For many years, phishing has been the most successful way to break into an organisation. According to Fortinet, 90% of malware is distributed via email. Phishing is how Maastricht University was hit by ransomware, and it is how the recent bitcoin scam on Twitter got started. Considerable damage can therefore be inflicted once access is gained via an employee. This is not just the direct cost of unavailable or damaged systems; the reputational damage is considerable as well.
The risk that phishing also affects your organisation is real. A survey conducted by Cisco in 2018 shows that 93% of the more than 2,000 security experts interviewed in Europe had experienced a cyber-attack. In a survey by Carbon Black among 251 Dutch CIOs, 100% indicated that they had suffered a data breach. These numbers make a strong statement, and they call for immediate action.
It is also logical that attacks take place via employees. Employees have access to the network, and the security measures are set up so that they can download files and receive email. The preconditions are therefore already in place; with some deception, an attacker can take advantage of this relatively easily.
Whether it regards phishing or another form of deception, as an organisation you want to limit the cyber-security risk to a minimum. This can be done in two ways:
- Limit the chance that something goes wrong.
- Limit the impact when something does go wrong.
There are, roughly, two methods to prevent an attack from starting through deception of an employee:
- Train your employees so that they recognise phishing and other forms of deception.
- Take preventive measures.
Training employees once can already make a big difference. But, as with any training, the course material slips the mind if you do not work with it regularly. That is why a continuous learning process is important: varied course material and test moments, or in more professional jargon, awareness training and assessments. The most common methods are e-learning and phishing simulations. Like fire drills, cyber-security training sessions and evaluations should be part of a resilient organisation.
It would be wonderful if training were 100% effective at preventing deception, but because there is a business model behind these attacks, the methods keep getting shrewder. This means that, as an organisation, you do not only train employees; you also take the next step and protect them. We have actually been doing this for years with virus scanners, but Trojans and bots keep getting better at circumventing them. That is why it is important to also select good endpoint protection: not just Avira or AVG, but more intelligent tools that do not only check signatures but also look at behaviour. Examples are FireEye HX, VMware Carbon Black and Microsoft Defender ATP.
Prevention is better than cure, but if prevention were always successful we would only have pharmacies and no hospitals. The same holds for cyber-security. Of course you try to prevent as much as possible and limit the chance, but what if something does go wrong? You think about that too, preferably before an incident takes place; after all, measures can be taken for that situation as well. Because these measures start from the situation in which an attack has already taken place, they are mitigating measures: they limit the impact of an infection on your business operations. By recognising malicious traffic, e.g. command & control traffic, you can take action, for instance isolating a device on the network with Tesorion Immunity, or blocking all network traffic except permitted 'normal' actions, as Darktrace does.
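As an added example (not code from Tesorion Immunity, Darktrace or this article), the following Python script shows the kind of detection and response the paragraph above describes: it reads a constructed proxy log, flags client/destination pairs that call out at near-constant intervals (the beaconing pattern typical of command & control traffic), and derives a quarantine rule set that blocks all traffic from the flagged device except to allowlisted hosts. The log format, the thresholds, the host names and the allowlist are all assumptions made for the example.

```python
"""Added example: flag beacon-like (command & control style) traffic in a proxy
log and derive a quarantine rule set for the affected device. Illustrative only;
not Tesorion Immunity or Darktrace code. Log format, host names and thresholds
are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data), one request per line:
# "<ISO timestamp> <src_ip> <dst_host> <bytes>"
# 10.0.0.12 calls telemetry.example.net every ~60 s (beacon-like).
# 10.0.0.15 calls the intranet every 5 min (legitimate, allowlisted) and a news
# site at irregular intervals (normal browsing).
SAMPLE_LOG = """\
2020-09-01T09:00:00 10.0.0.12 telemetry.example.net 512
2020-09-01T09:00:05 10.0.0.12 intranet.example.com 20480
2020-09-01T09:01:00 10.0.0.12 telemetry.example.net 498
2020-09-01T09:02:01 10.0.0.12 telemetry.example.net 530
2020-09-01T09:03:00 10.0.0.12 telemetry.example.net 501
2020-09-01T09:04:00 10.0.0.12 telemetry.example.net 515
2020-09-01T09:05:01 10.0.0.12 telemetry.example.net 509
2020-09-01T09:00:10 10.0.0.15 intranet.example.com 4096
2020-09-01T09:05:10 10.0.0.15 intranet.example.com 4096
2020-09-01T09:07:42 10.0.0.15 news.example.org 80213
2020-09-01T09:09:10 10.0.0.15 news.example.org 61877
2020-09-01T09:10:10 10.0.0.15 intranet.example.com 4096
2020-09-01T09:15:10 10.0.0.15 intranet.example.com 4096
2020-09-01T09:20:10 10.0.0.15 intranet.example.com 4096
2020-09-01T09:25:10 10.0.0.15 intranet.example.com 4096
2020-09-01T09:31:03 10.0.0.15 news.example.org 55120
2020-09-01T09:33:00 10.0.0.15 news.example.org 120044
2020-09-01T09:58:11 10.0.0.15 news.example.org 73310
2020-09-01T10:12:50 10.0.0.15 news.example.org 64002
"""

# Destinations that legitimately talk on a fixed schedule (assumed allowlist).
ALLOWED_HOSTS = {"intranet.example.com"}

MIN_HITS = 5          # fewer requests give no usable interval statistics
MAX_JITTER = 0.15     # coefficient of variation of the intervals (stdev / mean)
MIN_PERIOD = 10.0     # seconds; ignore bursts that are just page loads
MAX_PERIOD = 3600.0   # seconds; longer periods need a longer log window


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        yield datetime.fromisoformat(ts), src, dst


def detect_beacons(text):
    """Return src/dst pairs whose requests arrive at near-constant intervals."""
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in seen.items():
        if dst in ALLOWED_HOSTS or len(stamps) < MIN_HITS:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(intervals)
        jitter = pstdev(intervals) / period if period else float("inf")
        if MIN_PERIOD <= period <= MAX_PERIOD and jitter <= MAX_JITTER:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "period": period, "jitter": jitter})
    return findings


def quarantine_rules(src):
    """Rules that keep a flagged device connected only to allowlisted hosts:
    explicit allows first, then a catch-all deny."""
    rules = [{"src": src, "dst": host, "action": "allow"}
             for host in sorted(ALLOWED_HOSTS)]
    rules.append({"src": src, "dst": "*", "action": "deny"})
    return rules


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, "
              f"period {f['period']:.1f}s, jitter {f['jitter']:.3f}")
        for rule in quarantine_rules(f["src"]):
            print("   ", rule)
```

Run as-is, the script flags only 10.0.0.12 talking to telemetry.example.net (six requests, roughly one per minute with about 1% jitter) and prints the allow/deny rules for that device. The intranet heartbeat from 10.0.0.15 is just as regular but is skipped by the allowlist, and the news site is not flagged because its intervals vary far too much. That allowlist is the caveat a practitioner should keep in mind: update checks, monitoring agents and NTP also beacon, so interval regularity alone produces false positives, and commercial tools combine it with other signals (destination reputation, TLS fingerprints, process context) before isolating a device.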
This article explained ways of making your employees more resilient, both in terms of awareness and from a technical perspective. This way you cover one of the most frequently used attack vectors. With a structured patch policy, insight into potential vulnerabilities and a correct set-up of authorisation structures, you make it very hard for malicious parties. In the next blogs we will address these factors in more detail.