Why Technology Won’t Save You From Phishing… and What To Use Instead

By this time, everybody knows about phishing.
And that’s hardly surprising. Right now, over 90% of data breaches are initiated using phishing or some other type of social engineering.
Remember all those high profile data breaches you read about? Yes, even those household names fell prey to basic phishing campaigns.
So, since phishing has become such a huge issue, what do you imagine these companies are doing to prevent it?
I think you’d be less than impressed with current efforts to address the issue.

Technical difficulties
Here’s the thing. Right now, companies all over the world are investing big time in technological solutions to the obvious cyber threats facing them. But what they don’t realize is that technological solutions will only get you so far.
You see, no matter how good your advanced spam filters, email authentication protocols, and attachment scanning technologies are, some proportion of phishing emails will always get through. And that’s a huge problem.
According to a leading technology market research firm, the Radicati Group, 112.5 billion business emails are sent every day. With approximately 1.08 billion corporate email accounts worldwide, that means each account receives approximately 104 emails each day. Here’s where things take a turn for the worse.
According to Symantec, more than half of all emails (53.2%) are spam, meaning that on average each business email account is sent 55.3 spam emails every single day.
“Okay,” you might be thinking. “That’s all well and good, but is spam email really such a big deal?” Let’s say a typical organization has around 5,000 employees, receiving approximately 276,500 spam emails each day. Now let’s imagine this typical company employs an advanced spam filter that blocks 99% of all incoming spam emails.
On that basis, 2,765 spam emails will find their way into user inboxes every day. Research suggests that 1.5% of spam emails contain malware, and as a result our average organization can expect to be exposed to 41 malicious emails every day.
Not great, right?
And here’s the thing. In this example, we've been extremely conservative. Not only do the vast majority of advanced spam filters fail to block anywhere close to 99% of incoming spam email, we also only considered malicious email that contains malware, which is by far the easiest to detect, and is just one of many phishing strategies.
Other strategies, which include credential theft, drive-by downloads, business email compromise (BEC), holiday themed attacks, and spear phishing, rarely contain malicious attachments, and are much harder to detect.

If Not Technology, Then What?
Now don’t get me wrong, I’m not against cyber security technologies by any means. In fact, I’m all for them.
What most companies don’t realize is that cyber security can’t only be about technology. Technology is great, yes, but it’s not enough to prevent your organization from becoming just another phishing statistic.
Let’s take another look at an average organization. For the most part, users are considered a huge weakness that must be protected using technological controls. But since we now know the technological controls are not enough to combat phishing, we must also realize that protecting users altogether is not a sustainable security strategy.
At this point, you can probably see where I’m heading. If I had to make a guess, I’d say your mind is flashing back to that last dull security awareness training session you were forced to sit through.
You know the one. It was boring, stuffy, totally out of touch with reality, and seemed to go on forever. Unfortunately, if this is your experience of security awareness training, you’re in the majority.
But this has to change.
In a world where threats are ever evolving, often too fast for organizations to react, your users must be prepared to deal with attacks that are designed to prey on human error.

Make it Real
Let’s get down to brass tacks. The idea here is to prepare your users to identify and combat phishing emails. Do you really think that’s going to be done in the classroom?
Clearly not.
No, if you’re going to successfully prepare your users for the threats they will inevitably face, you're going to have to make the training a lot more realistic. Quite simply, you’re going to have to phish them.
Yes, you read that correctly. I’m suggesting that you systematically, consistently, and repeatedly send phishing emails to your own users.
OK, so there’s a bit more to it than that. Not only will you need to regularly construct phishing emails that resemble the latest real-world samples, you also need to provide your users with a simple means of reporting both simulated and real phishing emails, and track each user’s performance over time.
And yes, you’ll need to provide your users with some training first… But perhaps not as much as you might think. At the outset, you’ll want to explain to your users how the program will work, what it’s designed to do, and why it’s important that they engage with the process. On top of this, it also makes sense to provide an overview of what phishing is, what typical phishing emails might look like, and what you want them to do when they suspect an email is malicious.
Beyond this, though, you’ll find that providing too much information can lead to users being overwhelmed. Instead, it’s almost always more productive to get started with your program quickly and allow users to learn as they go.

The Hard Truth About Phishing Defense
As I’ve already mentioned, most organizations prefer to invest in technological controls, rather than addressing the human vulnerability head on.
And there’s a simple reason for that… It’s much easier.
But, as we’ve already seen, it’s also far from sufficient to defend against even the most basic phishing attacks.
If you’ve been paying close attention to this article, you’re no doubt already realizing that a program along the lines I have described is not going to be cheap or easy to set up. Not only will you need to construct an ongoing series of increasingly complex phishing emails, you’ll also need to implement a reporting mechanism that’s easy for users to use, and a comprehensive reporting framework that enables you to identify those users who pose a significant risk to your organization.
Throughout the program, users who “fail” each phishing simulation will need to be provided with additional training, and retested to ensure their performance improves over time.
All this is much harder than simply paying for the latest security product. It requires more effort, more thought, and a great deal more consistency. But, and here’s the important part, it actually works.
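As a sketch of the tracking side of such a program, the following added example (not code from the original article) turns simulation results into per-user scorecards and follow-up actions. The sample data is constructed, and the record layout, the two-failure threshold, and the action names are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data: (campaign number, user, clicked link, reported email).
RESULTS = [
    (1, "alice", True, False), (1, "bob", True, False), (1, "carol", False, True),
    (2, "alice", False, True), (2, "bob", True, False), (2, "carol", False, True),
    (2, "dave", False, False),
    (3, "alice", False, True), (3, "bob", True, False), (3, "carol", False, False),
    (3, "dave", True, False),
]

def user_scorecards(results):
    """Summarise each user's simulation history, ordered by campaign."""
    history = defaultdict(list)
    for campaign, user, clicked, reported in sorted(results):
        history[user].append((clicked, reported))
    cards = {}
    for user, rows in history.items():
        # Count consecutive failures back from the most recent campaign,
        # so an old mistake followed by good results does not count.
        streak = 0
        for clicked, _ in reversed(rows):
            if not clicked:
                break
            streak += 1
        cards[user] = {
            "click_rate": sum(c for c, _ in rows) / len(rows),
            "report_rate": sum(r for _, r in rows) / len(rows),
            "fail_streak": streak,
        }
    return cards

def follow_up(cards, streak_threshold=2):
    """Pick the next step per user (threshold is an assumed policy value)."""
    actions = {}
    for user, card in cards.items():
        if card["fail_streak"] >= streak_threshold:
            actions[user] = "high_risk"           # failing repeatedly despite retesting
        elif card["fail_streak"] == 1:
            actions[user] = "retrain_and_retest"  # failed the latest simulation
        else:
            actions[user] = "none"
    return actions

if __name__ == "__main__":
    cards = user_scorecards(RESULTS)
    for user, action in sorted(follow_up(cards).items()):
        print(user, cards[user], action)
```

Tracking the report rate alongside the click rate matters here: a user who neither clicks nor reports (carol in campaign 3) passes the simulation but gives the security team no signal about a real phishing email.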


Guest Blog by:
Dane Boyd