Building the employee phishing firewall


Why apathy is your biggest cyberthreat

Why a lack of a proactive approach to security is putting organisations at risk

Just before Christmas, GoDaddy employees were instructed to complete a form to receive their $650 yearly bonus, or so they thought. Staff who clicked the email attachment were rewarded instead with a decidedly unfestive communique, informing them they'd failed a phishing test, and were told to retake security training.

Cruelty notwithstanding, there was a sliver of reason to the ploy: 94% of all cyber attacks use email, and phishing accounts for over 80% of reported security incidents. Put simply, phishing is low-effort, high-reward, and very, very common.

It's clear more needs to be done to adopt a proactive mindset for phishing detection and response. Cyber leaders have banged the phishing drum for years, yet the problem remains, suggesting the greatest threats are inertia and apathy.

"The age of awareness-raising of the cyber threat is long past - there's no excuse for not being aware of it, and I think most people are," says former head of the NCSC and managing director at Paladin Capital, Ciaran Martin. "The problem, and I'm sympathetic to business leaders on this, is not knowing what to do."


There persists a feeling among SMEs in particular, says James Sullivan, head of cyber research at RUSI, that they may not be the likeliest targets. This misconception can prove fatal: successful attacks cost an average of $200,000, making small businesses especially vulnerable to obliteration. And because supply chains are so intertwined, anyone is fair game - while an SME may not be the grand prize, their customers or partners could prove bountiful.

Professor Deeph Chana, co-director at the Institute for Security Science and the Centre for Financial Technology, both at Imperial College London, suggests a clearer conception of the nature of our interconnectedness would help: "It's very easy not to examine that, but it starts making you realise the risks your insecurity might bring to other people. That would start making sure people were a little more careful about where they store data and the kinds of tools they install."

One solution is elevating cyber into the realm of general business risk. Leaders are expected to understand complex matters such as commercial law or pension liabilities, but often baulk at technology, says Martin, so they'd do well to demystify cyber for themselves and strive to be a "little bit more technical". Part of elucidating these technicalities could be getting more familiar with the basic principles around network and compute - the "under the hood" stuff, says Chana, that will help leaders better formulate their cyber risk equations.

Risk management, adds Sullivan, is the process of identifying threats in a particular context and taking action to prevent or reduce them. You're "never going to completely eliminate the risk" of successful phishing attacks, he says, and that is generally true for many things in the complex, multifaceted, technology-dependent digital world.

To push back on inertia, then, organisations should set a realistic risk tolerance, a level of acceptable risks, and develop mitigation methods.

That means investment in technology and training, and leaders should understand that this is just the cost of doing business in the 21st century. Adopting a proactive culture at the leadership level will permeate organically throughout the organisation, adds Sullivan.

Technology is only one part of the equation, so while it's critical that technical controls such as secure email gateways, firewalls, and multi-factor authentication are instituted and properly configured, executives must also implement a high-level cyber risk strategy that includes training and reinforces a continuously vigilant culture - viewing all this holistically as an ongoing process, rather than a one-off, box-ticking exercise.

One approach, suggests Chana, could be onboarding employees with short training sessions surrounding risk - to understand how organisations manage, perceive, and analyse risk.

"It's something everybody could cover during their induction," he adds, "something that you could be made aware of formally. That could be a way of really helping, and then maybe making cyber become one exemplar of those kinds of risks."

That said, businesses should endeavour for balance: it's undesirable to silo cyber as the sole concern of the security team, but the buck can't be passed to staff either. It's the purpose of technology to take the bulk of responsibility away from most employees, who just wish to go about doing their jobs. Especially in the year of home-working, says Martin, security procedures should be easy to follow - if they're not, users will find insecure workarounds.

"The least appropriate, most useless and counterproductive phrase in cybersecurity is that 'people are the weakest link'," Martin says. "Never, ever, ever say that to your staff. It's like saying, 'that football team would be great if it wasn't for the players'."

Commercial feature

Q&A: How to build your own human firewall

How to train existing employees to recognise threats and take action against phishing attacks

Many organisations are struggling to recruit cybersecurity professionals. Aaron Higbee, chief technical officer at Cofense, and Tonia Dudley, strategic advisor at Cofense, discuss how to upskill your employees so they effectively become a human firewall.

Given the cybersecurity skills shortage, what can companies do to develop skills within their employee base? We’ve heard the expression ‘human firewall’ – can you explain a little bit about what that means?

Aaron Higbee: Phishing is the number one way in which organisations are breached today. Once an attacker is frustrated by state-of-the-art filtering, they’re going to come up with a new tactic or technique to get a malicious email into an employee’s inbox.

So eventually, an employee will be staring at a dangerous email. How can we get them ready to recognise it? Then, how can we get them to report something that’s suspicious? And then get a security team to look at those suspicious emails?

