Imagine you’ve been at a company for about 25 years as an account manager. When you first started working there, email was the main communication platform.
One day you received an email from your co-worker, Jim, asking for your login to the sales database because he was having trouble with his credentials. You know him, so you said sure. Except that email wasn’t from Jim; it was from a cyber thief. With your login the thief was able to steal credit card information from your company’s databases. You learned your lesson the hard way and swore it would not happen again.
Now, years later, one of your subordinates has fallen victim to nearly the same attack. As upper management, you’re also having to deal with the PR crisis, since data breaches get far more attention now. You think to yourself: how could this have happened again?
It’s crazy to think about, but tactics from the 1980s are still being used for credential theft from major organizations today. You might ask how this could still be happening. Surely some technology has been built to counter these tactics? That’s just it: these tactics continue to work because of human error, not technology. This kind of credential theft happens through a process called phishing.
What is Phishing?
Phishing is where thieves trick people into handing over sensitive information for malicious purposes, often to steal from a company’s database or from people’s personal accounts. Normally this is done by sending emails that appear to come from larger institutions such as companies, banks, schools, or non-profits. These emails ask users to enter some sort of credentials or data, typically on a page that imitates the real institution’s login form. While email is the most common form of phishing, thieves will try any communication channel. Credential thieves take advantage of people’s comfort online and rely on them not noticing slight differences in the user interfaces they engage with regularly: a sender address or link domain that is one character off from the real one, or a page that looks right but sits on a different site.
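The "slight differences" above are the kind of thing a script can check for even when a busy reader cannot. The following is an added example written for this article, not code from the original post: it parses a raw email with Python’s standard library and flags a sender domain that imitates a trusted one (a swapped look-alike character, a one-character edit, or the trusted name used as a subdomain of another site), a link whose visible text shows one host while its real `href` goes to another, and body text that asks the reader to enter credentials. The trusted-domain list and both sample messages are constructed assumptions for the example.

```python
"""phish_check.py: flag the small discrepancies a phishing email relies on.

Added example for this article; not code from the original post.  The trusted
domains and the two sample messages below are assumptions made for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the organization legitimately uses.
TRUSTED_DOMAINS = {"example.com", "sales-db.example.com"}

# Look-alike characters phishers substitute, mapped back to the plain letter.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a"})

# Anchor text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

# A verb asking for action, followed within 40 chars by a credential noun.
CREDENTIAL_REQUEST = re.compile(
    r"\b(verify|confirm|update|re-?enter|send)\b.{0,40}?\b(password|credentials?|login|account)\b",
    re.I | re.S)


def normalize(domain: str) -> str:
    """Undo common visual substitutions so 'examp1e.com' reads as 'example.com'."""
    return domain.lower().replace("rn", "m").translate(_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this host imitates; None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None  # the real domain or a genuine subdomain of it
    for t in trusted:
        if normalize(domain) == t or edit_distance(domain, t) <= 1 or domain.startswith(t + "."):
            return t
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host: str) -> str:
    """Hostname of a URL, or of bare text such as 'sales-db.example.com/login'."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def assess(raw_message: str):
    """Return a list of (indicator, detail) pairs found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("sender-lookalike", f"{sender_domain} imitates {imitated}"))
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real_host = host_of(href)
        imitated = lookalike_of(real_host)
        if imitated:
            findings.append(("link-lookalike", f"{real_host} imitates {imitated}"))
        if URL_LIKE.match(text) and host_of(text) != real_host:
            findings.append(("link-mismatch", f"text shows {host_of(text)} but goes to {real_host}"))
    if CREDENTIAL_REQUEST.search(re.sub(r"<[^>]+>", " ", body)):
        findings.append(("credential-request", "message asks the reader to enter credentials"))
    return findings


# Constructed sample: the 'Jim' scenario from the article, as an attacker would send it.
PHISH_EMAIL = """\
From: "Jim (Sales)" <jim@examp1e.com>
To: you@example.com
Subject: Need your sales DB login
Content-Type: text/html

<html><body><p>Hi, my credentials are broken again. Can you verify your password at
<a href="http://sales-db.example.com.login-portal.net/auth">sales-db.example.com/login</a>
so I can get back in before the report is due?</p></body></html>
"""

# Constructed sample: a legitimate message from the real Jim.
CLEAN_EMAIL = """\
From: "Jim (Sales)" <jim@example.com>
To: you@example.com
Subject: Quarterly numbers
Content-Type: text/html

<html><body><p>Can you pull the Q3 figures from
<a href="https://sales-db.example.com/reports">the sales database</a> before Friday?</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, assess(raw) or "no indicators")
```

Run as-is and the phishing sample yields four findings (sender look-alike, link look-alike, text/href mismatch, credential request) while the clean one yields none. The checks are deliberately narrow: they catch the cosmetic tricks the article describes, not a message from a genuinely compromised co-worker account, which is why the training advice that follows still matters.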
It is amazing how simple this method of stealing people’s information is. It succeeds because, regardless of the technological security measures an organization has in place, phishing at its core relies on deception. Phishing is here to stay, and it will continue to evolve.
Phishing has become much more dangerous over time, and phishing emails now often carry ransomware that can infect unsecured computers. Ransomware is malware that blocks users from accessing their files: current strains encrypt the files on an infected computer and demand payment in exchange for the decryption key. Phishing was already a threat to organizations; now the stakes are higher.
Now that you know the scary stuff, what can you do to protect yourself from phishing attempts? Within organizations, nearly everything about security is affected by vulnerabilities in people, processes, and technology. Arranging the interactions of these three elements in a way that promotes security will help protect your organization’s information assets.
Phishing often succeeds because people are not trained to recognize it, and at times because of negligence. This means there is hope for prevention through education. When employees come to work they are not explicitly told that it is their responsibility to be vigilant and on the lookout for threats. They assume it is a safe environment and don’t really worry about information security. This lax attitude toward information security creates the opportunity for phishing to succeed. Organizations need consistent training so employees understand what a phishing attack means for them and for the organization: what cyber threats look like at their desk, which indicators to watch for, what habits to change, and how they can help IT keep the organization safe. This applies even to the most technologically adept people in the organization. Below are some suggestions to guide your security education program.
Connect the Conceptual & Procedural Context
Understanding of a topic does not stick for most people if they are given only the big picture or only the procedure. So it is important to provide a conceptual overview of the topic and how that
The CIO at XYZ Inc. is giving a training on insider threat with a focus on phishing. He opens the training with icebreakers and introduces the topic of insider threat in layman’s terms. He keeps this part simple but understandable and makes clear what is at stake for the company. He then focuses on what matters to the users: how it affects them in their day-to-day jobs.
In the scenario above the CIO did not spend too long on the big picture but kept it simple and digestible, then immediately transitioned to how it applies to their day jobs. Most important here is to keep the discussion as jargon-free as possible so the idea is as relevant and accessible to staff as it can be. By combining the conceptual and the procedural, employees understand not just what their responsibility is but also why it is important.
While not obvious, telling a story during an information session is far more memorable than academic or technical content. Framing your lesson around a character and a narrative helps employees form subtle emotional responses to the character, which leaves a more lasting impression than technical content alone. However, storytelling for experienced adult professionals is not so straightforward. Adults are already used to stories that appeal to their emotions, thanks to the marketing efforts of hundreds of companies. In the workplace, storytelling must do more than produce a generic emotional response; it needs to target a very specific set of emotions that produce a sense of urgency, because a sense of urgency creates the conditions for behavior change. Which emotions to target will depend on your company culture. Storytelling combined with context will help your employees visualize attempted credential theft in action, producing the conditions needed for change.
Imagine having employees attend only one information session. They were engaged for that hour and seemed to get it. Then after the session they go back to their normal routine. Do you think anything really stuck with them? It would be risky to say yes. Information security is not intuitive, and it needs reinforcement over time to achieve the desired behavior change. Continuous training does not have to consist only of information sessions; it can be integrated into employees’ existing routine through web-based modules, quizzes, group discussions, workshops, mentorship, and more. There is no silver bullet here: shape your continuous training program to meet your needs and goals, but understand that one-off information sessions do not achieve behavior change.
Education is an excellent preventive measure for reducing the risk of credential theft and insider threat. Continuous education paired with technology solutions produces a more secure environment than either could on its own.