It's a typical office day: the email is flowing and your employees are working their way through the vast array of requests as they appear in their inboxes. One such email pops up: "IT Security Compliancy Survey - Please Complete". It's a good title, so it could be from IT. It has an external email address, Itsupport@compliancycheckers.co.uk, so it must be from IT. It's written and phrased like your internal announcements. It lacks a logo, but hey, your staff are busy; it's mid-morning, a busy time. It's signed from IT support, so yes, it's from IT. A quick survey, 5 minutes of effort, task completed.
So, how many of your staff would follow this link? How many would fill in the survey once they went to an external site? How many would know how to spot a Phishing email?
25%, 50%? We can all think of someone who would. It doesn't mean they're silly; more likely they're busy and simply trusting. Phishing traps just are not on their radar. Why would they be, and what would be the purpose? Plenty of us have the same trusting mentality and are not looking for the trap.
You probably already know this, but that person (or people) you thought of has just handed over information to an unknown entity. Goodness knows what information they've given, but with most companies currently considering data security one of the biggest threats to their business, it could be a costly 5 minutes' work.
So why does this matter? What can we, as business owners and IT managers, do about it, and more importantly, what results do we wish to see?
Advanced Persistent Threats, also known as APTs (not to be confused with ATP), are on the rise: the number of spear-phishing campaigns targeting employees increased by 55% in 2016*. Hackers' key interest now is data, rather than the simple disruption we've seen in the past. In a world where we're seeing companies that are almost entirely based on intellectual property and the services they create, data has never been so valuable. Hackers know that companies are (hopefully) getting more intelligent and diligent about protecting their data, so a simple brute force attack is unlikely to succeed and they have to play the long, persistent game.
With APT attacks, a hacker is looking for a way to get any level of entry into a business' secure "inner sanctum". So what's the best way to do this? If systems are designed well, they will follow the rules that are set and will be very difficult to get around, but people… well, we make mistakes, and this is where the opportunity and phishing attacks really come in. People are naturally trusting: they'll go to sites and accept the risks that pop up in the browser as warnings, or they'll follow an email link for security compliancy because they feel they are doing the right thing.
With that, a hacker has information, credentials, malware on your user's device, a route in. From here, they will work to develop greater and greater permissions, until eventually they get to the desired data, extract it, never to be seen again. This could be days or months after the initial user error, so long ago you may have even cleared your logs of the sites that the user visited on that day.
So what can be done? There are many services out there that can help. Advanced Threat Protection (ATP) is at the fore of many security companies' minds now, and offers a business far greater protection. We all know prevention is better than a cure. The best way is to stop these messages before they hit your network, and there are services that do just that. But what if one such email gets through? We have to educate. Educate our staff and our customers (they are at just as much risk from phishing) to be cynical about email communication, to think before clicking, and more importantly, to raise the alarm if there is any doubt.
Going back to the original question, "How many of your staff would follow the link?" Ideally we want to stop the link ever reaching an inbox. If that fails, we want employees who are not simply aware enough to ignore this type of email, but who proactively make their IT contact aware of it. That's the real goal, and something we all need to be working towards to help promote a safe environment not only for our company data, but for our employees and customers, whether they are using the internet for work or leisure.
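One way a mail filter could flag the email described at the start of this article before it reaches an inbox, as an added example rather than code from the author or Claranet. It assumes example.com is your own mail domain; the wording pattern, function names and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: your organisation's own mail domain
# Assumption: wording that implies the message comes from internal IT.
IT_CLAIM = re.compile(r"\bit\s*(support|security|help\s*desk|department)", re.I)
URL_HOST = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def is_internal(domain):
    domain = domain.lower().rstrip(".")
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def plain_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_signals(raw):
    """Return the reasons a message deserves a warning banner or quarantine."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    body = plain_text(msg)
    # The sign-off usually sits in the last few non-empty lines of the body.
    signature = "\n".join([ln for ln in body.splitlines() if ln.strip()][-3:])
    signals = []
    if not is_internal(domain):
        claims = [display, local, msg.get("Subject", ""), signature]
        if any(IT_CLAIM.search(c) for c in claims):
            signals.append("claims to be IT but sent from external domain " + domain)
        hosts = sorted({h.lower() for h in URL_HOST.findall(body) if not is_internal(h)})
        if hosts:
            signals.append("external sender links to " + ", ".join(hosts))
    return signals

# Constructed sample modelled on the email described in this article.
SAMPLE = """\
From: Itsupport@compliancycheckers.co.uk
To: staff@example.com
Subject: IT Security Compliancy Survey - Please Complete

Please complete this short survey: https://survey.example.net/start

IT Support
"""

if __name__ == "__main__":
    for reason in phishing_signals(SAMPLE):
        print("FLAG:", reason)
```

A match is better used to add an "external sender" banner or hold the message for review than to delete it silently, since genuine outsourced IT providers also send from external domains.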
Author: Stephen Old
SME and Managed Hosting Sales Specialist at Claranet
Ref: *Internet Security Threat Report https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-...