Modern field guide to security and privacy

The race to outsmart corporate phishing attacks

Companies are constantly seeking new – and expensive – ways to protect against criminal hackers. But even the most advanced software can't keep unwitting employees from endangering corporate networks.


The onslaught of high-profile breaches over the past year at companies such as JP Morgan, Home Depot, and Sony Pictures has forced businesses to spend far more money to protect themselves online.

However, there's one major challenge to companies' cybersecurity besides the criminal hackers targeting them: their employees.

No matter how much money companies spend – or what kind of new and advanced technology they implement – they continue to struggle to prevent employees from falling for scams that could leave the door wide open for bad actors to steal customer information, hold critical company information for ransom, or even destroy files. 

"The weakest link is people not knowing whether data are critical or intellectual property, or understanding what a suspicious e-mail is," says Steve Rocco, global cybersecurity specialist at MSA Safety, a safety equipment provider.

The recently discovered Dyre Wolf campaign – a series of cyberattacks that stole more than $1 million from a handful of companies – highlights the importance of employee vigilance.

Dyre Wolf used malware, but its success relied on the attackers' ability to pull off an old-fashioned scam. The malicious software was delivered to computers through bogus e-mails sent to company employees. When employees opened the e-mails and clicked the attachments, they inadvertently installed a program called Dyre onto their computers.

The program then recognized when users visited bank websites. At that point, Dyre delivered an on-screen prompt indicating the bank site was down and that the user should call the bank directly. When the user called the phone number provided, an English-speaking member of the criminal hacking group took the credit card information. 

The scam has been repeated thousands of times, according to the IBM researchers who discovered it. What's more, it's hardly the only cyberattack of its kind that involves tricking unsuspecting users. In fact, according to IBM, some 95 percent of all attacks involve human error.

But so far, even with all the advances in cybersecurity technology, there's no consensus on how companies can best protect themselves against phishing and social engineering campaigns. 

While some security experts say companies must train employees to spot scams and react responsibly, others say only new technologies can protect organizations from the human errors that leave them susceptible to breaches.

Wombat Security Technologies, a company founded by a group of phishing researchers at Carnegie Mellon University, is in the first camp. It provides software that trains employees to be more aware of their actions and to spot which e-mails could be part of a phishing attack, since, the company says, this kind of attack often targets individuals who are not tech savvy.

“A lot of social engineering tactics can’t be identified by technology," says Amy Baker, vice president of marketing for Wombat. "This starts with con artists. There is no technology that can prevent that. People need to learn to identify red flags." 

In order to get people to start paying attention to the warning signs, Wombat uses a simple scare tactic: mock attacks.

Simulated attacks convince employees they've fallen prey to a phishing attack. After clicking a link in an e-mail that appears to come from a client or colleague, an employee is confronted with a message saying the company's sensitive data is at risk. The attacks are meant to shock employees into realizing how vulnerable they really are to social engineering.
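To make the mechanics concrete, here is an added example of how a simulation campaign can hand each employee an unguessable link and turn the resulting clicks and "report this" actions into per-department rates. It is illustrative code written for this page, not Wombat's product; the campaign secret, the landing host, the employee list and the "invoice" lure path are assumptions.

```python
"""Phishing-simulation tracking. Illustrative code; not a vendor's product."""
import hmac
import hashlib
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Assumed for the example: a secret held only by the security team and the
# host the lure links point at.
CAMPAIGN_SECRET = b"campaign-secret-replace-me"
LANDING_HOST = "https://training.example.com"


def make_token(secret: bytes, campaign_id: str, employee_id: str) -> str:
    """Per-recipient token: an HMAC over (campaign, employee), so tokens cannot
    be guessed or enumerated and one employee cannot replay another's link."""
    msg = f"{campaign_id}:{employee_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


class Campaign:
    def __init__(self, campaign_id: str, recipients: dict, secret: bytes = CAMPAIGN_SECRET):
        """recipients maps employee_id -> department."""
        self.campaign_id = campaign_id
        self.recipients = dict(recipients)
        self.secret = secret
        # token -> employee_id, built once from the recipient list
        self._by_token = {make_token(secret, campaign_id, e): e for e in recipients}
        self.events = defaultdict(set)  # employee_id -> {"clicked", "reported"}

    def lure_link(self, employee_id: str) -> str:
        """The link embedded in one employee's simulated e-mail."""
        return f"{LANDING_HOST}/invoice?t={make_token(self.secret, self.campaign_id, employee_id)}"

    def _lookup(self, token: str):
        # Constant-time comparison against each known token: a forged token
        # must not leak, via timing, how much of a real one it matched.
        if not token.isascii():
            return None
        for known, employee in self._by_token.items():
            if hmac.compare_digest(known, token):
                return employee
        return None

    def record(self, url: str, action: str = "clicked") -> bool:
        """Record a landing-page hit ("clicked") or a report-button hit
        ("reported"). Returns False for unknown or forged tokens, including
        tokens minted for a different campaign."""
        if action not in ("clicked", "reported"):
            raise ValueError(action)
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        employee = self._lookup(token)
        if employee is None:
            return False
        self.events[employee].add(action)
        return True

    def summary(self) -> dict:
        """Click and report rates per department, the numbers a training
        programme would trend across successive campaigns."""
        totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
        for employee, dept in self.recipients.items():
            totals[dept]["sent"] += 1
            for action in self.events.get(employee, ()):
                totals[dept][action] += 1
        return {
            dept: {
                "click_rate": round(c["clicked"] / c["sent"], 2),
                "report_rate": round(c["reported"] / c["sent"], 2),
            }
            for dept, c in totals.items()
        }
```

The report rate matters as much as the click rate: a programme that only counts clicks never learns whether employees are doing the one thing that actually helps the security team, which is telling it about the e-mail.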

“It can be difficult to find a technology that works against every attack. While malware technologies and cyberattack strategies may change and innovate, the basic human errors that leave a company vulnerable are often the same,” Ms. Baker says.

The company boasts a 46 percent reduction in malware infections among clients. 

The reason, says Mr. Rocco, who is also a Wombat Security client, is that "the weakest link [in security] is people not knowing whether data is critical or intellectual property, or understanding what a suspicious e-mail is."

Despite Wombat’s success, however, some experts say it is almost impossible to train people to identify every single phishing e-mail – especially if the e-mail has been crafted specifically to trick that person.

“If you want to attack somebody it is fairly easy to go to LinkedIn, find out who they are connected with, get to know who they know, and then refer to that person. So it’s about getting a bit of information that an outsider wouldn’t have. That can get people to click on things,” says Phil Lieberman of Lieberman Software, a cybersecurity company.
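Some of the red flags Ms. Baker wants people to learn, and some of the tricks Mr. Lieberman describes, can be checked mechanically before a message reaches the inbox. The following is an added example, not from the article or any vendor, that runs a few such checks over a constructed message of the kind described above: a display name that borrows a trusted brand while the address domain is a lookalike, a Reply-To pointing elsewhere, urgency language, a link whose visible text names one domain while its href goes to another, and an archive attachment of the sort that delivered Dyre. The two sample messages and the trusted-domain list are constructed for the example; a real deployment would use the Public Suffix List rather than the crude two-label domain check.

```python
"""Red-flag checks for a suspicious e-mail. Illustrative; samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"acme.com"}  # assumed: the organisation's own domain(s)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm")
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|verify|suspended)\b", re.I)


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); a real tool would use the PSL."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain shown as anchor text, else ''."""
    if not re.search(r"\w\.\w", text):
        return ""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: str, trusted=TRUSTED):
    """Return a list of (code, detail) red flags for one RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    def flag(code, detail):
        if (code, detail) not in flags:
            flags.append((code, detail))

    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    for dom in trusted:  # brand in the display name, address domain elsewhere
        if dom.split(".")[0] in display.lower() and registrable(from_dom) != dom:
            flag("sender-mismatch", f"'{display}' sent from {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_dom:
        flag("reply-to-mismatch", reply)

    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            flag("risky-attachment", name)
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        m = URGENCY.search(body)
        if m:
            flag("urgency", m.group(0))
        if ctype == "text/html":
            p = _Links()
            p.feed(body)
            for href, text in p.links:
                href_host, text_host = urlparse(href).hostname or "", host_of(text)
                if text_host and registrable(text_host) != registrable(href_host):
                    flag("link-text-mismatch", f"'{text}' -> {href}")
                if href_host and registrable(href_host) not in trusted:
                    flag("untrusted-link", href)
    return flags


# Constructed sample: lookalike sender, foreign Reply-To, urgency, deceptive link, zip lure.
SAMPLE_PHISH = """From: "Acme Payroll" <payroll@acme-payrol1.com>
Reply-To: billing@mail-secure-login.net
To: alice@acme.com
Subject: URGENT: invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Hi Alice, as discussed with Bob from finance, please verify the attached
invoice <b>immediately</b>. Log in at <a href="http://acme-payrol1.com/login">https://acme.com/login</a>.</p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign sample: internal sender, plain text, no lure.
SAMPLE_BENIGN = """From: "Bob Smith" <bob@acme.com>
To: alice@acme.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Noon at the usual place? Menu: https://acme.com/cafeteria
"""
```

None of these checks would catch the e-mail Mr. Lieberman describes if the attacker sends it from a freshly registered domain with a plain-text body and no attachment, which is the point of his argument: the checks raise the cost of the easy cases, and the hard cases still need both trained people and systems that assume a click will eventually happen.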

Since they know their employees will make mistakes, the savviest companies are building systems that can survive cyberattacks, Mr. Lieberman points out. One example, he says, is a rule that “anything sensitive needs to go through a proxy that monitors the traffic."

Yet regardless of which technology a company chooses, Mr. Lieberman says he is convinced that training employees is not enough. “Statistics say people make mistakes," he says. "You need to make fundamental changes in the way the company operates.”

https://www.csmonitor.com/World/Passcode/2015/0605/The-race-to-outsmart-corporate-phishing-attacks