By Jason Lamar, Sr. Director, Product Management, Security Business Group, Cisco
What’s at the top of the food chain when it comes to security breaches? People. And, no amount of security awareness training can completely protect an organization against a phishing attack. Even the most security-conscious end user can accidentally click on a suspicious link by accident.
In fact, you might have made this mistake yourself. According to Verizon, U.S. end users open 30 percent of phishing emails, and 12 percent of users click on infected links or attachments. These users aren’t necessarily ignorant or even careless; the reality is that there are a lot of criminals, and a lot of them are very good at what they do.
In our automated world, one bad click can lead to data loss in just moments. And data is everywhere; even small businesses have access to data belonging to their enterprise customers. But even though enterprises subject their vendors’ security practices to due diligence, they have no way to ensure those vendors are maintaining a culture of security. The vendors’ end users make up an attack surface that is hard, or even impossible, to quantify or control.
How can an enterprise defend its assets when data is ubiquitous and the people with access to it are unknown? Should security professionals simply accept that there’s a certain level of foolishness out there, and we just have to live with that?
No. We don’t have to live with that. If people are as important to security as we say they are, there are steps we can take to secure our data against phishing attacks and inside threats.
There’s a person at that endpoint
When security professionals think about securing their end users, they may make the mistake of thinking only of their own organization’s end users. But in a business environment that is increasingly connected and in which data is shared via automation and APIs, many outsiders come in contact with an enterprise’s data. So even if your enterprise has successfully implemented a culture of security, you are at risk if your vendors have not been as rigorous as you. In a world where everyone collaborates and information flows freely, so does malware.
How frustrating. You can invest a ton of time and money into creating a security-conscious workforce, only to have it all tumble down when some savvy hacker figures out they can easily breach your mom-and-pop supplier in order to get access to your corporate secrets. At the end of the day, you’re only as strong as the weakest link in your supply chain.
You may not know if your vendors are really conducting regular security awareness training. You may not know if they’re running phishing drills. You may not know how many of their end users are writing down passwords on sticky notes and sharing passwords with lesser-privileged coworkers. These things are all out of your control. But you don’t have to be at the mercy of others. You can incorporate tools into your own environment that will prevent end users, whether your own or your vendors’, from making that fatal click in the first place.
Flip your mindset from protecting assets to protecting people
More security awareness training isn’t the answer if you are already doing it. Instead, users need to be set up for success by security professionals who understand that we can’t train away human fallibility.
The single most important tool an organization can provide to keep its users out of trouble is multi-factor authentication (MFA). MFA not only prevents users from sharing passwords (and therefore, privileges), but also prevents attackers from using any ill-gotten credentials. We know it works; take Google, for example, which has completely eliminated phishing attacks against its 85,000 employees since it began requiring everyone to use a physical token to log on to its corporate systems.
Google’s approach might be hard for smaller organizations to handle, since physical tokens incur costs associated with acquisition and management. The use of mobile applications or one-time passcodes sent via SMS is more common, less costly, and easier to manage. There are other options emerging as well. Adaptive authentication requires additional authentication steps for some users and some assets, and biometric authentication relies on inherent user traits, such as typing habits, to validate a user’s identity.
Emory University, in another example, saw a 96 percent decline in compromised accounts and a 92 percent reduction in the number of phishing domains it has needed to block after adopting MFA.
We can expect to see more creative solutions like these as security experts continue to seek ways to solve the people problem. Security professionals embedded in enterprises should be actively pushing their organizations to give some of them a try.
No protection is perfect, so plan for the inevitable
You can delay the inevitable by training employees not to click on suspicious links and teaching them to tell real emails from fake ones. But you also have to plan for the inevitable because, sooner or later, someone is going to click on a bad link. How much damage that bad link can cause will depend on your level of preparation. Broadly, the two most important things you can do to prepare against phishing attacks are:
· Enforce proper security controls. Make sure you have proper security controls in place, such as least-privileged access, role-based access, and network segmentation. Extend those controls to anyone who works with your data, even if they are outside your organization.
· Deploy MFA. The vast majority of breaches involve stolen credentials, but those credentials are useless to attackers when MFA is in use. MFA is not a costly solution, nor is it difficult to implement. There is simply no reason not to deploy multi-factor authentication, particularly if your organization is handling sensitive data or data that belongs to others.
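As an added illustration of the adaptive authentication idea above and of extending controls to outsiders (this is example code, not from the article or from Cisco): a small policy that picks the minimum second-factor strength from the asset’s sensitivity, whether the device is new, and whether the account belongs to a vendor. The asset names, sensitivity tiers and factor ranking are assumptions.

```python
"""Adaptive (risk-based) authentication policy: decide which second factor a
login must present before it reaches an asset. Tiers and names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sensitivity tiers, 0 = public .. 3 = most sensitive
ASSET_SENSITIVITY = {"public-docs": 0, "ticketing": 1, "customer-data": 2, "finance": 3}

# Constructed ranking of second factors: SMS codes are weakest, hardware tokens strongest
MFA_STRENGTH = {None: 0, "sms": 1, "app": 2, "token": 3}


@dataclass
class LoginContext:
    user: str
    is_external_vendor: bool        # supplier or contractor account, not staff
    asset: str                      # resource being requested
    mfa_method_used: Optional[str]  # None, "sms", "app" or "token"
    new_device: bool                # device never seen for this user before


def required_strength(ctx: LoginContext) -> int:
    """Minimum MFA strength (0..3) this login must present."""
    level = ASSET_SENSITIVITY.get(ctx.asset, 3)  # unknown assets are treated as most sensitive
    need = 0
    if level >= 1:
        need = 1                    # any second factor for internal tools
    if level >= 2 or ctx.new_device:
        need = 2                    # app-based OTP for customer data or an unfamiliar device
    if level >= 3:
        need = 3                    # hardware token for finance
    if ctx.is_external_vendor and level >= 1:
        need = max(need, 2)         # vendors get no SMS-only access beyond public docs
    return need


def evaluate(ctx: LoginContext) -> dict:
    """Return the decision plus the strengths so the gap can be logged or shown to the user."""
    need = required_strength(ctx)
    have = MFA_STRENGTH.get(ctx.mfa_method_used, 0)
    return {"allow": have >= need, "required": need, "presented": have}
```

Feeding the same policy to an access log lets you see which partner accounts would have been blocked at step-up rather than at a password prompt.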
Your business is part of the data economy. You are not only responsible for protecting your own assets, you’re responsible for protecting your partners. Train your users, set up controls and tools to help them make good decisions, and, above all, have a plan to limit damage when the inevitable occurs.