All the expensive high-tech cybersecurity goodies cannot prevent someone in your employ from clicking a malicious link in an email and opening a gateway to further network exploitation. That is the findings of ProofPoint in The Human Factor Report 2015. The discouraging point for those of us who advocate employee training as an important part of an overall cybersecurity strategy is that in spite of training, people are still more likely to click that link than not. Some of the key findings:
- Cyber-attackers are targeting middle managers in Sales, Finance, and Supply Chain more frequently using customized spearphishing emails.
- Middle managers are 50% to 80% more likely to click through on a link than general office staff.
- Everybody clicks on something, on average users will click on one in every twenty-five malicious emails.
- Attacks are happening during business hours, and top days for phishing are Tuesdays and Thursdays.
- Currently, cyber-attackers seem to prefer email attachments over URL links to malicious websites.
What can be done about this problem? Here are some ideas:
- Since a large percentage of attack approaches are using email, initiating some form of serious email filtering, either from an online service provider, or by installing an email filtering appliance in front of your email server is a good idea. This should, when properly configured, keep most of the malicious phishing emails out of inboxes. This should also be able to detect and quarantine malicious attachments as well.
- Set up an email abuse account for your staff to forward suspicious email to for further investigation. Your IT staff, or a contracted outsource provider, can then examine the attachments and links safely and advise the recipient on the safety of the email.
- Train your staff. Yes we have seen that this does not work as well as we would like, but there are some simple solutions that can become habit, such as challenging emails by contacting the apparent sender and asking for content verification. This can be a simple email or a quick phone call saying “I just got your email, what is this about.” If the person who sent the email knows nothing about the email, then it can be assumed that the sender was spoofed and the email is malicious.
- VirusTotal is a website that allows users to check link and attachments themselves. If you are reading your personal email, self-employed, or running a very small business this is a free solution that could replace some of the suggestions above.
We still believe that training and awareness are your best defenses against cyber-crime. Just as we have all been trained to drive defensively when behind the wheel in our cars, we should be trained to drive defensively when reading our email and browsing the Internet.