How can we create a culture of secure behavior?
by Jacki Williams - Product Manager at Wombat Security Technologies - Tuesday, 22 April 2014.
It's a busy day in your company and everyone is rushing around trying to respond to requests. Audrey gets an email that looks like it's from a partner asking her to look into a recently placed order. She clicks on the PDF to check it out. But instead of seeing the partner's order, she sees a landing page from the company's security team letting her know she fell prey to a simulated phishing attack. As she looks around the room, she sees that a few co-workers also have stunned looks on their faces.

If real, such a phishing attack could have put your company's sensitive information—such as usernames, passwords, credit card details or PINs of your customers—at risk. According to data from Kaspersky Lab, phishers launched attacks impacting more than 100,000 people daily last year.

Despite attempts by security software firms to stop them, cybercriminals are getting craftier by the day. A recent scam, uncovered by security firm Symantec, was targeted against users of Google Drive, which is frequently used by businesses for collaboration. Users were sent a message with the subject header "Documents" and directed to a sign-in page that closely mirrored Google's. After they signed in, users were sent to a PHP script on a compromised Web server. This page then redirected to a real Google Drive document, leaving visitors unaware that their login credentials had been stolen.

Based on the startled looks of the impacted employees, the mock phishing attack that Audrey and her co-workers experienced jolted the system, but did it make the company any safer from cyber threats?

Simulated attacks can't stand alone

Phishing impacts thousands of companies each year, but it's not the only issue they face: malware attacks, physical attacks on company data by intruders posing as service personnel, and attacks aimed specifically at mobile devices are all on the rise, and they are just a few of the many threat vectors. The mock phishing attack orchestrated by the company's security team provides a wake-up call but isn't the only security education solution the company needs. Here's why:

You have to worry about more than just phishing. Unfortunately, attacks on data don't stop at users clicking on a link or document in an email from their laptop. For example, access could be granted through a link the user receives via text or information given out by an employee over the phone. Malware can be downloaded through a mobile phone or by clicking something on a perfectly legitimate website.

It only teaches in the moment. Yes, the simulated attack did its job by creating shock factor, but what's next? How can you reduce the risk of it happening again in the same or a slightly different way? Do employees have actionable information about how to avoid the next attack?

It does not measure vulnerability to all attacks. If employees fell for a mock phishing attack, will they also fall for other types of attacks? How can you understand the complete vulnerability of individual employees?

As you can see, simulated attacks can provide value in assessing vulnerability but don't provide the complete answer for CISOs. A more complete approach is needed.

However, one big issue that security officers face is that most employees think they are immune to security threats. Despite the high news coverage that large breaches receive, and despite tales told by their co-workers and friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. Those types of things happen to other, less careful people.
