Channel: Symantec Connect - Blog Entries

Security Awareness Campaigns in the Enterprise: Give someone a phish, feed them for a day


We know what to do when the fire alarm sounds, but what if the sparks are on our desktop? Developing an active Phishing Campaign for the enterprise is akin to a fire drill practice and should become second nature.

Cyber-crime organisations, nation states and hacktivists all use similar toolsets to get what they want. The scattergun approach is no longer as pervasive as it once was. Intellectual property (aka data) is the new currency and information, as always, is power.

Spear phishing is an example of a surgically precise attack on one or two individuals within an organisation, or at a department level such as Finance or R&D. The truth is that we do not really practise good information security hygiene: we are gullible, and prone to attack over the very medium we use for our working day.

Credentials

Recent reports show that around half of the data breach examples were attributed to stolen credentials. The trusted, time-honoured username and password combination is, as we know and have known for some time, easily obtained, and it opens the door to the Pandora’s box of your company’s assets.

Malware

From the same reports we see a further trend: the other half of data breaches were attributed to malware. It is not a huge leap of faith to envisage that the combination of malware, stolen credentials and the agenda of an adversarial organisation will open up access to assets considered safe within the now degraded secure perimeters of our organisations’ infrastructures.

Phish or Duck?

Social engineering does exactly what it says on the tin! It is a non-technical way of getting a trusting party to release information, or access to that information (assets), with little or no resistance. After all, we are naturally trusting creatures and trust our work environment. What could possibly go wrong?

Simplicity is most effective

There is an old adage of KISS (keep it simple, stupid). Our adversaries can do this with ease and the measure of their success is tangibly visible in the plethora of Internet Security and Data Breach Reports that dot the Cyber-Horizon every year or quarter.

Would it be foolhardy to assume you would not get deceived in the workplace? Maybe it’s because our ethics and work practices have conditioned us to avoid deception, and operate in a transparent and trusted manner with our peers. Is our traditional approach to security involving People, Process & Technology jaded? Perhaps the corporate infrastructure perimeter has long ago been eroded with our striving to embrace mobility and always-on access to our data assets.

So who are the losers? It starts with us, the users, then the board, then the shareholders.

Who is the benefactor? Well, we know who it is not – see above. I would suggest that the benefactors of any data breach or theft of intellectual property assets are ultimately competitors. Here the word competitor is a catch-all for anyone not mentioned under ‘losers’.

Collecting results

Depending on the chosen mechanism this can be the most critical part of the exercise.

Measuring results

Demographics can be useful when providing a breakdown of devices used, operating system, regions and departments. A recent exercise we undertook has given visibility to risks we had not previously contemplated. Once the message of non-punitive results on failure is communicated, in my experience the exercises are accepted by the user population. Most results can be actioned on a user-by-user basis, with failed exercises giving the user the opportunity to take a brief two- or three-minute Phishing Training Session.

How often do we do this?

Initially, it may be bi-annually. However, recent events and our subsequent learning from the exercises as iterations proceed may dictate increasing the frequency.
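As an added illustration (not part of the original post), the following Python turns the raw results of two simulated rounds into the breakdowns described under "Measuring results" (by department and by device), the per-user queue for the short training session, and a simple check of whether a group's failure rate is actually falling between rounds, which is the signal the "How often" section relies on when deciding to increase frequency. The records, user names and departments are constructed sample data.

```python
from collections import defaultdict

# Constructed sample output of two simulated phishing rounds (illustrative only).
# outcome: "reported", "ignored", "clicked" (followed the link) or "submitted" (entered credentials)
RESULTS = [
    {"round": 1, "user": "alice", "dept": "Finance", "device": "desktop", "outcome": "clicked"},
    {"round": 1, "user": "bob",   "dept": "Finance", "device": "mobile",  "outcome": "submitted"},
    {"round": 1, "user": "carol", "dept": "R&D",     "device": "desktop", "outcome": "reported"},
    {"round": 1, "user": "dave",  "dept": "R&D",     "device": "mobile",  "outcome": "ignored"},
    {"round": 2, "user": "alice", "dept": "Finance", "device": "desktop", "outcome": "reported"},
    {"round": 2, "user": "bob",   "dept": "Finance", "device": "mobile",  "outcome": "clicked"},
    {"round": 2, "user": "carol", "dept": "R&D",     "device": "desktop", "outcome": "reported"},
    {"round": 2, "user": "dave",  "dept": "R&D",     "device": "mobile",  "outcome": "clicked"},
]

FAILED = {"clicked", "submitted"}  # outcomes that count as a failed exercise


def failure_rates(results, field):
    """Failure rate per (round, group); field is e.g. "dept" or "device"."""
    tally = defaultdict(lambda: [0, 0])  # (round, group) -> [failed, total]
    for r in results:
        key = (r["round"], r[field])
        tally[key][1] += 1
        if r["outcome"] in FAILED:
            tally[key][0] += 1
    return {k: failed / total for k, (failed, total) in tally.items()}


def training_queue(results, rnd):
    """Users who failed the given round and should be offered the short training session."""
    return sorted({r["user"] for r in results if r["round"] == rnd and r["outcome"] in FAILED})


def not_improving(rates, prev_round, cur_round):
    """Groups whose failure rate did not fall between two rounds.

    A group with no result in prev_round is treated as a 0.0 baseline, so it is
    flagged for review rather than silently passed."""
    groups = {g for (rnd, g) in rates if rnd == cur_round}
    return sorted(g for g in groups
                  if rates.get((cur_round, g), 0.0) >= rates.get((prev_round, g), 0.0))


if __name__ == "__main__":
    print(failure_rates(RESULTS, "dept"))
    print("train after round 2:", training_queue(RESULTS, 2))
    print("not improving by dept:", not_improving(failure_rates(RESULTS, "dept"), 1, 2))
```

In the constructed data the Finance rate falls from 1.0 to 0.5 while R&D rises from 0.0 to 0.5, so R&D (and the mobile device group) is the one to target with more frequent exercises.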

What’s next?

  • Step 1: Iterate
  • Step 2: Go to Step 1
  • Feed into Onboarding Training – New Starters
  • Make it second nature, just like the fire drill
  • Mandatory – maintenance training every year or every quarter?

The fine detail on all of the above is up to each organisation, according to its structure and processes. The principles are non-negotiable!
