
Don’t default to a blame culture

by Mark Rowe

Enough with the phishing ‘blame game’ says David Higgins, Senior Director, Field Technology Office at the cyber firm CyberArk.

Phishing is a big problem, and it’s getting bigger as cyber criminals look for new ways to evade suspicion and hook victims. Cyber attackers are extremely agile, trying their luck to infiltrate organisations from every direction – through emails, social media messages, typo squatting, phoney marketing QR codes and more. With so many vectors in play, employees are always on the back foot and it’s only a matter of time before someone trips up or clicks on something they shouldn’t.

When they do, and phishing attacks lead to a damaging data breach, organisations can sometimes feel it necessary to publicly place blame on an employee, instead of looking inwards at their own cybersecurity reinforcement practices. They do so at the risk of discouraging employees from owning up to cyber mistakes for fear of embarrassment and potential consequences. It’s an approach that delays the company’s ability to mitigate damage as soon as possible.

In fact, according to a report by email security company Tessian, over a third (36pc) of employees have made a mistake at work that compromised their company’s security and a fifth (21pc) lost their job as a result, up from just 12pc in 2020. It’s no surprise fewer and fewer employees are reporting their mistakes to security teams. Every business will suffer a phishing attack in its lifetime; it’s purely a matter of when, not if. The whole organisation must make a collective effort to keep identity security tight rather than playing the ‘blame game’, which only leaves employees shying away from reporting their mistakes instead of learning how to prevent them in future.

The “click this, not that” contradiction

In the physical world, we don’t expect citizens to identify shoplifters or challenge those who run red lights. But in the digital environment, employees have become the gatekeepers against online scams. People who don’t work in identity security can be overwhelmed with conflicting advice like “click this, not that.”

For example, HR executives are tasked with reviewing CVs via email, web apps and social media. With so many applications, simply being told ‘do not click on links’ isn’t good enough. Employees of all stripes receive countless emails each day in which they are told to click links – whether to review important company policies or to download mandated software updates. Carefully examining each and every attachment or link to tell the malicious from the legitimate with 100pc accuracy, all of the time, is a near-impossible ask.

Embracing defence-in-depth

Maintaining identity security is a team game everyone should be in, and phishing awareness is an important first step. In fact, according to our research, 45pc of UK security leaders identify it as one of the top three most effective components of a defence-in-depth strategy, as it provides out-of-the-gate protection against ransomware and other advanced threats.

Many organisations send out their own phishing emails to raise awareness of identity security. While this tests an employee’s ability to identify malicious emails, it can disrupt relationships between senior management and employees – prolonging the ‘blame game’. Phishing prevention strategies based on pointing out individual shortcomings are unlikely to succeed.

Instead, phishing education is where businesses will see the real difference. Helping users understand the real-world ramifications of risky behaviours, such as forwarding personal emails to work accounts, can also help dispel the myth that identity security groups are like seatbelts: safe, all-powerful and there to protect everyone from harm, no matter how fast they’re driving.

In addition, methods that focus on team collaboration to solve the phishing problem, rather than shaming individuals who fail, will go a long way in promoting the team game mentality towards better identity security.

What would it take to click without fear?

Cyber criminals are constantly innovating, and their attacks are evolving in complexity. As a result, they will always find ways to get inside your organisation. This is why Zero Trust has gained such momentum. It’s built on the assumption that any identity or endpoint can be compromised. Security must start from an assumed breach mindset, recognising all users – whether they work in HR, marketing, finance, development or even the IT department – are potential phishing victims.

Instead of trying to control every click, focus on enforcing strong authentication everywhere, practising good credential hygiene and consistently following the principle of least privilege (for both human and non-human identities) to help prevent credential theft. Additionally, putting in place allow-listing and application controls can help mitigate malicious downloads.

This identity security approach is not about placing blame; it’s about emphasising awareness and putting the right layered defences in place to quickly find and stop attackers.

Humans are biologically conditioned to blame. When bad things happen to us, we instinctively look for reasons that are beyond our control – and it’s no different with business leaders, especially those experiencing a potentially devastating cyberattack. Even from the outside looking in, we want to know “who done it?”. That’s why major breach reports spark waves of speculation and why human error is a common corporate explanation.

While the phishing ‘blame game’ may help businesses feel better in the short term, it misses the most important point. That is, fault refers to responsibility; responsibility is rooted in trust; and inherent trust – in anyone or anything – must be completely removed from the modern identity security equation.

Creating a positive cybersecurity culture is key to creating a workforce that doesn’t shy away from reporting mistakes – meaning businesses can act quickly to efficiently mitigate any damage. It is important for employees to see cyber security as an agent of protection instead of condemnation. Allowing employees to talk openly about their cyber security mistakes, rather than blaming them, can provide excellent company-wide learning opportunities.
