Monday, January 23, 2017 By Kevin Beaver, IANS Faculty
As we've all heard and, as many of us have learned, email phishing is no joke. Given the numbers we've seen in various ongoing studies and the gigantic breaches that were initiated by email phishing in recent years, phishing is arguably the greatest risk that enterprises face today.
In my experience, more and more businesses, nonprofits and government agencies are integrating email phishing exercises into their security awareness and training programs. However, I'm seeing many security organizations approaching email phishing awareness the wrong way, and it’s not good.
More and more frequently, I'm seeing IT and security managers perform their internal email phishing awareness testing using more traditional phishing emails. By "traditional" phishing emails, I'm referring to those that we are all accustomed to receiving, such as those purporting to be from PayPal, Wells Fargo, UPS and the like.
The people I'm speaking to who utilize these types of emails in their phishing campaigns are telling me that they're getting pretty low response/click-through rates from their users – in the ballpark of 1 to 5 percent. I believe this is creating a false sense of security because most users are accustomed to receiving such emails and know how to handle them by now.
Improving Your Phishing Awareness Program
What's not being properly addressed, however, are attempts to spear phish individuals or smaller groups of people (i.e., within a department) with more legitimate-looking email messages that appear to originate from someone they know inside the organization. On various occasions, I have performed these targeted spear phishing campaigns for clients who are already performing their own email phishing testing, and I'm seeing upwards of 40 to 50 percent click-through rates. My clients are often quite surprised, with emotions ranging from embarrassment to anger.
It's human nature to be more accepting of email messages that appear to come from someone you know or trust, especially if it's your manager or an executive in the organization. It's not just the message, but rather the instructions that go along with such messages, such as "click this link and provide x, y, or z information in order to acknowledge the request." It's scary how successful this has been for me and I'm not even that good!
As you build out your enterprise information security awareness/training program, make sure you are addressing email phishing from all the right perspectives. Odds are good that you're leaving some opportunities – and risks – on the table.
It's also important to keep in mind that email phishing is not just a people problem. It's simply an attack vector. However, once the attack is launched, the threat often has several layers of vulnerabilities to exploit, such as poor email filtering, weak malware protection, little-to-no outbound web filtering and a bevy of sensitive information that's accessible for the taking on any given endpoint.
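One of the technical layers mentioned above is email filtering. As an added illustration (not from the original article), the check below flags the "looks like it came from your manager" pattern: an inbound message whose display name matches a known internal user while the actual sending address is external, plus a Reply-To that points somewhere other than the sender. The domain, user directory and sample messages are constructed for the example.

```python
# Added example: flag inbound mail whose From: display name impersonates an
# internal user while the address is external, and tag external senders.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample directory; assumes a single corporate domain.
INTERNAL_DOMAIN = "example.com"
INTERNAL_USERS = {"jane doe": "jane.doe@example.com",
                  "sam lee": "sam.lee@example.com"}


def classify_sender(raw_message: str) -> dict:
    """Return a verdict for the From:/Reply-To: headers of one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_key = " ".join(display.lower().split())  # normalise whitespace/case
    external = domain != INTERNAL_DOMAIN
    # Internal display name + external address is the spear-phishing tell.
    impersonates = external and name_key in INTERNAL_USERS
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    reply_mismatch = bool(reply_to) and reply_to != addr
    return {
        "from": addr,
        "external": external,
        "display_name_impersonation": impersonates,
        "reply_to_mismatch": reply_mismatch,
        "tag_subject": external,  # gateway would prepend "[EXTERNAL]"
    }


# Constructed sample: executive's name on a free-mail address, odd Reply-To.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe.ceo@freemail.example>
Reply-To: replies@another.example
To: staff@example.com
Subject: Urgent: acknowledge this request

Please click the link and confirm your details.
"""

# Constructed sample: genuine internal sender.
SAMPLE_LEGIT = """From: Sam Lee <sam.lee@example.com>
To: staff@example.com
Subject: Lunch

Noon?
"""
```

A check like this belongs at the gateway or in the mail client, where the verdict can add a visible banner before the user ever sees the "click this link" instruction.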
So, email phishing is about your users but, then again, it's also not. Instead, it's about your philosophy as it relates to the perception and ongoing support of your security program, as well as your technical controls across the board.
In the end, make sure you're doing email phishing testing on a periodic and consistent basis. The majority of organizations that I see and read about are doing nothing in this area, even today. It's arguably the greatest enterprise risk, and many organizations are simply ignoring it. Not good for business!
But don't just go through the motions with your standard email phishing templates. Think outside the box – think about how the bad guys can and are attacking you – and use their level of sophistication. As I am discovering in my own work, it's absolutely amazing how susceptible presumably educated and well-trained users are to more advanced attacks. Remember, all it takes is one click and your entire network can be compromised. Everyone is vulnerable, regardless of your level of security maturity.
Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).