FINAL WORD
Here’s what organisations tell us about the human factor.

You could also ask organisations in the region and across the globe. At Cofense, we talk to them every day about effective phishing defence. The following are some of their insights on thwarting attacks on humans by empowering them with the right expertise and tools.

Let’s start with the head of information security at a Middle Eastern university. A few years ago, after large-scale attacks by nation-state actors on other regional targets, he made human-vetted phishing defence his number one priority, anchored by a rigorous phishing simulation program.

When he launched the program, users – students, faculty, administrators and anyone else using the network – fell for simulated phish 55% of the time. That number has now dropped to close to 10%, with the number of users reporting bad emails up to 50%.

“My mandate was to do everything necessary to protect the university community,” the Head of Information Security reported. “We invested in technological solutions, but with 30 years of IT experience, I know that you need to invest in people, not just processes and technology. You need to make them human firewalls.”

He added: “Look at it this way. You can put five locks on your door, but if you leave the keys under the doormat, the locks don’t do much good. Fortifying the human firewall is my utmost priority. The human element is the most important part of your defence.”

“Hey, is this the right payment?”

The cyber-program director of a multinational utility echoed those remarks. “My CISO often states that if he had to cut all of his budget, down to the bare bones, all that he would choose to spend on would be awareness and response,” he said. “We had a scenario where, all the way up to the CEO, they were ready to make a treasury payment until somebody finally picked up the phone and said, ‘hey, is this the right payment to be made?’ And it was blocked.”

Referring to constant changes in attack techniques and the need for defensive adjustments, he added, “I’m reminded of a quote from Alice in Wonderland, when the White Queen was saying, ‘In order to keep up, you have to run as fast as you can.’”

(FYI, Cofense data shows that the energy industry leads the region in phishing reporting – on average, over 16 users report a simulated phish to every user that falls susceptible.)

Removing phishing emails ‘sometimes in five or 10 minutes’.

An operational risk consultant with a global financial company shared with us an example of employees helping the SOC stop phishing threats in minutes.

“I don’t think security is going to be improved by the next best technology we put in place, whether it’s an appliance or a firewall or something that blocks at the proxy,” she said.

“For example, we had a Word document with macros slip through our filters, so we just need to teach the humans that own our email addresses to be extra-vigilant.”

She continued: “We see some departments reporting as high as 60% in phishing simulations, but they also report [real] malicious emails that go to our cyberdefence teams – and they get them out of the network sometimes in five or 10 minutes.”

“That’s a return on investment.”

Noting the futility of investing in technology while users remain untrained, a cybersecurity awareness evangelist at one of California’s largest companies said: “In one corner you’ve got 10 million dollars in defence perimeter equipment and on the other side, of course, you’ve got ‘Dave.’

“A machine cannot apply a non-linear approach to a problem. A machine is just conditioned to do one thing. But a human being with instinct can make decisions that are a lot more intricate.”

His company too relies on employees to report actual phishing threats.

“Recently, we saw 33 reported threats come into our IR inbox,” he said. “When you consider that a breach could cost six million dollars, that’s a return on investment.”

“What did you do to prevent this?”

The last word comes from another global financial company:

“To not focus on phishing would be pretty negligent on any company’s part,” said the company’s operational risk consultant. “At the end of the day, if we have a breach it’s probably going to have stemmed from some sort of phishing attack. When our regulators or clients are asking us, ‘What did you do to prevent this?’ it’s important to feel confident that we have an anti-phishing program in place.”

She noted that inbox behaviour is ‘easily measurable’. It’s not hard to sustain a phishing defence program because the metrics are simple to gather and use to demonstrate success.

In fact, automation makes it even easier, allowing program managers to schedule a year’s worth of simulations in a matter of minutes. Other automated systems enable SOC teams to filter and analyse reported emails quickly, plus remove them from users’ inboxes when verified as threats.

Those are smart uses of technology. After all, machines are great at saving time and handling repetitive tasks, saving human brains and intuition for critical decision-making. But if you’re placing all your bets on tech and neglecting the human factor, it’s going to be a long, and very phishy, year.

Kamel Tamimi, Principal Security Consultant, Cofense Inc

INTELLIGENTCIO
www.intelligentcio.com