-volume mailings, but very realistic-looking emails will invariably hook a significant number of users, who will download a malformed spreadsheet or click on a link to a fraudulent website.
Make no mistake, phishing and spear-phishing work. RSA recently reported that in 2013 there were nearly 450,000 phishing attacks and estimated losses of over $5.9 billion.
If they want in badly enough, they will find a way in. But an ounce of prevention in the form of employee security awareness training is well worth the pounds of cure (read: millions of dollars). Your users may very well be one of the most important components of your security ecosystem, if not the most important.
I have found that one way to help turn the tables is to use “controlled phishing” to our advantage. Controlled phishing is now considered a best practice and is in use at many organizations. It has the dual benefit of raising employee security awareness exactly where you need it, and it can help you measure how vulnerable your organization is, and how effective your users are, at detecting potentially harmful emails.
There are several solutions/tools out there that allow you to safely “phish” your user population. You can typically choose from a wide variety of templates and levels of difficulty, ranging from “it should be really easy to tell it’s a bad email” to “you really need to inspect the email very carefully to determine it’s bad.” The tools also allow you to track important metrics, including: how many users simply deleted the email and took no action; how many users viewed the email but did not click on the link; and, of course, how many did click on the link.
Our users who do “fall” for the phish are presented with a web page letting them know that this was a Ricoh-sanctioned test and that, had it been real, they would have been compromised. They are also presented with tips and tricks on spotting malicious email, providing a quick teachable moment. We also deploy short interactive training modules on email security to reinforce the concepts.
Some companies do this covertly, while others are open with their users about the phishing, in some cases making it a contest between departments or divisions to see who has the lowest “click” rate.
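As an added illustration of the metrics described above (this is not code from the original post or from any phishing-simulation product), the following Python script collapses a constructed event log from a controlled-phishing campaign into one outcome per user and computes the per-department “deleted/no action”, “viewed” and “clicked” counts and click rates. The user names, departments and event names are hypothetical.

```python
from collections import defaultdict

# Constructed sample event log (hypothetical data, not from a real campaign).
# Each event is (user, department, action). "sent" is recorded for every
# recipient; "viewed" and "clicked" follow the outcomes the post lists.
EVENTS = [
    ("alice", "finance", "sent"), ("alice", "finance", "viewed"), ("alice", "finance", "clicked"),
    ("bob", "finance", "sent"),
    ("carol", "hr", "sent"), ("carol", "hr", "viewed"),
    ("dave", "hr", "sent"), ("dave", "hr", "viewed"), ("dave", "hr", "clicked"),
    ("erin", "hr", "sent"),
    ("frank", "hr", "sent"),
    ("grace", "it", "sent"), ("grace", "it", "viewed"),
    ("heidi", "it", "sent"),
]

# Severity order: a user's final outcome is the worst action recorded for them,
# so the result is the same regardless of the order events arrive in.
RANK = {"sent": 0, "viewed": 1, "clicked": 2}
# A recipient with nothing beyond "sent" deleted the email or took no action.
LABEL = {"sent": "no_action", "viewed": "viewed", "clicked": "clicked"}

def final_outcomes(events):
    """Collapse per-user events into {user: (department, outcome_label)}."""
    worst, dept = {}, {}
    for user, department, action in events:
        dept[user] = department
        if user not in worst or RANK[action] > RANK[worst[user]]:
            worst[user] = action
    return {u: (dept[u], LABEL[a]) for u, a in worst.items()}

def department_metrics(events):
    """Per-department outcome counts, recipients, and click rate (clicked / recipients)."""
    per_dept = defaultdict(lambda: {"no_action": 0, "viewed": 0, "clicked": 0})
    for _user, (department, outcome) in final_outcomes(events).items():
        per_dept[department][outcome] += 1
    result = {}
    for department, counts in per_dept.items():
        total = sum(counts.values())
        result[department] = dict(counts, total=total,
                                  click_rate=round(counts["clicked"] / total, 3))
    return result

def lowest_click_rate(metrics):
    """Department with the lowest click rate (ties broken by name), for the contest."""
    return min(metrics, key=lambda d: (metrics[d]["click_rate"], d))

if __name__ == "__main__":
    m = department_metrics(EVENTS)
    for department in sorted(m):
        print(department, m[department])
    print("lowest click rate:", lowest_click_rate(m))
```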
There is no right or wrong approach, but the more interactive and fun you can make the training the better; and clicking on the email should never be used for punishment. It’s also a good idea to reinforce that these skills are just as important in their personal lives as they are in the office.
Since it takes only one click in an email to give the bad guys access, I believe the training we have conducted at Ricoh has been a key component of our overall security program. It makes good sense to go phishing!