Would your staff get hooked by Phishing?
Here is an everyday scenario: your staff all receive an email saying "IT Security Compliancy Survey - Please Complete". It's from an external email address, Itsupport@compliancycheckers.co.uk. It's written neatly, in the same style your staff are used to seeing in internal announcements. It doesn't carry your business logo, but it says it's from IT support.
Sit back and think, how many of your staff would follow this link? How many would fill in the survey once they went to an external site?
If the answer isn't "too many", you're either on top of your workforce, or you are kidding yourself. We can all think of someone who would. The person who follows the link doesn't have to be stupid, simply trusting. They haven't got the sceptical mentality of a seasoned IT professional, and let's face it, there are probably plenty of seasoned IT professionals we know who would just as happily fall for this little phishing trap.
You probably already know this, but that person (or people) you thought of has just handed over information to an unknown entity. Goodness knows what information they've given, but with most CxOs currently considering data security one of the biggest threats to their business, we know the board won't be happy.
So why does this matter? And what can we as IT professionals, managers, CxOs do about it, and just as importantly, what results do we wish to see?
Well, this matters because of the continued prevalence of Advanced Persistent Threats, also known as APTs (not to be confused with ATP, Advanced Threat Protection). Hackers' key interest now is data, rather than the simple disruption we've seen in the past. Often disruption is purely a means to an end, and that end is data theft. In a world where we're seeing companies that are based almost entirely on intellectual property and the services they build around it, data has never been so valuable. Hackers know that companies are (hopefully) getting more intelligent and diligent about protecting their data, so a simple brute-force attack is unlikely to succeed; instead they have to play the long, persistent game.
With APT attacks a hacker is looking for a way to get any level of entry into a business's secure "inner sanctum". So what's the best way in? If systems are designed well, they will follow the rules that are set and will be very difficult to get around, but people... well, we make mistakes all the time, and this is where watering-hole or phishing attacks really come in. People are naturally trusting: they'll go to sites and click through the warnings the browser pops up, or they'll follow an email link about security compliancy because they feel they are doing the right thing. With that, a hacker has information, potentially credentials, potentially malware on your user's device. From there, they will work to gain greater and greater permissions until eventually they reach the data they want to extract, and you'll never see them again. This could be months after the initial user error, so long ago that you may even have cleared your logs of the sites the user visited that day.
So what can we do? There are certainly services out there that can help; Advanced Threat Protection is at the fore of many security companies' minds now and offers a business far greater protection. However, surely prevention is better than cure? What we have to do is educate. Educate our staff and our customers (they are at just as much risk from phishing) to be cynical about email communication: to think before clicking and, more importantly, to raise the alarm.
Going back to the original question, "how many of your staff would follow the link?", what we really want isn't staff who are simply aware enough to ignore this type of email, but staff who proactively make their IT department and management aware of it. That's the real goal, and something we all need to be working towards to help promote a safe environment, not only for our company data, but for our staff and customers when they use the internet for personal use as well.
Experienced Data Protection, Privacy and Risk Professional
8y
The MOD tried a phishing simulator recently; I think it took around 2 minutes before the first report came in from a particularly switched-on individual. Not sure if the numbers of people that were 'hooked' were made available.
Enterprise Account Manager at Abnormal AI
8y
Great article, Steve, and this certainly sheds light on how phishing tactics have changed over time as data security has become an increasingly relevant topic of discussion for CxOs in all manner of organisations. I agree that continual education and collaboration in promoting a more secure working environment will be key in helping to protect business-sensitive data as cyber-security risks increase through more sophisticated technology and long-term phishing persistence.