So, one of the things that we believe deeply in is the use of phishing simulations. Attackers, regardless of the tactic – maybe a trick in a URL or changing a 'from' line – still use emotional triggers: fear, reward, urgency. We are trying to get employees to think, "huh, this is weird. I don’t know what this is, but I’m going to click that ‘report phishing’ button."

So, the human firewall is getting people to have that mindset, to click that 'report phishing' button, so that they can survive phishing campaigns that do make it past their technical controls.

[Chart: Low employee security awareness is one of the biggest barriers to effective defence. Factors inhibiting organisations from defending themselves against cyberthreats, rated on a scale where 5 is highest.]

How much do you think COVID-19 has exacerbated the problem?

AH: It’s a perfect confluence of problems. More companies are using cloud platforms to facilitate working from home. They might have been already testing these out or have had pilots in place before COVID, but they had to fast forward a lot of these plans. Traditionally you would have some user acceptance testing and a more methodical roll-out, but now it’s all hands on deck.

And it’s made even worse by the fact that attackers use huge world events to get people to click emails. Attackers are using that theme of COVID-19 to get people to open dangerous emails. It’s made more challenging by the fact that the IT world wasn’t necessarily ready to fast track their move to the cloud. So, it’s been a challenging 12 months.

Can you provide any examples of how a phishing simulation system might typically work and any customers using the technique?

Tonia Dudley: Yes, this is indeed being used by many customers. In fact, phishing simulations from Cofense, and the tools we provide around it, are used by many enterprise businesses and large organisations. Most of them have realised that their existing infrastructure-focussed solutions do not stop all threats, and it is critical to bring into play that final safety net - the human threat detection layer. Indeed, some are realising that their secure email gateway is very much a single point of failure from the perspective of phish detection.

One of our customers is a top three global insurer. They’re working with us to condition their users to keep the risk of phishing front and centre in their minds. Also, to help them recognise evolving tactics and techniques, and then fundamentally rehearse the behaviour they want those employees to exhibit in a real attack situation.

Phish testing is the enemy of phishing defence, so the goal of phishing simulation is not to 'test' users but rather to enable them to identify the threats that technology has missed. We want those end users to be human sensors within the environment. So, when they see emails that they think are suspicious, they click that report button. That email comes into our Phishing Defense Center (PDC) and our teams of analysts will do the prioritisation and analysis of those threats. We turn that data into actionable intelligence that we deliver back to that organisation’s security team to enable them to effectively respond.

In December, those well-trained human sensors enabled that organisation to identify just over 1,500 threats in their environment. All of those threats were identified by the end user and zero were stopped by any technology that the organisation had in place to protect their end users, because every one of those threats was reaching the inbox.


So, that’s why the human element is so important?

TD: There are two fundamentals that every organisation has got to accept. When it comes to phishing, they’ve got to accept that bad stuff is going to get through. No technical control is ever 100% effective. And we know that threat actors are constantly evolving and innovating their tactics and techniques to defeat the controls that organisations have in place.

The other thing is that you can’t stop every user being susceptible to every threat, every time. You’ve got to get visibility of those threats that you’re otherwise blind to, to be able to do something about them. It’s about almost evolving from that human firewall to being like a human-based intrusion detection system.

What is the impact of reporting – how can organisations effectively manage inbound reports?

TD: Now you’ve got this highly tuned network of human sensors that are doing a great job of identifying stuff that just doesn’t quite look right - essentially identifying threats that technology has failed to stop. They then report it with a button that sits within the email client. All those reports start going into the organisation’s security teams. And that can be a lot of email – in our PDC, we would expect over a month, on average about 260 emails to be reported per 1,000 employees, so about a 26% reporting rate. When you start getting up into bigger enterprise organisations that’s a lot for security teams, who are already overwhelmed with alerts, to deal with.

Around 10 to 15 percent of the emails we see have some form of bad content. The flip side is that 85-90% is just noise, it’s false positives. So, this is noise that those security teams have then got to be able to cut through quickly to find the bad stuff, and that can be a challenge. At Cofense we’re giving them the ability to cut through the noise, find the bad stuff quickly, and take rapid and decisive action to contain those threats.

AH: Also, one thing that didn’t help the industry has been asking employees to send suspicious emails to a spam alias. For years, we've been clicking the junk button, and nothing happens. It’s not telling the security team "I think this email is dangerous". It just goes into a spam folder. The feedback is so important: customers that respond, even if it’s automated, are getting higher engagement from employees, who are more likely to continue to report.

TD: Additionally, it’s about not just relying on your own employees. You want to be able to tap into the capabilities and intelligence of employees that exist within your peer organisations, or other organisations in your industry.

