With phishing and spear phishing so prevalent as the primary initial attack vector for malware, ransomware, and data breach attacks, why aren’t users getting wise.
There’s no denying that phishing is a problem. With increases in phishing attacks as much as 6000%, cybercriminals have zeroed in on their easiest (and most helpful) part of your security to bypass: your users. Your users play a needed role in attacks – the initial launching of malicious software, scripts, or documents through links or attachments.
Without your users, the bad guys have no ability to infect your environment.
But, it’s not like phishing is something new. Organizations are keenly aware that it’s a problem – so much, that they spend material portions of the IT budget on solutions aimed at detecting and blocking malicious web and email content. Even so, a portion of phishing attacks still make it all the way to the user’s Inbox… and users fall for the well-crafted social engineering incorporated in the phishing attack.
So, why do users still fall for these attacks when they know phishing emails exist and they are a target?
Suelette Dreyfus, an academic specialist at the School of Computing and Information Systems at the University of Melbourne, spoke at Australia’s ITWeb Security Summit this year on the very subject. According to Dreyfus, part of the issue is the massive amount of email received: “Surely, people getting a lot of external mails, would ‘wise up?’ In real life, any awareness of phishing was often overwhelmed by the constant ‘tsunami’ of mails.” Another problem is the
Another issue is the perceived security of the office environment by users. According to Dreyfus, “so, goes the thinking of the employee, there is less chance they’ll encounter a suspicious mail.” It demonstrates that organizations aren’t doing enough educating of their employees through Security Awareness Training about their importance and necessity of their role in the organization’s security.
Lastly, the security culture within the organization is important. According to Dreyfus, “Cyber security has to wrap around the processes of the human, not impose from the top down.” In essence, organizations need to make good cybersecurity practices an integral part of a user’s everyday functions. This, too, is stressed within Security Awareness Training.
Users remain the weakest link in your security strategy. It’s time to “patch” this vulnerability through proper education, teaching users not just what to do to avoid becoming a victim, but why as well.