The FBI found that business email compromises (BECs) last year cost organizations nearly $2.4 billion. Phishing and its variants were the most prolific cybercrime type, resulting in almost 324,000 reports. These phishing incidents and BECs both have one characteristic in common: a focus on employees, the point at which corporate cybersecurity becomes most exposed.
Threat actors will continue to target users because they view them as the weakest link. But with the right communication and training, users can help improve an organization’s overall cybersecurity posture. As we navigate the era of hybrid work, there’s a growing burden on employees to discern the legitimate from the malicious. As the attack surface expands and threats become more sophisticated, there’s a risk that organizations aren’t providing the necessary security training and support for their employees.
Home workers under attack
Home work has become the norm. However, it comes with additional risk. Our research shows that around half of IT decision makers had seen evidence of compromised personal devices being used to access company data over the previous year. The bad guys have ramped up social engineering attacks to take advantage, with more than half (54%) of IT leaders reporting a spike in phishing.
In addressing these trends, we need to inspire, educate, and mobilize employees so they understand the significant role they play in defending the business. Instead, research shows that many younger (18-24-years-old) staff feel restricted by security policy and almost a third (31%) have tried to circumvent it. Making matters worse, when the workforce shifted to homeworking, almost two thirds of workers (64%) were given no additional training on how to protect home networks.
This comes at a time when cybercriminals are working hard to find new ways to trick users. Attackers now use automation to include corporate logos and email signatures in phishing emails, making them appear more realistic and harder to spot. There’s also many extended supply chain vendors working with a typical organization, which makes it harder for employees to remember which outsourcer is being used by their company for which task.
Domains used in attacks are often typo-squatted (i.e. registering domain names that are a slight variation of a particular brand) to appear more convincing. And the introduction of internationalized domains (IDNs) has opened up even more opportunity for trickery, with characters that at first glance appear legitimate but are actually substituted from non-Latin alphabets. That can make it relatively easy to register a highly convincing phishing domain.
Then there are even more sophisticated techniques, such as thread-hijacking. Here, user inboxes are hijacked via phishing attacks, and threat actors use automation scripts to sift through existing conversations in the victim’s email account to identify privileged users. From here, they might take a legitimate document, for example an invoice or an Excel budget tracker, add malware to it and resend it. They could also use this technique to target executives and systems administrators that have sent messages and reply to their emails with malicious content.
A new focus on employee engagement
It’s extremely challenging for a user to spot a phishing email this well disguised, so a security teams need dual approach of comprehensive training alongside state-of-the-art security hardware and software that can prevent, detect, and recover from attacks. A fresh look at employee engagement is required.
Start by opening up two-way communication. IT must listen to users about their challenges, but also explain why certain training or security policies are needed. If employees understand the why, it will help build a collaborative partnership and embed security into an organizations DNA. Everyone will start to take accountability, not just IT.
Comprehensive security education and awareness training programs are a must. First, teach employees what to look out for and how to identify suspicious emails. Show them how to go beyond looking at the name of who has sent an email, and instead at the domain name for the email address. Educate them on domain name structure, and how to read them from right to left to identify inconsistencies. In addition, teach the staff how to spot typos in domain names and URLs.
But with the rise in thread-hijacking, users also need to stay mindful of content from trusted sources. When they get an email from someone internally, or from an external company they have been working with, they need to consider whether it’s a message they expected to receive. Is the email relevant in the context of the email chain? Are email attachments opening as blank or not appearing as expected? If so, then something could be amiss.
Phishing simulations used in training should also reflect this, using current campaigns and social engineering techniques from the real-world to show users why it’s tough to spot attacks. Training should also guide users on what to do post-click, explaining how and who to report incidents to and not to be afraid to do so; of office workers that clicked or nearly clicked on malicious content, 70% didn’t report it to IT. Without notifying IT, there’s a far greater risk of damage being done.
Organizations should provide third-party vendors with official corporate emails to make it easier for employees to know if a vendor is legitimate or not. Combine this with effective deployment of DMARC protocols to authenticate emails and fight BEC.
Education must also work hand-in-hand with endpoint security. Thread-hijacking techniques are often very difficult for even well-trained users to detect. And that’s why endpoint security technologies such as micro-virtualization can help. Based around the zero-trust principle of strong isolation, micro-virtualization ensures risky tasks—like clicking on links or opening malicious attachments—are executed in a disposable virtual-machine separated from the underlying systems. This traps the attackers, ensuring they cannot access sensitive data.
Like workplace health and safety, cybersecurity needs to function as a collective responsibility. Everyone needs to play their part. This means providing up-to-date cybersecurity training and adopting layered endpoint defenses. In the era of hybrid work, nothing less will do.
Ian Pratt, global head of security, HP