One of the benefits of our PDC is a network of customers benefiting from a threat that was identified by another customer already. We recently did a proof of concept with a large finance organisation and in just over two weeks there were 50 occasions where this organisation reported threats. On 45 of those 50 occasions, other customers had already reported that same threat. So that means we can respond much faster because we’ve already seen it. On five occasions this organisation was the first to report threats, so they contributed to that network effect.

So, you don’t have to do it all on your own, you can benefit from the skills and experience in other organisations.

Anatomy of a phishing attack

What impact does an attempted phishing attack have on an organisation that's properly protected, compared to a company with no protection?

[Infographic: Timeline of a phishing attack for an organisation that is well protected vs. an organisation that is not. Phishing attacks can strike subtly and spread quickly, with crippling results; the timeline is very different when a company has the right protection.]

Motivations of a threat actor

Get inside the mind of a threat actor to find out new ways they're outsmarting businesses, and how you can stay a step ahead

From: a.threat.actor@thisisascam.com

Subject: Urgent information included inside

Dear Security Leader,

Hi, it’s Karen from payroll. We are experiencing some technical difficulties and there will unfortunately be a delay in payments this month. Please click on the link below for updates.

Would an email like this make you stop and think for a second? Would you be tempted to click on the link, just to double check you’re going to get paid on time this month?

If so, I’m afraid it’s likely you’ve just fallen victim to a phishing scam. And it’s one that could cost you dearly. Let me introduce myself. I’m a threat actor and I target businesses like yours to steal personal or sensitive information, such as account passwords, login details and credit card details.

So how do I do this? The devil is in the detail. Threat actors like me will do our research on you, the target. That might be your role, your colleagues, your relationships, as well as what systems your company uses. This forms the basis of the bait content, and by using similar domains to familiar organisations, and closely replicating their website design, I can often trick you or your employees into giving out your sensitive data.

You see, the bait needs to be just enticing enough to lure clicks, but not too obvious. We want to exploit the human nature of urgency by sharing something that concerns you, information you weren’t supposed to see, or encouraging you to act quickly under time constraints. I’ll let you in on a secret: anything suggesting sensitive information has been sent by accident (for example, the latest bonus figures), or urging quick action, should ring immediate alarm bells!

COVID-19 has also created a perfect opportunity for people like me, as we often leverage global events and crises to target potential victims. The coronavirus is no exception – there has been a huge increase in phishing attacks since the pandemic started, as phishers look to exploit the uncertainty and fear that people are feeling. If an email offered to provide information on safety measures, provide a list of cases in your area, or arrange for financial assistance from the government, would you be tempted to chance a peek?

We’re also leveraging people’s current reliance on video by registering domains posing as Zoom, Microsoft Teams, and Google Meet-related URLs. With more people using these video conferencing services during the pandemic, the domains can be used to potentially trick people into downloading malware or giving us access to personal information.

You see threat actors like me are always coming up with new and innovative attacks. For example, the Emotet botnet came back with a vengeance with updated payloads that helped it avoid detection both by victims and network defenders. Prior to the disruption operation directed at Emotet, the hackers behind it were sending more than 100,000 emails a day.

Another modern phishing method is consent phishing. This sees threat actors develop malicious applications that ask users to grant access to data of other trusted applications. You see these kinds of consent pop ups all the time, right? But by being a relatively new take on classic phishing, users don’t take the same care when deciding to grant an app access to their data as they do email links or attachments.


I might also look for weaknesses in your organisation’s infrastructure. For example, perhaps there is a hole in the configuration that could allow payloads to bypass expensive security filters, or the correct records have not been configured to defend against spoofing. In some instances, I may send some probing emails to see target mail server responses and look for useful information like mail filtering or anti-virus version information in signatures.

So, how can you stay a step ahead of people like me? Firstly, don’t be too confident that your advanced threat protection handles everything, or assume it’s taken care of by your cloud-based SaaS provider. While providers often conduct their own penetration tests, it’s still crucial to ensure other protection is in place. This means assessing your own account or tenant configuration against industry security standards, and implementing security guidelines, like least privilege models or multi-factor authentication (MFA), to protect against attacks like credential phishing.

However, successful phishing attacks are designed to provoke an emotional reaction, so phishing is a human issue as well as a technical challenge.

Make sure you are training your employees on phishing awareness, and that they have a quick and easy way to report suspicious emails. You can also run fake phishing attempts across the organisation to see how effective the training has been – I’m sorry to say, an employee learning a lesson after falling for a fake phishing attempt is much more powerful than listening to training regarding phishing.

The fact is, with so many employees now working remotely, there has never been a greater opportunity for phishers like me. Unless both you and your employees are vigilant to phishing scams, you could become the next victim. And trust me, I’m out to get you.

