Tuesday, October 22, 2013

Working Together: Technology and Education Necessary to Prevent Phishing

I've been in the education business for a long time. I was a public school teacher first, and spent a good deal of effort educating middle school and high school students. Then, years ago, I made a career shift into the information security business and have since spent my time teaching employees how to avoid opening their businesses up to the threat of social engineering, phishing, and pretexting.

In both cases, education is necessary for success, and I'm always interested in the ongoing argument in the information security world: Tech or Teaching? Recently, Robert Lemos asked the same question on Dark Reading. Here are some takeaway points from that article.

1) Social Engineering is Real.

According to Lemos, "the arguably more serious espionage attacks aimed at robbing companies of their intellectual property, however, have a slightly different triumvirate of threats, dropping the physical theft of hardware in favor of socially engineering the human side of the business."

This goes in line with what we've been saying at Sight Training all along: social engineering is the path of least resistance, so all serious hackers are going to use it.

2) Education Can Improve Phishing Statistics.

Lemos reports that "with regular phishing-awareness campaigns, companies have generally reduced the success of the attacks to the single-digit percentiles, according to ThreatSim." Stopping a spear-phishing email from reaching an employee can be nearly impossible. Spam filters and firewalls only go so far, and spammers always find a way around the technology. So, if companies aren't preparing their employees with great awareness and protecting them with great policies, then employees will be hooked.

3) A Layered Approach to Security is Best.

Again, according to Lemos: "Security is not about zero percent risk. I don't think there is a security control out there that guarantees anyone to have a zero percent chance of compromise. But by focusing on your biggest risks, and using defense in depth, you can have the most impact."

Companies will NEVER find a way to eliminate risk entirely. No system or cutting-edge technology can do that, as long as humans with ever-changing tactics and strategies are perpetrating cybercrime. Thus, every company must give focus to the areas that have the greatest impact, layering technology and education. The most effective way to handle phishing is to filter out as much as you can, but also to prepare your employees to handle whatever slips through with well-defined policies and rock-solid, ongoing awareness efforts.
