Your cyber security is only as strong as the weakest link in your defence. Unfortunately for organisations such as EasyJet, Facebook and Marriott Hotels, gaps in their security have resulted in major cyber breaches, leading to the theft of millions of dollars, reputational embarrassment and the sacking of several high-profile executives. What these industry giants had in common was that they were all victims of phishing attacks, which continues to be the most significant cyber threat that organisations face across the globe today.
What is Phishing?
The act of phishing is to try and illicit a response from a person or group of people via mediums such as:
- Text (also known as ‘smishing’)
- Phone calls / voicemails (also known as ‘vishing’)
- Social media or,
- a combination of some or all the above.
Spear Phishing targets specific groups, teams or individuals using a more tailored approach, and Whaling attacks specifically target senior management, such as a CEO, CFO, or other executives. Phishing and Spear Phishing are both forms of ‘social engineering’ attacks, which are designed to trick someone into divulging personal or sensitive information, by taking advantage of the victim’s natural tendencies and emotional reactions. The reason why this form of attack is so successful is because the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to try and influence others either consciously or unconsciously.
Some examples of the techniques include:
- An urgent request for customer information or significant funds
- Instruction from someone in authority, such as a manager or other senior person
- Using curiosity to engage with the recipient
- Appealing to your compassion
If the subject matter is compelling enough, it can be hard not to spot the attacker’s trap.
Analysis shows that human actions are overwhelmingly at the heart of many vulnerabilities within businesses, and cyber attackers are activity seeking to exploit our human weaknesses to compromise target systems. Often this is through an employee being tricked using social engineering. For example, up to 95% of all attacks on enterprise networks are the result of a successful spear phishing attack, whilst 76% of businesses reported being a victim of a phishing attack in the last year. Furthermore, it has been reported that the average cost of cybercrime to an organisation is now nearly £10 million.
If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.
How Do We Address the Problem?
To address the threat, there needs to be a greater understanding of what the threat is, the effect it could have and how we can help to stop it. The most effective way to increase understanding within an organisation is through awareness learning, tailored to suit the needs and requirements of the business. There are a number of excellent learning resources available for organisations and individuals, such as those provided by the UK’s National Cyber Security Centre, the Centre for the Protection of National Infrastructure and the SANS Institute:
A good approach with awareness learning is to start out in a single area initially such as phishing – which is currently the most significant threat to organisations – and progressively expand the subject areas over time to include other areas such as password security, social media, information handling and other relevant subjects. These awareness resources can easily be shared with staff to help act as a talking point and referred back to when checking your staff’s understanding of the risks.
Technology and perimeter controls will always be your first line of defence, and they are incredibly valuable in protecting your organisation from the cyber threats you face. However, there will be times when the attackers get through, and then it is up to your staff to protect you. Only once you have a cyber-aware workforce with a security culture embedded within your organisation, can you be confident in their ability to be your last line of defence.
Security Expert at BLOCKPHISH