The cybersecurity industry has a problem in how it talks about phishing, leaving organizations – and their employees – at risk. Although phishing attacks originate outside of the organization, many organizations fail to consider the internal aspect of an attack. We need to talk about phishing as an insider risk.
This is because there’s one thing that all successful phishing attacks have in common: an insider let them in.
Why is Phishing a Human Problem?
When a malicious email reaches your employee’s inbox, it’s already sophisticated enough to bypass your inbound secure email gateway filters. That means that the recipient – your employee – is your last line of defense.
It’s the employee who faces an important decision: click the link and enter their credentials, download the attachment containing ransomware (with potentially detrimental consequences), or flag the email to your security team and avoid the incident entirely. It’s a big decision for any employee to make, and the stakes are high: research by Verizon found that 94% of malware is delivered via email.
Using clever social engineering tactics, phishing emails can push even the most diligent employee into getting hacked.
Criminals craft emails to play on psychological triggers. They’ll create a sense of urgency, requesting action or a response straight away to pressure employees into acting before they have a chance to consider the request and its consequences properly. They also play on familiarity, which we see in spear-phishing, in impersonation attacks imitating senior individuals belonging to an organization, and in attacks through compromised supply chain accounts. Most importantly, today’s phishing attacks are highly plausible, with few immediately obvious signs that there’s anything suspicious going on at all.
The most successful phishing attacks will encourage your employees to behave impulsively and respond on autopilot without stopping to think first.
What Are We Going to Do About It?
By treating phishing as an insider, human-activated risk and implementing the right technology, organizations can more effectively protect themselves against it.
The answer lies with intelligent solutions that adopt a zero-trust model, analyzing the content and context of each email before it reaches the employee’s inbox. Using natural language processing (NLP) technology, advanced solutions can go beyond the capability of traditional secure email gateways to detect even the most sophisticated attacks. NLP can accurately determine the sender’s authenticity, even detecting when cyber-criminals use compromised accounts to impersonate trusted contacts, such as colleagues.
Anti-phishing technology can also support existing security training programs to ensure they have a lasting effect even for employees who have become disengaged. In addition, technology can provide tips and insights to train end-users to understand risk and spot attacks more effectively.
By implementing the right technology and creating a security-positive, empowering culture, organizations can build up one final, robust layer of defense: their people, the human layer.
Jack Chapman, VP of Threat Intelligence, Egress