SECURITY SPOTLIGHT

of users reporting bad emails up to 50%. (FYI, Cofense data shows that the energy industry leads the region in phishing reporting – on average, over 16 users report a simulated phish to every user that falls susceptible.)

“My mandate was to do everything necessary to protect the university community,” the head of information security reported.

“We invested in technological solutions, but with 30 years of IT experience, I know that you need to invest in people, not just processes and technology. You need to make them human firewalls.”

He added: “Look at it this way. You can put five locks on your door, but if you leave the keys under the doormat, the locks don’t do much good. Fortifying the human firewall is my utmost priority. The human element is the most important part of your defence.”

Referring to constant changes in attack techniques and the need for defensive adjustments, he added, “I’m reminded of a quote from Alice in Wonderland, when the White Queen was saying, ‘In order to keep up, you have to run as fast as you can.’”

Removing phishing emails ‘sometimes in five or 10 minutes’

An operational risk consultant with a global financial company shared with us an example of employees helping the SOC stop phishing threats in minutes.

“I don’t think security is going to be improved by the next best technology we put in place, whether it’s an appliance or a firewall or something that blocks at the proxy,” she said.

“For example, we had a Word document with macros slip through our filters, so we just need to teach the humans that own our email addresses to be extra-vigilant.”

She continued: “We see some departments reporting as high as 60% in phishing simulations, but they also report [real] malicious emails that go to our cyberdefence teams – and they get them out of the network sometimes in five or 10 minutes.”

Noting the futility of investing in technology while users remain untrained, a cybersecurity awareness evangelist at one of California’s largest companies said: “In one corner you’ve got 10 million dollars in defence perimeter equipment and on the other side, of course, you’ve got ‘Dave.’

“A machine cannot apply a non-linear approach to a problem. A machine is just conditioned to do one thing. But a human being with instinct can make decisions that are a lot more intricate.”

His company too relies on employees to report actual phishing threats.

“Last month, we saw 33 reported threats come into our IR inbox,” he said. “When you consider that a breach could cost US$6 million, that’s a return on investment.”

“Hey, is this the right payment?”

The cyber-program director of a multinational utility echoed these remarks.

“My CISO often states that if he had to cut all of his budget, down to the bare bones, all that he would choose to spend on would be awareness and response,” he said. “We had a scenario where, all the way up to the CEO, they were ready to make a treasury payment until somebody finally picked up the phone and said, ‘hey, is this the right payment to be made?’ And it was blocked.”

“What did you do to prevent this?”

The last word comes from another global financial company: “To not focus on phishing would be pretty negligent on any company’s part,” said the company’s operational risk consultant.

“At the end of the day, if we have a breach it’s probably going to have stemmed from some sort of phishing attack.

“When our regulators or clients are asking us, ‘What did you do to prevent this?’ it’s important to feel confident that we have an anti-phishing program in place.”

She noted that inbox behaviour is ‘easily measurable’. It’s not hard to sustain a phishing defence program because the metrics are simple to gather and use to demonstrate success.

In fact, automation makes it even easier, allowing program managers to schedule a year’s worth of simulations in a matter of minutes. Other automated systems enable SOC teams to filter and analyse reported emails quickly, plus remove them from users’ inboxes when verified as threats.

Those are smart uses of technology. After all, machines are great at saving time and handling repetitive tasks, saving human brains and intuition for critical decision-making. But if you’re placing all your bets on tech and neglecting the human factor, it’s going to be a long, and very phishy, year.

Kamel Tamimi, Principal Security Consultant, Cofense Inc

www.intelligentcio.com
INTELLIGENTCIO