Andrew Rose, CSO at SoSafe, discusses the proactive measures IT leaders can take to prevent phishing attacks on their organisations.
What proactive measures do you recommend for CIOs to prevent phishing attacks on their organisations?
Phishing is still among the top cyberthreats faced by businesses. SoSafe’s Human Risk Review 2023 tells us that 61% of security professionals admit that their company has been a target via email – and I think most feel that’s a low estimate of the reality.
And these attacks are no longer simple lures. Criminals use psychological tactics to draw in victims, influence their behaviour and create unwitting accomplices.
These sophisticated phishing tactics are designed to circumvent technical protection measures, taking advantage of the human factor through emotional manipulation and social engineering. While strong technical security measures are essential, they are no longer enough. Your users have become your primary attack surface so leaving them unprotected is unthinkable. Security leaders need to step up and manage human risk holistically – but they need solutions that help them to proactively identify, quantify, manage and reduce human risks.
Security awareness training and human risk management, based on behavioural science principles, is therefore critical. Training of this kind goes beyond transferring knowledge and instead considers human behaviour in its entirety, including motivational factors, attitudes, context, emotional responses and even cultural influences. It focuses on changing behaviour through positive reinforcement and personalised learning. Multi-channel approaches can also help employees learn through gamification, microlearning, continuous and spaced repetition and storytelling, boosting user engagement and ultimately instilling real behavioural change.
At the same time, security leaders should quantify behaviours and derive an insightful human security or risk score, making it easy to track risk and progress and to decide on necessary interventions, both automated and manual, so as to support their proactive security strategy. The ultimate goal is not just to tick a compliance box, but to help guide employees to consistently embrace secure behaviour as part of a broader security culture.
Could you elaborate on the role of employee training and awareness in mitigating the risk of phishing attacks?
Technological protection is indispensable – but it is your people who make the real difference when it comes to risk mitigation.
Up to 25% of phishing emails bypass security filters. Attackers are using more sophisticated and subtle techniques – many now come with no URL, attachment or QR code, hampering automatic detection filters. They are also using different channels to get their content past email filters – we are seeing an increase in smishing, instant messaging and social media attacks. The pace of innovation in cybercrime is intense, and hackers are constantly proving that they can find new ways to infiltrate our systems despite technological defences.
That’s why it’s so important to invest in your people: with strong security instincts, they can respond to all these threats. A strong human layer can respond to ransomware infections, for example, but also to classic business email compromises or scams – and across business and personal domains. For example, we can teach people how to be more secure on social media, but an employer cannot technically secure social media profiles.
Therefore, employee training and awareness is essential. But it’s important to empower your employees to deal with this ever-changing threat landscape. It is not just about whether they click on phishing emails or not – it is also about whether they identify and report changing threats; whether they report, without feeling embarrassed, when they have engaged in unsafe behaviour so that the damage can be mitigated; whether they see it as part of their responsibility to protect their organisation from digital threats – or whether they put all the pressure on (already overstretched) security teams.
For me, investing in the human layer of cybersecurity is a truly versatile and powerful part of your cybersecurity strategy. It should always be prioritised.
From a CIO’s perspective, what technological solutions or tools are effective in detecting and thwarting phishing attempts?
From a CIO’s perspective, several technological solutions and tools are effective in detecting and thwarting phishing attempts. Key tools include advanced email filtering, which scans and blocks suspicious emails before they reach users; anti-phishing toolbars, which alert users to potential phishing sites; multi-factor authentication (MFA), which adds an extra layer of security to prevent unauthorised access; endpoint protection, which secures devices from malicious attacks; and email authentication protocols like DMARC, which help verify the legitimacy of email senders.
However, it’s crucial to recognise that none of these tools are foolproof. Phishing tactics are continually evolving, and some attacks will inevitably bypass even the most advanced defences. Therefore, investing in a strong human layer is essential to sustainably mitigate cyber-risks.
How do you suggest incorporating multi-factor authentication (MFA) into security frameworks to enhance protection against phishing?
Incorporating multi-factor authentication (MFA) into security frameworks is critical to improving protection against phishing. MFA requires users to provide two or more verification factors to access a resource such as an online account, workstation or database, significantly reducing the risk of unauthorised access even if phishing attempts capture one form of user credentials.
However, in 2022 we saw the arrival of ‘MFA bombing’. This is an excellent example of cybercriminals finding ways around technological defences by attacking the human layer. In the Uber hack, the attackers flooded employees with MFA requests until they got annoyed and gave up access out of frustration. Attackers have also invested in research to bypass MFA in more technical ways, such as using person-in-the-middle attacks to capture and replace MFA codes.
While MFA is an essential component of any security framework, it should not be considered a ‘silver bullet’. To increase its effectiveness, MFA should be integrated into a broader security strategy that includes educating employees about potential MFA-related attacks and encouraging them to remain vigilant.
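The ‘MFA bombing’ pattern described above has a recognisable footprint in identity-provider logs: a burst of push prompts for one account, most of them denied or timed out, sometimes ending in an approval. The following is an added example of detection logic for that footprint; it is not code from SoSafe or from the interview. The log format (`user=… event=mfa_push result=… src=…`) is a constructed stand-in for whatever your identity provider emits, and the window and prompt-count thresholds are assumptions to tune against your own baseline.

```python
"""Detect MFA-fatigue ('MFA bombing') bursts in authentication logs.

Heuristic: a user who receives many push prompts in a short window, most of
them denied or timed out, is probably being bombarded. An approval at the end
of such a burst is the 'gave up out of frustration' outcome worth paging on.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format (not from any real IdP).
SAMPLE_LOG = """\
2024-05-01T08:00:03Z user=alice event=mfa_push result=approved src=203.0.113.10
2024-05-01T22:14:01Z user=bob event=mfa_push result=denied src=198.51.100.7
2024-05-01T22:14:09Z user=bob event=mfa_push result=timeout src=198.51.100.7
2024-05-01T22:14:20Z user=bob event=mfa_push result=denied src=198.51.100.7
2024-05-01T22:14:31Z user=bob event=mfa_push result=timeout src=198.51.100.7
2024-05-01T22:14:45Z user=bob event=mfa_push result=denied src=198.51.100.7
2024-05-01T22:15:02Z user=bob event=mfa_push result=approved src=198.51.100.7
2024-05-01T22:15:30Z user=carol event=mfa_push result=approved src=192.0.2.44
2024-05-01T23:40:00Z user=carol event=mfa_push result=denied src=192.0.2.44
2024-05-01T08:05:00Z user=alice event=password_login result=success src=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return MFA push events as (timestamp, user, result, src) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "mfa_push":
            continue  # skip malformed lines and non-push events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return sorted(events)


def detect_mfa_fatigue(text, window=timedelta(minutes=5), min_prompts=4):
    """Flag users who receive >= min_prompts push prompts inside any sliding window.

    Returns {user: {"prompts", "rejected", "approved_after_burst",
                    "window_start", "window_end"}} for the largest burst per user.
    """
    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev[1]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the burst fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < min_prompts:
                continue
            rejected = sum(1 for e in burst if e[2] in ("denied", "timeout"))
            prev = alerts.get(user)
            if prev is None or len(burst) > prev["prompts"]:
                alerts[user] = {
                    "prompts": len(burst),
                    "rejected": rejected,
                    # The high-severity case: the user finally approved after a run of rejections.
                    "approved_after_burst": burst[-1][2] == "approved"
                    and rejected >= min_prompts - 1,
                    "window_start": burst[0][0].isoformat(),
                    "window_end": burst[-1][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_LOG).items():
        severity = "HIGH" if info["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {user}: {info['prompts']} prompts, "
              f"{info['rejected']} rejected, {info['window_start']}..{info['window_end']}")
```

In the constructed sample only `bob` trips the rule: six prompts in about a minute, five rejected, then an approval. A single late-night denial for `carol` stays below the threshold, which is the point of counting per window rather than alerting on every rejected prompt. Pairing an alert like this with an automatic session revocation and a non-judgemental follow-up with the user covers both the technical and the human side of the attack.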
Considering the evolving nature of phishing tactics, what strategies do you advise for staying ahead of emerging threats?
Organisations need to understand the importance of a security culture. I have already talked about the need to go beyond knowledge transfer and instead focus on empowering people to change their behaviour into secure habits. But all of this needs to be supported by an organisational culture that makes cybersecurity a top priority and a shared responsibility.
Cybersecurity, the emerging threats, the latest hacks and what we learn from them should be a constant topic of conversation – not just for IT and security teams, but for all departments. Leaders must encourage conversations about security, be role models for secure behaviour and training, and create structures and processes that empower employees to practice secure behaviour.
We can’t solve the current cyberthreat landscape by just talking about cybersecurity from time to time. Cybercrime is a highly professionalised industry and cyberattacks are the biggest business risk of our time. We need to engage our people to mitigate these risks, so we need to build security cultures that empower them to do so.
In your experience, what are the key indicators or red flags that CIOs should monitor to identify potential phishing incidents before they escalate?
Every organisation needs content filtering to remove the deluge of spam before it hits inboxes or instant message channels. Filters on average catch 75% of incoming communication threats, removing them to keep time-wasting and malicious content away from staff. The content filter will do most of the heavy lifting in keeping the threats away from employees.
The next layer of control, the human layer, will receive any malicious emails or messages that do get through. It’s increasingly difficult for employees to rely on traditional red flags such as misspellings, poor grammar, untrusted links or unexpected senders, as criminals use improved technology (including AI) to make their communications believable and convincing.
Therefore, users must also look at the sentiment of the communication and use it as an indicator. For example, is the communication pushing for an urgent response? Does it try to trigger you emotionally? Does it suggest that you operate outside an agreed process? These can be key triggers that should alert a user that something is wrong. Highly aware people are able to control their natural emotional response, take a step back and engage their critical thinking. By investing in this, your employees and their reporting behaviour can also become a strong key indicator of potential phishing incidents.
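The three sentiment questions above (is it urgent, is it emotional, does it ask you to step outside an agreed process) can also be turned into a first-pass triage aid for a reporting mailbox, so that analysts see which cues a reported message leans on. The block below is an added example of that scoring, not SoSafe’s or the author’s own tooling; the cue lexicon, the category weighting and the three sample messages are all constructed for illustration and would need tuning to an organisation’s own language and processes.

```python
"""Score a message for the manipulation cues a phishing-aware reader looks for:
urgency, emotional pressure and requests to bypass an agreed process.

This complements header, URL and attachment checks; it does not replace them.
"""
import re

# Hypothetical cue lexicon, constructed for this example. Each entry is a regex.
CUES = {
    "urgency": [
        r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b", r"\bASAP\b",
        r"\bdeadline\b", r"\btoday\b", r"\bwithin the (next )?\d+ (minutes|hours)\b",
    ],
    "emotion": [
        r"\bsuspended\b", r"\bterminated\b", r"\bdisciplinary\b", r"\blegal action\b",
        r"\bdisappointed\b", r"\bcongratulations\b", r"\byou(’|')ve won\b", r"\bconfidential\b",
    ],
    "process_bypass": [
        r"\bdon(’|')t (tell|involve|cc)\b", r"\bkeep this between us\b",
        r"\bskip (the )?(usual|normal) (process|approval)\b",
        r"\bwithout (the )?(purchase order|PO|approval)\b",
        r"\bgift cards?\b", r"\bchange (the )?(bank|account) details\b",
        r"\bI(’|')m in a meeting\b",
    ],
}


def score_message(text, threshold=3):
    """Return per-category cue counts, a total score and a suspicious flag.

    Cues spread across two or more categories earn a bonus, because urgency
    alone is common in legitimate mail while urgency plus a request to skip
    process is the classic social-engineering shape.
    """
    hits = {}
    for category, patterns in CUES.items():
        matched = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if matched:
            hits[category] = len(matched)
    score = sum(hits.values())
    if len(hits) >= 2:
        score += 2
    return {"score": score, "categories": hits, "suspicious": score >= threshold}


# Constructed sample messages (not real reported mail).
MSG_PRESSURE = (
    "Hi, I'm in a meeting and can't talk. I need you to buy gift cards for a client "
    "today, it's urgent. Keep this between us and don't involve finance, I'll sort "
    "the PO later."
)
MSG_REMINDER = (
    "Reminder: the VPN certificate rotates today. Please reconnect after the update; "
    "nothing else is required."
)
MSG_BENIGN = (
    "Hi team, the quarterly security awareness module is now available in the "
    "learning portal. Please complete it by the end of the month and reach out to "
    "the helpdesk with any questions."
)


if __name__ == "__main__":
    for label, msg in [("pressure", MSG_PRESSURE), ("reminder", MSG_REMINDER), ("benign", MSG_BENIGN)]:
        result = score_message(msg)
        print(f"{label:9s} score={result['score']:2d} suspicious={result['suspicious']} "
              f"cues={result['categories']}")
```

On the constructed samples, the pressure message scores on urgency and process-bypass cues together and is flagged, the certificate reminder carries a single urgency cue and is not, and the training announcement scores zero. That spread is the behaviour you want from a triage aid: it surfaces the combination of cues rather than penalising every message that mentions a deadline, and it gives the analyst the matched categories to explain the verdict back to the reporting employee.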