While figures vary across industry and government as to the size of the “phishing-prone” population in any organization, both sides agree that sustained internal employee training efforts are necessary to cut the success rate of spear-phishing exploits down to more manageable levels.
Cybersecurity exploit tactics tend to wax and wane over time, and as white-hat technology catches up with vulnerabilities, the profitability of certain attack methods declines. But spear phishing – which at its heart relies on tricking an unwary message recipient into clicking on content that then downloads malware and provides an attack path deeper into a network – appears to be standing the test of time.
A whopping 71.4 percent of targeted cyberattacks involve the use of spear phishing emails, according to a 2018 internet security report by software company Symantec. The report found that spear phishing is “by far” the most popular infection vector. Further, the Infosec Institute tracks spear phishing back nearly a decade, which shows it rising to popularity with the 2011 attack at security organization RSA.
Technology stories – once the outer layers have been stripped away – often become human stories. And the enduring vulnerability of human beings remains the sweet spot for phishing attacks.
Sizing the Problem
The size of the population thought to be most vulnerable to phishing exploits is a matter of differing opinion, sometimes divided between the assessments of organizations trying to defend their networks versus those of firms trying to sell services to aid in that defense.
On the industry side, security training company KnowBe4 reports that the population of phishing-prone employees hovers between 30 and 35 percent. With training and awareness, organizations are usually able to cut this number in half, the firm maintains.
At the U.S. Department of Education (Education), agency CISO Steven Hernandez told MeriTalk that the phishing-prone population of the organization is between just 3 and 5 percent of employees – even amid a service provider transition.
“We spend a lot of money building layers of defense from the inside out to protect our organization, and the challenge is if the spear phisher can get an email past all that to the end user and compromise that end point…it gives them a foothold into the organization,” Hernandez said.
Training for Defense
Rosa Smothers, Senior Vice President of Cyber Operations at KnowBe4, explained that frequency, duration, and quality are the most important aspects of security-awareness training. In both the Federal and private sectors, all aspects must work in harmony to educate employees on cybersecurity awareness.
At the Education Department, simulated spear phishing exercises do just that.
CISO Hernandez explained that phishing is the most popular attack vector for cyber criminals. The rise in successful ransomware attacks, for example, is a signal of attackers’ effectiveness and ease with both broad attack and spear phishing techniques.
Despite the agency’s efforts to continually educate staff through annual trainings, there was a clear need for continuous incidental training that doesn’t overly burden employees. So, the department got creative with its approach by putting employees to the test in their real-world settings, rather than in formal training sessions.
“In our situation, the user gets that email. They click on the link or the attachment. They get redirected to a page that says, ‘hey, you just got phished!’” Hernandez explained. “It will say please report this to our security operations center, that’s a very important part of the phishing process, and the second part explains why you got phished.”
Spear phishing training is not only helping employees make good decisions, but also turning them into an aware and energetic final line of defense. Ryan Kalember, Executive Vice President of Cybersecurity Strategy at Proofpoint, said it’s ultimately all about preparing people at the individual level.
“At the end of the day, what we’re doing is we’re protecting people, right? Most Federal agencies don’t realize who the people are inside their organizations that are actually the recipients of the interesting cyberattacks,” Kalember told MeriTalk.
Accessibility is also a big priority in training, he said. “When you’re working with a Federal agency, you have to make sure that you’re able to deliver training to people who might have disabilities in a way that sometimes the private sector doesn’t always pay attention to,” Kalember said.
Emphasis on Realism
Part of the Education Department’s training program’s success stems from its realism. “Our attackers are smart. They not only look at us from the technology perspective, but they look at us from the psychometrics perspective and what works,” the CISO said. “They’re not above using emotion. Frankly, in many cases, they leverage the emotional response to get the reactions they want.”
For example, Hernandez described a spear phishing email exercise deployed by the department in fall 2018. It was an autumn-themed e-card with colorful leaves and Halloween imagery asking the user to click a link in order to view the rest of the card. Hernandez said the department purposely used an emotional hook that pushed the recipient to relax and celebrate. When they clicked, the screen alerted employees that they had fallen for a phishing attempt.
Education varies the attack methods and increases the difficulty in order to prepare employees for any and all types of phishing attempts. For instance, the agency recently simulated an email from an internal service that was almost identical to what the staff usually receives. The department ran the test twice, and found a 12-point reduction in the percentage of people who fell for the attack the second time around.
“It goes to show that as we continue to get folks exposed to the different phishing methodologies and approaches, folks are catching on,” Hernandez said.
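The two metrics behind the result Hernandez describes are the share of recipients who clicked and, just as important given the reporting step in the simulation, the share who reported the message. The following is an added example, not the Education Department's tooling: it scores constructed simulation event lines (campaign, user, event) per campaign and computes the point change in click rate between two runs of the same template. The campaign names, user ids and event vocabulary are assumptions.

```python
"""Score phishing-simulation results: click rate, report rate per campaign,
and the point change in click rate between two runs of the same template.
Added example; not the agency's own tooling. All event lines are constructed."""
from collections import defaultdict

# Constructed event log, one "campaign,user,event" record per line.
# Events: delivered (user received the lure), clicked, reported (to the SOC).
# A user may both click and report; both are counted against the delivered set.
EVENTS = """\
svc-notice-run1,u01,delivered
svc-notice-run1,u02,delivered
svc-notice-run1,u03,delivered
svc-notice-run1,u04,delivered
svc-notice-run1,u05,delivered
svc-notice-run1,u01,clicked
svc-notice-run1,u03,clicked
svc-notice-run1,u02,reported
svc-notice-run1,u03,reported
svc-notice-run2,u01,delivered
svc-notice-run2,u02,delivered
svc-notice-run2,u03,delivered
svc-notice-run2,u04,delivered
svc-notice-run2,u05,delivered
svc-notice-run2,u04,clicked
svc-notice-run2,u01,reported
svc-notice-run2,u02,reported
svc-notice-run2,u05,reported
"""


def parse_events(text):
    """Return {campaign: {user: set(events)}} from the CSV-like lines."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, event = (field.strip() for field in line.split(","))
        table[campaign][user].add(event)
    return table


def campaign_rates(table, campaign):
    """Click and report rates as percentages of users the lure was delivered to."""
    users = table[campaign]
    delivered = [u for u, events in users.items() if "delivered" in events]
    n = len(delivered)
    clicked = sum("clicked" in users[u] for u in delivered)
    reported = sum("reported" in users[u] for u in delivered)
    pct = lambda count: round(100.0 * count / n, 1) if n else 0.0
    return {
        "delivered": n,
        "clicked": clicked,
        "reported": reported,
        "click_rate": pct(clicked),
        "report_rate": pct(reported),
    }


def click_rate_change(table, first, second):
    """Percentage-point change in click rate from the first run to the second
    (negative means fewer people fell for the lure the second time)."""
    before = campaign_rates(table, first)["click_rate"]
    after = campaign_rates(table, second)["click_rate"]
    return round(after - before, 1)


if __name__ == "__main__":
    table = parse_events(EVENTS)
    for name in ("svc-notice-run1", "svc-notice-run2"):
        print(name, campaign_rates(table, name))
    print("point change:", click_rate_change(table, "svc-notice-run1", "svc-notice-run2"))
```

Tracking the report rate alongside the click rate shows whether the "report this to the SOC" instruction is landing, which a click rate alone cannot; a user who clicked and then reported still counts as a click, since the lure succeeded before the report.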
Evolving Training Approaches
Sharpening the focus of training to its most effective result on human behavior is highly valued across both the private and public sectors, and is a central theme in the development of improved training techniques. Tony Holmes, Senior Manager for Public Sector Presales at Pluralsight, explained that traditional training methods aren’t always effective.
“For example, if I’m an organization – whether it be government or private – I can send someone to sit in the classroom for five days. And ultimately, all I know for certain is that they went and sat in a classroom for five days, and they’ve got a certificate saying: ‘we sat in a classroom for five days.’ But I don’t know what they already knew before they went there,” Holmes said. “So how much of that did they have to sit through and have?”
Holmes said the Federal workforce’s inability to train at the individual level is a big problem in security awareness training. Hiring someone and training them up is a much more efficient way to make investments in security training, as opposed to spending time finding the perfect candidate to fill a specific role, he said. Investing in employees as opposed to hiring highly trained specialists can increase retention rates and widen the hiring pool to include employees with a more diverse set of intangible skills.
Security Going Forward
Beyond the spear phishing training program, the Education Department is finding new ways to transform security from an afterthought, and to account for the inevitability of human error.
Hernandez shared that the department has configured its servers to automatically encrypt sensitive emails. After determining that Education most frequently emails other government agencies, the server was programmed to only allow emails to be sent to certain agencies if they are encrypted. While agency management still expects users to manually encrypt, the server can now catch errors and accidents before those mistakes open the door to a possible attack.
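The server-side rule described above is an outbound policy decision: mail addressed to a listed agency domain must leave encrypted, whether or not the sender remembered to encrypt it. The following is an added example, not the Education Department's configuration: a gateway-style check that parses an outbound message, collects every To/Cc/Bcc domain, and returns "encrypt" when any enforced recipient would otherwise receive a plaintext body, judged by the S/MIME enveloped-data content type defined in RFC 8551. The domain list and the sample messages are constructed placeholders.

```python
"""Outbound mail policy: require message-level (S/MIME) encryption to listed
agency domains. Added example, not the agency's own server configuration.
ENFORCED_DOMAINS and the sample messages below are constructed placeholders."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed: destination domains that may only receive encrypted mail.
ENFORCED_DOMAINS = {"agency-a.example.gov", "agency-b.example.gov"}


def recipient_domains(msg: Message) -> set:
    """Lower-cased domain part of every To/Cc/Bcc address on the message."""
    headers = []
    for field in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(field, []))
    domains = set()
    for _name, addr in getaddresses(headers):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].strip().lower())
    return domains


def is_smime_encrypted(msg: Message) -> bool:
    """True when the top-level body is S/MIME enveloped-data (RFC 8551):
    Content-Type application/pkcs7-mime with smime-type=enveloped-data."""
    ctype = msg.get_content_type()
    smime_type = str(msg.get_param("smime-type") or "").lower()
    return (ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
            and smime_type == "enveloped-data")


def outbound_action(raw: str, enforced=ENFORCED_DOMAINS) -> str:
    """'deliver' when policy is already satisfied; 'encrypt' when at least one
    enforced recipient would otherwise receive a plaintext message."""
    msg = message_from_string(raw)
    if recipient_domains(msg) & set(enforced) and not is_smime_encrypted(msg):
        return "encrypt"
    return "deliver"


# Constructed sample messages (headers and bodies are placeholders).
PLAINTEXT_TO_AGENCY = (
    "From: analyst@ed.example.gov\n"
    "To: Records Officer <officer@Agency-A.example.gov>\n"
    "Subject: Q3 figures\n"
    "Content-Type: text/plain\n\n"
    "Figures attached.\n"
)
ENCRYPTED_TO_AGENCY = (
    "From: analyst@ed.example.gov\n"
    "To: officer@agency-a.example.gov\n"
    "Subject: Q3 figures\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "AAAAAAAAAAAAAAAA\n"  # placeholder, not real CMS content
)
PLAINTEXT_TO_VENDOR = (
    "From: analyst@ed.example.gov\n"
    "To: support@vendor.example.com\n"
    "Subject: Ticket 42\n"
    "Content-Type: text/plain\n\n"
    "Please reopen the ticket.\n"
)
CC_TO_AGENCY = (
    "From: analyst@ed.example.gov\n"
    "To: support@vendor.example.com\n"
    "Cc: liaison@agency-b.example.gov\n"
    "Subject: Ticket 42\n"
    "Content-Type: text/plain\n\n"
    "Looping in our liaison.\n"
)

if __name__ == "__main__":
    for label, raw in (("plaintext to agency", PLAINTEXT_TO_AGENCY),
                       ("encrypted to agency", ENCRYPTED_TO_AGENCY),
                       ("plaintext to vendor", PLAINTEXT_TO_VENDOR),
                       ("cc to agency", CC_TO_AGENCY)):
        print(f"{label}: {outbound_action(raw)}")
```

The check is deliberately applied to every recipient header, not just To, and compares domains case-insensitively, because a Cc'd or mixed-case address is exactly the kind of slip the rule exists to catch. Transport encryption (TLS between servers) is a separate control and is not what this check inspects.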
The CISO said that the role of his office is not only to help agency employees make good decisions, but also to weave security into the fabric of how people operate. Programs like the mock spear phishing attacks are just a tool to accomplish that.
“The role that phishing plays in that is an ongoing diagnostic tool to see how well we can respond to active threats,” Hernandez said.
The Education Department incentivizes employees at all levels to take responsibility for agency-wide cybersecurity, Hernandez said, including through personal recognition and one-on-one corrective work with supervisors.
“When we look at how to leverage the results, it’s really informing the entire picture around the employee and then what does that mean for the rest of the agency,” Hernandez said. Rewarding the employees with cybersecurity at the forefront of their minds, and providing disincentives for the ones who get it wrong, he added, is what ultimately shapes cybersecurity culture.