The idea that your company is only as good as its employees applies to more than running operations; it also has relevance in cybersecurity. Employees have become a number one target for phishing scams, and it’s not just the C-Suite that’s in the crosshairs. Hackers are increasingly going after workers lower on the organizational chart as they seek backdoor ways into a company’s network.
“Even with phishing exercises, we still see anywhere from 10% to 15% of employees clicking on it,” said Grant Bourzikas, Chief Security Officer at McAfee, the Santa Clara, California security software company, in a recent interview with The Saas Report. “It continues to be an easy exploitation to achieve.”
Phishing Attacks Date Back To The Early 90s
Phishing attacks have been around since the early 1990s, when America Online was first targeted by a group of hackers who developed an algorithm to generate credit card numbers that they used to create fake AOL accounts. Once they had an account, they would spam other users online. As email grew more popular, scammers moved to that venue, tricking people into handing over personal data. While consumers quickly got wise to scams like the Nigerian money-seeking email, the hackers became ever more sophisticated, creating fake emails and websites that appear to come from a legitimate company. As social media took over, the scammers moved there too. In the tactic known as spear-phishing, the bad actors use the information they gather from social media to trick people into clicking on a link or offering up information they shouldn’t.
More recently, the bad guys have taken spear-phishing tactics to the corporate world, zeroing in on companies they want to compromise. They target employees within the business in the hope that they will fall prey to the scam, providing the digital keys to the castle. No company or industry is immune, but sectors such as healthcare, finance, and energy see a lot of phishing activity. According to the Federal Bureau of Investigation’s 2017 Internet Crime Report, businesses lost more than $675 million to business email compromise. Those scams target businesses, usually ones that work with foreign suppliers and regularly make wire transfer payments, and use social engineering or computer intrusion techniques to carry out unauthorized transfers of funds.
Know What You Are Protecting
“The executives are extremely savvy at detecting phishing schemes,” said Grant. “Where a lot of the risk is moving is to the front line assistants. That could be a paralegal or a clerical position. Those are the ones more targeted than executives.”
In one common scenario, hackers target the paralegal who manages a company’s financials, gaining access to the information before it is disclosed. In another, they go after an investment banker’s assistant to learn about an acquisition before it happens. Then there are hackers working for governments or competitors who are tasked with stealing business secrets or proprietary information. Because phishing campaigns have different motivations, Grant said part of an organization’s risk assessment has to include determining what information it holds that would be valuable to scammers. “Where you start is understanding the crown jewels,” said Bourzikas. Companies have to think like the bad guys about what they would want from the organization, and apply the controls there.
Phish Your Employees
In addition to understanding what the bad guys want from your business, organizations have to establish a culture in which employees take cybersecurity very seriously. Bourzikas pointed to manufacturing as an example of how safety is built into a culture: the business is designed around protecting workers on the production line and making sure diligence is applied to safety measures. Any type of company can create a similar culture around cybersecurity, ensuring employees know how to be safe online and what behavior is expected when connected to the company’s network or answering email.
Bourzikas is a big advocate of testing employees with phishing exercises to find out whether they would blindly click on something or would apply skepticism and caution when opening links in emails. If employees fail, it gives the organization an opportunity to offer a refresher course or lay out what could have happened had it been a real phishing attack. “Phishing your own employees is important,” said Grant. “Email is more of a privilege. We should be monitoring email boxes so that we protect the organization.”