A year in review: Phishing, security and culture

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, shines a spotlight on some of the lessons we can take from the last year and highlights how important it is to have a collaborative security department to lay the foundations to get the wider workforce on board with cybersecurity.

With the year coming to a close, it’s the perfect opportunity to review the cybersecurity events that have occurred over the past 12 months and through this lens understand how we can improve our ability to prevent the most common attacks in 2023 and beyond.

2022 was another costly year for cybercrime. Threat actors continued to use multiple avenues of attack, and the average cost of a data breach rose again, from US$4.24 million in 2021 to US$4.35 million in 2022 (IBM's Cost of a Data Breach Report). Organisations across all sectors suffered significant breaches, including recognised names such as the NHS, Medicare, Cash App and the Red Cross. The extortion group Lapsus$ claimed responsibility for a string of intrusions at technology companies including T-Mobile, Okta, Microsoft and Samsung.

Even a national government was brought to a standstill: Costa Rica declared a state of emergency after its Ministry of Finance was hit by a Russian-linked ransomware gang. Geopolitics and the wider tensions across Europe have also played a part in the number of attacks on energy companies and other critical infrastructure providers.

One thing is certain; cybercriminals have no plans to slow down and they’re getting better at targeting the most vulnerable aspect of an organisation’s defence: the workforce.

This year's Verizon Data Breach Investigations Report found that 82% of breaches involved a human element, including social engineering, with phishing remaining the most common social attack. 2022 supplied regular examples. Twilio disclosed a breach after an employee was duped into handing over credentials in a voice phishing (vishing) attack. Dropbox employees were targeted by a phishing campaign that, after one worker fell for it, led to the compromise of 130 of the company's GitHub repositories. And a smishing attack by a self-taught hacker resulted in the compromise of Uber.

Phishing comes in many forms, all designed to steal information, manipulate people or gain access to systems. The rise in successful phishing attacks in 2022 is no surprise, but it also points to a systemic flaw that is not being addressed.

The flaw: humans are curious animals, and that curiosity is an evolutionary reflex that technology cannot switch off. When a letter arrives in the post, we go straight to the door, pick it up, see our name and open it, with little or no idea who the sender is unless a logo is printed on the envelope. That same reflex is what attackers aim to trigger when they send a phishing lure. Sadly, it often works.

2023: The year for security culture

The attacks mentioned above are much like the millions of other phishing attacks hitting organisations and ordinary people every year. Technology alone is not the answer. Within organisations we need a change in culture and psychology, because security awareness extends beyond the technology layer. It begins with how a security department builds its security culture, using three key components: brand, approach and culture.

The brand is how the security department is viewed within the organisation. You don't want it seen as the department of no, or as a barrier to progress. Instead, make sure it explains its reasoning and offers an alternative whenever it has to say no. A collaborative security department lays the foundation for getting the wider workforce on board.

This feeds into the approach, particularly how security professionals interact with the wider workforce. You always want a positive relationship. So, with security awareness training, don't send reams of security policy documentation without warning, and don't berate individuals if or when a malicious link is clicked. Training also needs to be timely: there is little value in telling someone three weeks after the fact that they did the wrong thing. Training delivered in context, close to the event, is far more effective.

Keep the dialogue going, build a healthy, positive relationship and remind people of their shared responsibility to protect themselves and the organisation. Security awareness is built on empathy, education and engagement, and conveying it transparently increases the chance that the message is delivered and understood across the wider workforce.

Brand and approach together shape the organisation's culture, which is more entwined with security than some may believe. Arm someone with the knowledge of what to look for in a phishing email and they can stop an attack before it starts. Do that across the entire workforce and the risk to the company drops dramatically.

Support the culture with processes, assessments and technology that make it easy for the everyday worker to make the right decision at the right time. Regularly testing susceptibility with simulated phishing attacks lets you measure the Phish-Prone Percentage (PPP), the share of users who fall for a simulated phish, which highlights where the weaknesses lie. Take this a step further with real-time security coaching, so that staff receive tips and guidance in the moment, in response to risky behaviours that have been flagged or detected.
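As an added illustration of the measurement described above (example code, not from the article or from KnowBe4), the script below takes simulated phishing campaign results and computes the Phish-Prone Percentage overall, per campaign and per department, along with the report rate and a list of repeat failers who should be prioritised for timely coaching. The sample results are constructed for the example; the definition of a failure as clicking the link or submitting credentials, and the CSV layout, are assumptions of this example rather than anything the article specifies.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample results from two simulated phishing campaigns (not real data).
# Columns: campaign, user, department, outcome
# outcome is one of: ignored, clicked, submitted (entered credentials), reported
SAMPLE_RESULTS = """\
2022-Q1,alice,finance,clicked
2022-Q1,bob,finance,submitted
2022-Q1,carol,engineering,reported
2022-Q1,dave,engineering,ignored
2022-Q1,erin,sales,clicked
2022-Q2,alice,finance,reported
2022-Q2,bob,finance,clicked
2022-Q2,carol,engineering,ignored
2022-Q2,dave,engineering,reported
2022-Q2,erin,sales,clicked
"""

# Assumption for this example: a user "fails" a simulation if they click the
# lure or go on to submit credentials on the landing page.
FAIL_OUTCOMES = {"clicked", "submitted"}


@dataclass(frozen=True)
class Result:
    campaign: str
    user: str
    department: str
    outcome: str


def parse_results(text):
    """Parse the simple CSV layout above into Result records, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        campaign, user, department, outcome = [f.strip() for f in line.split(",")]
        rows.append(Result(campaign, user, department, outcome))
    return rows


def _rate(rows, outcomes, key):
    """Share of delivered simulations (per group) whose outcome is in `outcomes`, as a percentage."""
    delivered = defaultdict(int)
    matched = defaultdict(int)
    for r in rows:
        k = key(r) if key else "all"
        delivered[k] += 1
        if r.outcome in outcomes:
            matched[k] += 1
    return {k: round(100.0 * matched[k] / delivered[k], 1) for k in delivered}


def phish_prone_percentage(rows, key=None):
    """PPP: failures / delivered, optionally grouped (e.g. key=lambda r: r.department)."""
    return _rate(rows, FAIL_OUTCOMES, key)


def report_rate(rows, key=None):
    """Share of recipients who reported the simulation; rising report rates are the culture signal."""
    return _rate(rows, {"reported"}, key)


def repeat_failers(rows, min_failures=2):
    """Users who failed at least `min_failures` simulations: first in line for targeted coaching."""
    counts = defaultdict(int)
    for r in rows:
        if r.outcome in FAIL_OUTCOMES:
            counts[r.user] += 1
    return sorted(u for u, c in counts.items() if c >= min_failures)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    print("PPP overall:", phish_prone_percentage(rows))
    print("PPP per campaign:", phish_prone_percentage(rows, key=lambda r: r.campaign))
    print("PPP per department:", phish_prone_percentage(rows, key=lambda r: r.department))
    print("Report rate per campaign:", report_rate(rows, key=lambda r: r.campaign))
    print("Repeat failers:", repeat_failers(rows))
```

Tracking PPP per campaign shows whether the trend is moving the right way, while the per-department view and the repeat-failer list tell you where to spend coaching time first; the report rate is worth watching alongside PPP, since a workforce that reports lures it does not click is the culture the article is describing.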

Over time, security champions will emerge, and these individuals become the examples for others to follow. Keep encouraging them, use positive reinforcement and reward those who excel. When the workforce takes pride and care in security, awareness and culture reinforce each other, giving the business a solid platform for its long-term future.

With social engineering attacks growing, people and organisations are being manipulated and duped daily, yet enterprises spend less than 3% of the security budget on securing the human layer. The worst part is that many of the attacks we see are avoidable, because all they require is people with a better grasp of security. I can only hope that 2023 brings improvements in security culture, and I am optimistic, especially as more content and services become available to help deliver security awareness.

Intelligent CISO