Security Needs to Get Real
By Samuel Greengard
It's human nature to believe that more walls and barriers will protect our castle and thwart dangerous outsiders. Today's IT security tools are largely designed around this concept. They mostly focus on the technical side of protecting IT systems.
However, social engineering has emerged as Business Enemy #1. Trend Micro reports that 91 percent of successful advanced persistent threat (APT) attacks start via spear phishing. Meanwhile, Wombat Security Technologies informs us that 33 percent of Fortune 500 corporate executives, including CEOs, are vulnerable to spear phishing. In many cases, these senior execs are actually submitting their login credentials.
The situation is clearly a mess, and a lot of business leaders are in denial. Earlier this year, Tom Cochran, CTO for Atlantic Media and formerly in charge of digital technology for the White House, offered a compelling tale of how he engineered a fake phishing attack within his firm: half of the firm’s recipients opened his phishing e-mail—and 58 percent of those users actually clicked a fake malicious link.
Cochran conducted the phishing drill because his company, like most, faces a serious but often unaddressed problem: workers don't want to be inconvenienced and constrained by rules, restrictions and controls. Worse, training programs built around security often elicit little more than a yawn, and then it's back to business as usual.
One solution? Unleash fake phishing attacks to learn who is susceptible and to provide awareness training. This includes every employee, including the CEO. Armed with such information, there's no way that anyone can argue they don't need assistance or don't have the time for it. If they clicked a link and submitted their credentials—and even if they didn't—it's clear there's a big problem here for the enterprise.
When Atlantic Media's Cochran conducted his fake spear-phishing attack, he took the concept a step further. He used the results to achieve critical buy-in and push through a significant policy change that required two-step verification for all e-mail accounts: a password plus a code sent by text message. As he explained, "Placing someone in a cyber-attack drill is the safest and most effective tactic to build the company's collective security intelligence."