Kind regards,
A Threat Actor

With many thanks to:

Mike McGrath, Penetration Tester, Bridewell Consulting

Jed Kafetz, Head of Pen Testing at Redscan

Callum Carney, Red Team member at Synack

Weaving phishing defence into the fibres of your cyber strategy

Creating a culture of awareness is key to securing your organisation against attacks

Today most organisations accept that remote working is here to stay in some form, with nearly half of companies saying they intend to allow employees to work remotely full time going forward.

With this realisation comes the need for formal cybersecurity education and training for employees. This is particularly important with phishing attacks currently at an all-time high – across Europe there was a 667% increase in phishing scams in just one month during the COVID-19 pandemic.

“Criminals are more than willing to exploit emotions to reach their targets – for instance by preying on people’s fears during the pandemic – and it’s a lesson security teams need to learn,” explains Melanie Oldham FCIIS, CEO of cyber security awareness training firm, Bob’s Business.

But with questions over the effectiveness of traditional cyber training methods – one report notes that phishing awareness training wears off after just six months – what’s the best way to approach cyber education for employees? Particularly when in-person training is off the table?

Not the weakest link

Usually baked into cyber awareness training is the belief that humans are the weakest link in a company’s security posture. However, CybExer Technologies’ board member Rainer Saks argues that employees are actually the most important link in the cyber security chain.

“As a first step, we need to learn how to transform our employees into a human firewall,” says Saks, a former director general of the Estonian Foreign Intelligence Service who worked with the Estonian Government on its employee cyber awareness programme. “They need to understand that every one of them has an important role to play in defending against cybercrime.”


Saks says the most critical aspect of teaching cyber awareness is putting yourself in the shoes of the employee. “Why do employees behave the way they do? Why do they sometimes take huge cyber risks? Is it laziness, carelessness, necessity or habit? We have discovered that people do not expect entertainment from these courses. They are actually looking to contribute, discuss and think, once they see you are not condescending or preaching to them,” he says.

Storytelling

However, some organisations are thinking outside the box when it comes to cyber training. VIVIDA creates immersive cybersecurity training experiences, with customers including Sky, Lloyds Banking Group and Barclays. The company recently got Sky employees to go on a date with a cybercriminal that was trying to glean information for phishing attacks. It has also created a Dark Web Mission Control Centre through the eyes of an agent that has infiltrated a hacker’s lair.

“These kinds of experiences are a far cry from the usual cybersecurity training modules, and have storytelling at their core, which naturally draws people into an experience that they recall and action as habits, instead of just clicking through as fast as possible,” says Simeon Quarrie, VIVIDA’s founder and CEO.

“As a company, we hire scriptwriters, musicians, voice artists, designers, animators and film-makers. This is key to creating learning experiences that tell a relatable story to employees, enabling them to retain information much better.”

Elsewhere, on the customer side, Standard Chartered uses gamification for its cyber training, including simulated phishing attacks.

Scenario-based assessments, such as phishing simulations that test understanding, are more engaging and useful than memory recall tests, says Ellie Warner, global head of cyber training and awareness at the bank.

“As an example, Standard Chartered runs webisode competitions, where employees vote on one of two endings as they try to protect the bank. Depending on how people voted, they either succeeded or failed in preventing the cyber villains from hacking the bank. This campaign resulted in more participation than any other the organisation has run, with about 15-20% of the bank taking part.”

Ultimately, it is important that organisations adopt a holistic approach to phishing detection and response, to embed it into their overall cyber strategy rather than viewing it as a single component. Technology cannot provide all the answers, so firms must shift employee behaviours towards a culture of reporting threats.

Developing a culture of understanding, awareness and reporting is key in your fight to protect your IT infrastructure.

5 key takeaways for business leaders

1. Far from being ‘the weakest link’, employees can be an organisation’s greatest strength. Cyber awareness training can be used to teach employees not just to be smarter about security, but to literally become a key part of IT’s ‘early warning sensor’ network.

2. Phishing attacks prey on people’s fears, so training should communicate threats that are relatable to the employee and convey best practice in ways they can understand. Put yourself in the shoes of the employee and be empathetic to how they are adapting to their new working life.

3. Techniques like gamification – which is about breaking down complex content into bite-sized, relatable, digestible topics – mean employees are more likely to partake and retain information from learning experiences that they enjoy than they are through memory recall exercises.

4. An effective phishing incident response requires analysts to quickly separate useful reports from noise, turning user-reported emails into actionable intelligence. Organisations must therefore equip their security teams to handle the after-effects of reporting. Automating remediation actions with phishing analysis tools can alleviate some of the pressure on incident response teams, freeing them up to investigate real phishing threats.

5. Damage limitation is as critical as prevention. Encourage employees to come forward after accidentally falling victim to a phishing scam. Employees often fear the consequences of ‘owning up’ to their error, but if they can go directly to the security team after an incident, the chances of mitigating the harm of the phish are far greater than if they keep quiet.