Recent Posts

Recent Blog Posts

The PhishLabs Blog

It Only Takes One to Detect or Infect

Posted by Bart Collida on Mar 5, '19

report phishIt’s time to take action against phish! Phishing attacks are no longer few and far between, they are the norm.

Regardless of your company’s investments in filtering technologies and countermeasures, suspicious and malicious emails make it into employee inboxes. It only takes one to cost your company time, money, and lost reputation.

Unfortunately, even with traditional security awareness training, when end users receive a well-crafted and interesting email, they click on it. They likely won’t delete it and are even less likely to report it. For most organizations, reporting suspicious emails is not the first choice. This needs to change. But even reporting is not enough. Why? Because it only takes one.

Security awareness is when employees recognize a suspicious email for what it is and delete it. That’s a step in the right direction, but with thousands of employees, it only takes one user to click a link in a suspicious email to infect your entire network. In our industry, it’s a known fact and no amount of buzzword-fueled security approaches such as AI will defeat the ever-evolving threat actor. With attacks increasing on financial, healthcare, consumer services, and other industries, companies can’t stop at just being aware. The minimum requirements are just that, the minimum. Organizations must be proactive and vigilant and that means empowering users.

Security vigilance is when employees recognize a suspicious email and report it to security operations. With thousands of employees, it only takes one to forward the suspicious email, and in turn proactively protect the entire network. That’s a huge difference. So how can your company achieve this?

Transitioning from basic security awareness to advance security vigilance is the key to turning the tables on threat actors. What this means for your organization is that it’s time to reevaluate how users are being trained and the goals of the program.

More Frequent, Less Time Consuming

Being vigilant and not just aware of possible security breaches requires more than once a year or quarterly training. Instead, I recommend a short, focused, and frequent approach to training as an effective way to change end user behavior and get them to report suspicious content. This strategy is based on sound psychological findings.

According to German psychologist Hermann Ebbinghaus’ Forgetting Curve, you forget 60 percent of what you learned after just one day. For those over 30 years old, this dwindles down to only 20 percent. Ebbinghaus founded these principles over 100 years ago and his findings are proven to apply even more in today’s day and age. A correlated concept to the Forgetting Curve is Spaced Repetition, which is the proven scientific way to efficiently improve memory and, in our case, change end user behavior to encourage them to report suspicious emails. Spaced Repetition is a learning technique that incorporates frequent review of learned material.

Faster Response Times

If users are expected to go beyond the minimum, security teams should, too. After an employee reports a suspicious email, it’s important for security teams to be ready and staffed to act. This is important for two reasons: 1) a prompt reply to the employee rewards and reinforces their good behavior in reporting the email. 2) a quick analysis of the suspicious email allows security teams to look for similar but, unopened related emails in their environment.

The analysts I work with typically see phishing campaigns that target more than just one individual in an organization, so it’s really a race against the clock before someone clicks on a similar email. With thousands of employees, it only takes one to infect or protect your environment. I also recommend a well thought out search and destroy strategy to find these unopened malicious emails and proactively remove them from employees’ inboxes. This means your team needs to take the analyzed data from confirmed threats and see who else within the network received it. Then take that data to destroy the threat from anyone else’s inbox.

Finally, I recommend that organizations subscribe to a phishing indicator of compromise data feed to continually update your countermeasures with the latest documented phishing attacks. This helps ensure your investments in URL and email filtering are providing the best blocking possible.

We both know that in a perfect world employees and users will be security vigilant. It takes a strong foundation, but organizations do it every day. Just as important, security teams need to plan for larger volumes of submitted emails and be staffed to handle the volume as the training program shows progress. Our data shows that a security vigilant organization will find about 97 percent of submitted emails will be spam and not malicious. But that’s ok as this is your last line of defense. Remember, we’re talking about the emails that make it through all of your other security controls and countermeasures that you have in place.

This is truly were the rubber meets the road.

Topics: security awareness training, Phishing Incident Response

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all